Windows Analysis Report
Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe

Overview

General Information

Sample Name:Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
Analysis ID:1300719
MD5:0b56217621818cb94a6c0d4c46166f52
SHA1:79a1b1e0f100ed8d2711fbd32b6b50fe047c8d8d
SHA256:8f5d5ae2cd2b40c022144cfa0aeced9287b565fa881bd0b867d74f7fa67a02c6

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Registers a new ROOT certificate
Installs new ROOT certificates
Creates files inside the driver directory
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
Drops files with a non-matching file extension (content does not match file extension)
Adds / modifies Windows certificates
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks for available system drives (often done to infect USB drives)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Stores large binary data to the registry
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Enables driver privileges
Enables security privileges
Creates or modifies windows services
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64_ra
  • Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe (PID: 6676 cmdline: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe MD5: 0B56217621818CB94A6C0D4C46166F52)
    • cmd.exe (PID: 4824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\setup.cmd" " MD5: 4943BA1A9B41D69643F69685E35B2943)
      • conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • net.exe (PID: 1084 cmdline: NET SESSION MD5: 2D09708A2B7FD7391E50A1A8E4915BD7)
        • net1.exe (PID: 6124 cmdline: C:\Windows\system32\net1 SESSION MD5: DACD2D80B3942C3064B29BC0D0382EF3)
      • RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe (PID: 2480 cmdline: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe" /S MD5: 05B756A815EC4F1F2024A055B9B57128)
        • RangerCore_4.2.18.0.exe (PID: 3524 cmdline: "C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe" /S /D=C:\Program Files (x86)\Silver Bullet Technology\Ranger MD5: 4C81F04895E9C07D3F1E6DF691368C36)
          • vcredist_x86.exe (PID: 240 cmdline: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe /q /norestart MD5: B88228D5FEF4B6DC019D69D4471F23EC)
            • Setup.exe (PID: 6316 cmdline: c:\2c943420539b5d851ede182b60\Setup.exe /q /norestart MD5: 006F8A615020A4A17F5E63801485DF46)
        • DigitalCheck-TSSeries_Installer.exe (PID: 5472 cmdline: "C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe" /S /D=C:\Program Files (x86)\Silver Bullet Technology\Ranger MD5: 6E410C4D1E5DDB837EF6CAD248EA5652)
          • TellerScanDriverV1107.exe (PID: 5204 cmdline: "C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exe" /verysilent MD5: 8C66A75D40D8C12F3AF108AA2E0DA538)
            • TellerScanDriverV1107.tmp (PID: 2968 cmdline: "C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp" /SL5="$50338,947705,67072,C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exe" /verysilent MD5: 1789A04058130108337961A38192052C)
              • DevCon.exe (PID: 5860 cmdline: "C:\Program Files\TellerScan\Drivers\DevCon.exe" disable *VID_08B1* MD5: C4B470269324517EE838789C7CF5E606)
                • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
              • DPInst.exe (PID: 6824 cmdline: "C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe" /u tsusb2.inf /d /q MD5: E90140FF5F5FF7521EA52F94BEC29F8C)
              • DPInst.exe (PID: 6352 cmdline: "C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe" /sa MD5: E90140FF5F5FF7521EA52F94BEC29F8C)
              • DevCon.exe (PID: 5924 cmdline: "C:\Program Files\TellerScan\Drivers\DevCon.exe" enable *VID_08B1* MD5: C4B470269324517EE838789C7CF5E606)
                • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
              • DevCon.exe (PID: 3380 cmdline: "C:\Program Files\TellerScan\Drivers\DevCon.exe" rescan MD5: C4B470269324517EE838789C7CF5E606)
                • conhost.exe (PID: 4980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • regsvr32.exe (PID: 6856 cmdline: regsvr32 "C:\Windows\Downloaded Program Files\alttiff.ocx" /s MD5: EB3B90B6989227F590BB36356DF96A30)
      • RangerRemoteSecureInstaller.exe (PID: 2044 cmdline: "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerRemoteSecureInstaller.exe" /S MD5: 3DAE48510B29272D4DEDB381647874FC)
        • msiexec.exe (PID: 2904 cmdline: C:\Windows\system32\msiExec" /i "RangerRemoteSecureInstaller.msi MD5: F9A3EEE1C3A4067702BC9A59BC894285)
  • svchost.exe (PID: 6664 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc MD5: 9520A99E77D6196D0D09833146424113)
  • msiexec.exe (PID: 1836 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 2D9F692E71D9985F1C6237F063F6FE76)
  • SBTLogServiceWindows.exe (PID: 6660 cmdline: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exe MD5: 80FAD3429D5F9AD94441BBF01580F701)
  • svchost.exe (PID: 1796 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: 9520A99E77D6196D0D09833146424113)
    • drvinst.exe (PID: 5116 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{02e22527-048b-c641-9e9d-82d7d1e7f993}\tsusb2.inf" "9" "47095fa47" "00000000000001B0" "WinSta0\Default" "00000000000001B4" "208" "c:\program files\tellerscan\drivers\64-bit" MD5: 100997A8B475B1D1B173BE8941DFE1A6)
  • msiexec.exe (PID: 3308 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 2D9F692E71D9985F1C6237F063F6FE76)
    • cmd.exe (PID: 4636 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\installRangerRemoteSecure.bat"" MD5: 9D59442313565C2E0860B88BF32B2277)
      • conhost.exe (PID: 4660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • Ranger Remote_v1.4.2.1_Installer.exe (PID: 3428 cmdline: "Ranger Remote_v1.4.2.1_Installer.exe" /wss /S MD5: 57C3754A9113DFAFE11AD022B9BE5C33)
        • CheckNetIsolation.exe (PID: 3528 cmdline: CheckNetIsolation LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe MD5: 2FBEB635ADD6F73B226EE4BE660201BB)
          • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
        • cmd.exe (PID: 1624 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\remove_ms_certs.cmd"" MD5: 4943BA1A9B41D69643F69685E35B2943)
          • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
          • certutil.exe (PID: 5580 cmdline: "C:\Windows\system32\certutil.exe" -delstore "Root" "www.sbullet.com" MD5: 46B60DBFFA3D5E1D6647E47B29EF7F69)
        • cmd.exe (PID: 6824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\remove-FF-certs.cmd"" MD5: 4943BA1A9B41D69643F69685E35B2943)
          • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
        • cmd.exe (PID: 1292 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\add_ms_certs.cmd"" MD5: 4943BA1A9B41D69643F69685E35B2943)
          • conhost.exe (PID: 1460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
          • certutil.exe (PID: 2004 cmdline: "C:\Windows\system32\certutil.exe" -addstore -f "Root" "C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\rootCA.pem" MD5: 46B60DBFFA3D5E1D6647E47B29EF7F69)
        • cmd.exe (PID: 3968 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\add-certs.cmd"" MD5: 4943BA1A9B41D69643F69685E35B2943)
          • conhost.exe (PID: 2712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
        • vcredist_x86.exe (PID: 5364 cmdline: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe /q /norestart MD5: B88228D5FEF4B6DC019D69D4471F23EC)
          • Setup.exe (PID: 3380 cmdline: c:\686fc0c283be14fef7\Setup.exe /q /norestart MD5: 006F8A615020A4A17F5E63801485DF46)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7B17D1 __EH_prolog3,CryptQueryObject,GetLastError,CertCloseStore,CryptMsgClose,GetLastError,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,9_2_6C7B17D1
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7980D5 CryptMsgGetParam,SetLastError,9_2_6C7980D5
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7980A5 CryptHashPublicKeyInfo,SetLastError,9_2_6C7980A5
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C798094 CryptMsgGetAndVerifySigner,9_2_6C798094
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C798083 CryptQueryObject,9_2_6C798083
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C798114 CryptDecodeObject,SetLastError,9_2_6C798114
Source: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1033\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1041\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1042\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1028\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\2052\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1040\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1036\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1031\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\3082\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1049\eula.rtf
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Plugin_ReleaseNotes.txt
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\OpenSSL License.txt
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\ReadMe.txt
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\cacert\README.txt
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\cacert\CACert_RootDistributionLicense.txt
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1033\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1041\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1042\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1028\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\2052\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1040\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1036\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1031\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\3082\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1049\eula.rtf
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\is-SQJEO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\is-C9CL8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\is-Q0CBT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\64-bit
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\64-bit\is-SIRCF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\64-bit\is-J40RI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\64-bit\is-UM847.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\64-bit\is-S4G1Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\64-bit\is-QF250.tmp
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\RangerInstallFilename_Config.txt
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\RangerRemote_InstallFilename_Config.txt
Source: C:\2c943420539b5d851ede182b60\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20230830_233917878-MSI_vc_red.msi.txt
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29E98AE7-A193-40A1-BF4A-5B84B435E2DB}_is1
Source: Binary string: mfc100.i386.pdb` source: SBTLogServiceWindows.exe, 0000000C.00000002.3977131380.000000006C6F1000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: msvcr100.i386.pdb source: SBTLogServiceWindows.exe, SBTLogServiceWindows.exe, 0000000C.00000002.3969056642.000000006C5C1000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: msvcp100.i386.pdb source: SBTLogServiceWindows.exe, SBTLogServiceWindows.exe, 0000000C.00000002.3975469415.000000006C681000.00000020.00000001.01000000.0000001A.sdmp
Source: Binary string: c:\gianni\progetti\usbscanners\driver\tsusb2\driver\objfre_wxp_x86\i386\TsUsb2.pdb source: TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.00000000058E2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\users\htl\desktop\svil_tsusb2\tsusb2\driver\objfre_wlh_amd64\amd64\TsUsb2.pdb source: TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.000000000598E000.00000004.00001000.00020000.00000000.sdmp, DPInst.exe, 00000013.00000003.2992859078.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000015.00000003.3010459052.0000017DE5D9A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000015.00000003.3002338095.0000017DE5D22000.00000004.00000020.00020000.00000000.sdmp, is-R5HGV.tmp.15.dr
Source: Binary string: sfxcab.pdb source: vcredist_x86.exe, vcredist_x86.exe, 00000008.00000000.2754416822.0000000001002000.00000020.00000001.01000000.0000000A.sdmp, vcredist_x86.exe, 00000008.00000002.2887109010.0000000001002000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: sqmapi.pdb source: Setup.exe, Setup.exe, 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: SetupEngine.pdb source: Setup.exe, Setup.exe, 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Setup.exe, 00000032.00000002.3975713243.000000006BC38000.00000020.00000001.01000000.00000029.sdmp, SetupEngine.dll.8.dr
Source: Binary string: patchhooks.pdbX source: vc_red.msi.8.dr
Source: Binary string: mfc100.i386.pdb source: SBTLogServiceWindows.exe, 0000000C.00000002.3977131380.000000006C6F1000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: patchhooks.pdb source: vc_red.msi.8.dr
Source: Binary string: DpInst.pdbG source: TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.0000000005810000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MFCM100.i386.pdb source: mfcm100.dll.10.dr
Source: Binary string: DpInst.pdbH source: TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.00000000058F7000.00000004.00001000.00020000.00000000.sdmp, DPInst.exe, 00000012.00000000.2971763459.00007FF7FEA51000.00000020.00000001.01000000.00000021.sdmp
Source: Binary string: Setup.pdb source: Setup.exe, 00000009.00000000.2778645370.00000000007F1000.00000020.00000001.01000000.0000000C.sdmp, Setup.exe, 00000032.00000000.3207984374.0000000000AE1000.00000020.00000001.01000000.00000028.sdmp, Setup.exe.46.dr
Source: Binary string: DpInst.pdb source: TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.00000000058F7000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.0000000005810000.00000004.00001000.00020000.00000000.sdmp, DPInst.exe, 00000012.00000000.2971763459.00007FF7FEA51000.00000020.00000001.01000000.00000021.sdmp
Source: Binary string: devcon.pdb source: TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.0000000005810000.00000004.00001000.00020000.00000000.sdmp, DevCon.exe, 00000010.00000002.2971306257.0000000001001000.00000020.00000001.01000000.00000020.sdmp, DevCon.exe, 00000010.00000000.2966899944.0000000001001000.00000020.00000001.01000000.00000020.sdmp, DevCon.exe, 00000016.00000002.3046833976.0000000001001000.00000020.00000001.01000000.00000020.sdmp
Source: Binary string: devcon.pdb\TU source: TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.0000000005810000.00000004.00001000.00020000.00000000.sdmp, DevCon.exe, 00000010.00000002.2971306257.0000000001001000.00000020.00000001.01000000.00000020.sdmp, DevCon.exe, 00000010.00000000.2966899944.0000000001001000.00000020.00000001.01000000.00000020.sdmp, DevCon.exe, 00000016.00000002.3046833976.0000000001001000.00000020.00000001.01000000.00000020.sdmp
Source: Binary string: MFCM100.i386.pdb00 source: mfcm100.dll.10.dr
Source: C:\Windows\System32\msiexec.exeFile opened: z:
Source: C:\Windows\System32\msiexec.exeFile opened: x:
Source: C:\Windows\System32\msiexec.exeFile opened: v:
Source: C:\Windows\System32\msiexec.exeFile opened: t:
Source: C:\Windows\System32\msiexec.exeFile opened: r:
Source: C:\Windows\System32\msiexec.exeFile opened: p:
Source: C:\Windows\System32\msiexec.exeFile opened: n:
Source: C:\Windows\System32\msiexec.exeFile opened: l:
Source: C:\Windows\System32\msiexec.exeFile opened: j:
Source: C:\Windows\System32\msiexec.exeFile opened: h:
Source: C:\Windows\System32\msiexec.exeFile opened: f:
Source: C:\Windows\System32\msiexec.exeFile opened: b:
Source: C:\Windows\System32\msiexec.exeFile opened: y:
Source: C:\Windows\System32\msiexec.exeFile opened: w:
Source: C:\Windows\System32\msiexec.exeFile opened: u:
Source: C:\Windows\System32\msiexec.exeFile opened: s:
Source: C:\Windows\System32\msiexec.exeFile opened: q:
Source: C:\Windows\System32\msiexec.exeFile opened: o:
Source: C:\Windows\System32\msiexec.exeFile opened: m:
Source: C:\Windows\System32\msiexec.exeFile opened: k:
Source: C:\Windows\System32\msiexec.exeFile opened: i:
Source: C:\Windows\System32\msiexec.exeFile opened: g:
Source: C:\Windows\System32\msiexec.exeFile opened: e:
Source: C:\Windows\SysWOW64\cmd.exeFile opened: c:
Source: C:\Windows\System32\msiexec.exeFile opened: a:
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C3D8097 memset,memset,FindFirstFileW,DeleteFileW,GetLastError,FindNextFileW,FindClose,9_2_6C3D8097
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C3C4281 memset,EnterCriticalSection,FindFirstFileW,LeaveCriticalSection,ctype,FindNextFileW,FindClose,ResetEvent,CreateThread,CloseHandle,GetLastError,9_2_6C3C4281
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C785B82 __EH_prolog3_GS,_memset,FindFirstFileW,FindNextFileW,FindClose,9_2_6C785B82
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C78410A FindFirstFileW,GetFullPathNameW,SetLastError,_wcsrchr,_wcsrchr,9_2_6C78410A
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61CC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,12_2_6C61CC23
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C620CBB _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C620CBB
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61C8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,12_2_6C61C8FD
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C62088A _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C62088A
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61E0BD _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,12_2_6C61E0BD
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C5E81A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C5E81A1
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61FF0E _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C61FF0E
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61F9DD _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C61F9DD
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61DBC0 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,12_2_6C61DBC0
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61F593 _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C61F593
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61D687 _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,12_2_6C61D687
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61F169 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C61F169
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C62110C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C62110C
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 4x nop then push esi12_2_6C5CF680
Source: SBTLogServiceWindows.exe, 0000000C.00000002.3977131380.000000006C6F1000.00000020.00000001.01000000.00000016.sdmpString found in binary or memory: ftp://http://HTTP/1.0
Source: Setup.exe, 00000009.00000002.2880905722.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, DPInst.exe, 00000012.00000003.2979021891.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000015.00000003.3020756497.0000017DE5D2F000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000032.00000002.3966258203.0000000000EF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Setup.exe, 00000009.00000002.2880905722.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, DPInst.exe, 00000012.00000003.2979021891.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, DPInst.exe, 00000012.00000002.2980229917.0000000000B22000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000015.00000003.3020756497.0000017DE5D2F000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000032.00000002.3966258203.0000000000EF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmp, Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, alttiff.ocx.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Setup.exe, 00000009.00000003.2795369962.0000000002686000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000009.00000003.2789364756.0000000002300000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000032.00000003.3226102410.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000032.00000003.3236465658.0000000002A86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft.
Source: RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe, 00000006.00000002.3090260653.0000000000409000.00000004.00000001.01000000.00000005.sdmp, RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe, 00000006.00000000.2737738757.0000000000409000.00000008.00000001.01000000.00000005.sdmp, RangerCore_4.2.18.0.exe, 00000007.00000003.2910909537.0000000000874000.00000004.00000020.00020000.00000000.sdmp, RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, DigitalCheck-TSSeries_Installer.exe, 0000000D.00000002.3074479114.0000000000409000.00000004.00000001.01000000.0000001C.sdmp, DigitalCheck-TSSeries_Installer.exe, 0000000D.00000003.3070494811.0000000003F71000.00000004.00000020.00020000.00000000.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000000.3099601117.000000000040A000.00000008.00000001.01000000.00000024.sdmp, Ranger Remote_v1.4.2.1_Installer.exe, 00000020.00000002.3963450026.0000000000409000.00000004.00000001.01000000.00000025.sdmp, Ranger Remote_v1.4.2.1_Installer.exe, 00000020.00000000.3137570816.0000000000409000.00000008.00000001.01000000.00000025.sdmp, Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe.0.drString found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe, 00000006.00000002.3090260653.0000000000409000.00000004.00000001.01000000.00000005.sdmp, RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe, 00000006.00000000.2737738757.0000000000409000.00000008.00000001.01000000.00000005.sdmp, RangerCore_4.2.18.0.exe, 00000007.00000003.2910909537.0000000000874000.00000004.00000020.00020000.00000000.sdmp, RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, DigitalCheck-TSSeries_Installer.exe, 0000000D.00000002.3074479114.0000000000409000.00000004.00000001.01000000.0000001C.sdmp, DigitalCheck-TSSeries_Installer.exe, 0000000D.00000003.3070494811.0000000003F71000.00000004.00000020.00020000.00000000.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000000.3099601117.000000000040A000.00000008.00000001.01000000.00000024.sdmp, Ranger Remote_v1.4.2.1_Installer.exe, 00000020.00000002.3963450026.0000000000409000.00000004.00000001.01000000.00000025.sdmp, Ranger Remote_v1.4.2.1_Installer.exe, 00000020.00000000.3137570816.0000000000409000.00000008.00000001.01000000.00000025.sdmp, Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe.0.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmp, Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, alttiff.ocx.0.drString found in binary or memory: http://ocsp.thawte.com0
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmpString found in binary or memory: http://s2.symcb.com0
Source: Setup.exe, 00000032.00000003.3223730555.0000000000EC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.micros
Source: Setup.exe, 00000009.00000003.2809931762.0000000000708000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microsof
Source: eula.rtf2.8.drString found in binary or memory: http://schemas.microsoft
Source: RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmpString found in binary or memory: http://sv.symcd.com0&
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmp, Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, alttiff.ocx.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmp, Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, alttiff.ocx.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmp, Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, alttiff.ocx.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: alttiff.ocx.0.drString found in binary or memory: http://www.alternatiff.com/
Source: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, alttiff.ocx.0.drString found in binary or memory: http://www.alternatiff.com/l&
Source: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, alttiff.ocx.0.drString found in binary or memory: http://www.alternatiff.com/register/
Source: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, alttiff.ocx.0.drString found in binary or memory: http://www.alternatiff.com/register/Incorrect
Source: TellerScanDriverV1107.exe, 0000000E.00000003.2948484353.0000000002440000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.exe, 0000000E.00000003.2948598070.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.exe, 0000000E.00000003.3068448593.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000003.3063788714.0000000002368000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000003.2954368008.0000000002368000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000003.2954206973.00000000031F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.digitalcheck.com/
Source: TellerScanDriverV1107.exe, 0000000E.00000003.2948598070.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.exe, 0000000E.00000003.3068448593.00000000021C1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.digitalcheck.com/&
Source: TellerScanDriverV1107.exe, 0000000E.00000003.2948598070.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.exe, 0000000E.00000003.3068448593.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000003.3063788714.0000000002368000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000003.2954368008.0000000002368000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.digitalcheck.com/.
Source: TellerScanDriverV1107.tmp, 0000000F.00000003.3063046216.0000000000647000.00000004.00000020.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000002.3066708898.000000000064A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digitalcheck.com/Z9
Source: RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmpString found in binary or memory: http://www.fiserv.com/0
Source: TellerScanDriverV1107.exe, 0000000E.00000003.2950019051.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.exe, 0000000E.00000003.2949128221.0000000002440000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000000.2951655920.0000000000401000.00000020.00000001.01000000.0000001F.sdmpString found in binary or memory: http://www.innosetup.com/
Source: OpenSSL License.txt.32.drString found in binary or memory: http://www.openssl.org/)
Source: TellerScanDriverV1107.exe, 0000000E.00000003.2950019051.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.exe, 0000000E.00000003.2949128221.0000000002440000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000000.2951655920.0000000000401000.00000020.00000001.01000000.0000001F.sdmpString found in binary or memory: http://www.remobjects.com/ps
Source: TellerScanDriverV1107.exe, 0000000E.00000003.2950019051.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.exe, 0000000E.00000003.2949128221.0000000002440000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000000.2951655920.0000000000401000.00000020.00000001.01000000.0000001F.sdmpString found in binary or memory: http://www.remobjects.com/psU
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2913153935.0000000000812000.00000004.00000020.00020000.00000000.sdmp, DigitalCheck-TSSeries_Installer.exe, 0000000D.00000002.3075052465.00000000004A2000.00000004.00000020.00020000.00000000.sdmp, DigitalCheck-TSSeries_Installer.exe, 0000000D.00000003.3073480898.0000000000543000.00000004.00000020.00020000.00000000.sdmp, Ranger Remote_v1.4.2.1_Installer.exe, 00000020.00000002.3966472416.000000000071D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sbullet.com
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmpString found in binary or memory: http://www.sbullet.com0
Source: DigitalCheck-TSSeries_Installer.exe, 0000000D.00000002.3075052465.00000000004A2000.00000004.00000020.00020000.00000000.sdmp, Ranger Remote_v1.4.2.1_Installer.exe, 00000020.00000002.3966472416.000000000071D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sbullet.comPublisherSilver
Source: RangerImageFromBase64.html.32.drString found in binary or memory: http://www.sbulletsupport.com/forum/index.php?topic=308.0
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmpString found in binary or memory: http://www.symauth.com/cps0(
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmpString found in binary or memory: http://www.symauth.com/rpa00
Source: svchost.exe, 00000001.00000002.3969225661.0000022933E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000001.00000002.3969225661.0000022933E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000001.00000002.3969225661.0000022933E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000001.00000002.3969225661.0000022933E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bn2-df.notify.windows.com/v2/register/xplatform/device
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmpString found in binary or memory: https://d.symcb.com/cps0%
Source: RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmpString found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000001.00000002.3969225661.0000022933E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://global.notify.windows.com/v2/register/xplatform/device
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7C4B54 URLDownloadToFileW,9_2_6C7C4B54

E-Banking Fraud

Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe "C:\Windows\system32\certutil.exe" -addstore -f "Root" "C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\rootCA.pem" startup_42
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe "C:\Windows\system32\certutil.exe" -addstore -f "Root" "C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\rootCA.pem" b_2744460f8
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{d6d0f7dc-9306-6a4e-a067-6656e3feaa58}\TsUsb2_x64.cat (copy)
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Program Files\TellerScan\Drivers\64-bit\tsusb2_x64.cat (copy)
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{d6d0f7dc-9306-6a4e-a067-6656e3feaa58}\SET813E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Program Files\TellerScan\Drivers\64-bit\is-QF250.tmp
Source: C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exeFile created: C:\Users\user\AppData\Local\Temp\{02e22527-048b-c641-9e9d-82d7d1e7f993}\TsUsb2_x64.cat (copy)
Source: C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exeFile created: C:\Users\user\AppData\Local\Temp\{02e22527-048b-c641-9e9d-82d7d1e7f993}\SET7DB4.tmp
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{d6d0f7dc-9306-6a4e-a067-6656e3feaa58}
Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dll
Source: C:\2c943420539b5d851ede182b60\Setup.exeSection loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
Source: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\40406f.msi
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7A4E0D ExitWindowsEx,9_2_6C7A4E0D
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\L.user.cdp
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: String function: 6C5D0C80 appears 145 times
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: String function: 6C5DA51F appears 37 times
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: String function: 6C5D0C67 appears 69 times
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: String function: 6C5DB046 appears 57 times
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: String function: 6C7C8B7A appears 109 times
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: String function: 6C7739AD appears 43 times
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: String function: 6C7A85BC appears 56 times
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: String function: 6C7D6E1A appears 549 times
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: String function: 6C7A833E appears 579 times
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeCode function: 8_2_01002B13: GetDriveTypeA,CreateFileA,DeviceIoControl,CloseHandle,8_2_01002B13
Source: RangerFlex.exe.7.drStatic PE information: Resource name: None type: DOS executable (COM)
Source: SetupResources.dll4.8.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: mfc100cht.dll.10.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll6.8.drStatic PE information: No import functions for PE file found
Source: mfc100kor.dll.10.drStatic PE information: No import functions for PE file found
Source: mfc100enu.dll.10.drStatic PE information: No import functions for PE file found
Source: SoftLockResource.dll.7.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll.8.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll1.8.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll4.8.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll7.8.drStatic PE information: No import functions for PE file found
Source: mfc100esn.dll.10.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll3.8.drStatic PE information: No import functions for PE file found
Source: mfc100ita.dll.10.drStatic PE information: No import functions for PE file found
Source: mfc100deu.dll.10.drStatic PE information: No import functions for PE file found
Source: mfc100jpn.dll.10.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll5.8.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll8.8.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll2.8.drStatic PE information: No import functions for PE file found
Source: mfc100chs.dll.10.drStatic PE information: No import functions for PE file found
Source: SetupResources.dll0.8.drStatic PE information: No import functions for PE file found
Source: mfc100rus.dll.10.drStatic PE information: No import functions for PE file found
Source: mfc100fra.dll.10.drStatic PE information: No import functions for PE file found
Source: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, 00000000.00000003.2709922931.0000000000A53000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename7ZSfxMod_x86.exeD vs Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
Source: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, 00000000.00000003.2709814676.0000000000A53000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename7ZSfxMod_x86.exeD vs Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
Source: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, 00000000.00000000.2706122163.0000000000420000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename7ZSfxMod_x86.exeD vs Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
Source: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, 00000000.00000003.2709672563.0000000000A52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename7ZSfxMod_x86.exeD vs Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
Source: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeBinary or memory string: OriginalFilename7ZSfxMod_x86.exeD vs Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
Source: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeBinary or memory string: OriginalFilenamealttiff.ocxX vs Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
Source: C:\Program Files\TellerScan\Drivers\DevCon.exeProcess token adjusted: Load Driver
Source: C:\Windows\System32\svchost.exeProcess token adjusted: Security
Source: mfc100cht.dll.10.drStatic PE information: Section .rsrc
Source: mfc100kor.dll.10.drStatic PE information: Section .rsrc
Source: mfc100enu.dll.10.drStatic PE information: Section .rsrc
Source: SoftLockResource.dll.7.drStatic PE information: Section .rsrc
Source: mfc100esn.dll.10.drStatic PE information: Section .rsrc
Source: mfc100ita.dll.10.drStatic PE information: Section .rsrc
Source: mfc100deu.dll.10.drStatic PE information: Section .rsrc
Source: mfc100jpn.dll.10.drStatic PE information: Section .rsrc
Source: mfc100chs.dll.10.drStatic PE information: Section .rsrc
Source: mfc100rus.dll.10.drStatic PE information: Section .rsrc
Source: mfc100fra.dll.10.drStatic PE information: Section .rsrc
Source: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ranger Uninstall.exe - Ranger.lnk.7.drLNK file: ..\..\..\..\..\..\..\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Uninstall.exe
Source: SBT Log Options.lnk.7.drLNK file: ..\..\..\..\..\..\..\..\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\LogPrefEditor.exe
Source: SBT Log Viewer.lnk.7.drLNK file: ..\..\..\..\..\..\..\..\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\Bloodhound.exe
Source: RangerFlex.lnk.7.drLNK file: ..\..\..\..\..\..\..\Program Files (x86)\Silver Bullet Technology\Ranger\Flex\RangerFlex.exe
Source: Silver Bullet Website.lnk.7.drLNK file: ..\..\..\..\..\..\Program Files (x86)\Silver Bullet Technology\Ranger\Website.url
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerRemoteSecureInstaller.exeFile created: C:\Users\user\AppData\Local\Fiserv
Source: is-R5HGV.tmp.15.drBinary string: \Device\Tsusb2-0
Source: classification engineClassification label: mal48.bank.evad.winEXE@82/346@0/0
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeFile read: C:\Users\desktop.ini
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7BCBBB __EH_prolog3,GetLastError,GetLastError,SetLastError,SetLastError,FormatMessageW,GetLastError,SetLastError,LocalFree,9_2_6C7BCBBB
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C79E9B4 ChangeServiceConfigW,9_2_6C79E9B4
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7C78DF LoadResource,LockResource,SizeofResource,9_2_6C7C78DF
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\License.dat
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\installRangerRemoteSecure.bat""
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeFile read: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\setup.cmd" "
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\net.exe NET SESSION
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 SESSION
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe" /S
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exeProcess created: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe "C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe" /S /D=C:\Program Files (x86)\Silver Bullet Technology\Ranger
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeProcess created: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe C:\Users\user\AppData\Local\Temp\vcredist_x86.exe /q /norestart
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeProcess created: C:\2c943420539b5d851ede182b60\Setup.exe c:\2c943420539b5d851ede182b60\Setup.exe /q /norestart
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknownProcess created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exe C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exe
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exeProcess created: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe "C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe" /S /D=C:\Program Files (x86)\Silver Bullet Technology\Ranger
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exeProcess created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exe "C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exe" /verysilent
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exeProcess created: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp "C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp" /SL5="$50338,947705,67072,C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exe" /verysilent
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpProcess created: C:\Program Files\TellerScan\Drivers\DevCon.exe "C:\Program Files\TellerScan\Drivers\DevCon.exe" disable *VID_08B1*
Source: C:\Program Files\TellerScan\Drivers\DevCon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpProcess created: C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe "C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe" /u tsusb2.inf /d /q
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpProcess created: C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe "C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe" /sa
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{02e22527-048b-c641-9e9d-82d7d1e7f993}\tsusb2.inf" "9" "47095fa47" "00000000000001B0" "WinSta0\Default" "00000000000001B4" "208" "c:\program files\tellerscan\drivers\64-bit"
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpProcess created: C:\Program Files\TellerScan\Drivers\DevCon.exe "C:\Program Files\TellerScan\Drivers\DevCon.exe" enable *VID_08B1*
Source: C:\Program Files\TellerScan\Drivers\DevCon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpProcess created: C:\Program Files\TellerScan\Drivers\DevCon.exe "C:\Program Files\TellerScan\Drivers\DevCon.exe" rescan
Source: C:\Program Files\TellerScan\Drivers\DevCon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 "C:\Windows\Downloaded Program Files\alttiff.ocx" /s
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerRemoteSecureInstaller.exe "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerRemoteSecureInstaller.exe" /S
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerRemoteSecureInstaller.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiExec" /i "RangerRemoteSecureInstaller.msi
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\installRangerRemoteSecure.bat""
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe "Ranger Remote_v1.4.2.1_Installer.exe" /wss /S
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeProcess created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Source: C:\Windows\SysWOW64\CheckNetIsolation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\remove_ms_certs.cmd""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe "C:\Windows\system32\certutil.exe" -delstore "Root" "www.sbullet.com"
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\remove-FF-certs.cmd""
Source: C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\add_ms_certs.cmd""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\certutil.exe "C:\Windows\system32\certutil.exe" -addstore -f "Root" "C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\rootCA.pem"
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\add-certs.cmd""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeProcess created: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe C:\Users\user\AppData\Local\Temp\vcredist_x86.exe /q /norestart
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeProcess created: C:\686fc0c283be14fef7\Setup.exe c:\686fc0c283be14fef7\Setup.exe /q /norestart
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7A4DC9 AdjustTokenPrivileges,9_2_6C7A4DC9
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C785CE1 __EH_prolog3,CoInitialize,CoCreateInstance,CoUninitialize,SysFreeString,9_2_6C785CE1
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7B1602 GetDiskFreeSpaceExW,GetLastError,9_2_6C7B1602
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C795238 CreateToolhelp32Snapshot,_memset,Process32FirstW,Process32NextW,FindCloseChangeNotification,9_2_6C795238
Source: C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exeMutant created: \Sessions\1\BaseNamedObjects\Global\DPINST_LOG_SCROLLER_MUTEX
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2712:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4980:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2712:120:WilError_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4660:304:WilStaging_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4660:120:WilError_02
Source: C:\686fc0c283be14fef7\Setup.exeMutant created: \Sessions\1\BaseNamedObjects\Global\VC_Redist_SetupMutex
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4980:120:WilError_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:304:WilStaging_02
Source: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeString found in binary or memory: AlternaTiff/installFiles/alttifflicense.dat
Source: Setup.exeString found in binary or memory: Pre-Installation Warnings:
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile written: C:\ProgramData\Silver Bullet Technology\Ranger\GenericOptions.ini
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpWindow found: window name: TMainForm
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\is-SQJEO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\is-C9CL8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\is-Q0CBT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\64-bit
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\64-bit\is-SIRCF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\64-bit\is-J40RI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\64-bit\is-UM847.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\64-bit\is-S4G1Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpDirectory created: C:\Program Files\TellerScan\Drivers\64-bit\is-QF250.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29E98AE7-A193-40A1-BF4A-5B84B435E2DB}_is1
Source: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeStatic file information: File size 22396720 > 1048576
Source: Binary string: mfc100.i386.pdb` source: SBTLogServiceWindows.exe, 0000000C.00000002.3977131380.000000006C6F1000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: msvcr100.i386.pdb source: SBTLogServiceWindows.exe, SBTLogServiceWindows.exe, 0000000C.00000002.3969056642.000000006C5C1000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: msvcp100.i386.pdb source: SBTLogServiceWindows.exe, SBTLogServiceWindows.exe, 0000000C.00000002.3975469415.000000006C681000.00000020.00000001.01000000.0000001A.sdmp
Source: Binary string: c:\gianni\progetti\usbscanners\driver\tsusb2\driver\objfre_wxp_x86\i386\TsUsb2.pdb source: TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.00000000058E2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\users\htl\desktop\svil_tsusb2\tsusb2\driver\objfre_wlh_amd64\amd64\TsUsb2.pdb source: TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.000000000598E000.00000004.00001000.00020000.00000000.sdmp, DPInst.exe, 00000013.00000003.2992859078.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000015.00000003.3010459052.0000017DE5D9A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000015.00000003.3002338095.0000017DE5D22000.00000004.00000020.00020000.00000000.sdmp, is-R5HGV.tmp.15.dr
Source: Binary string: sfxcab.pdb source: vcredist_x86.exe, vcredist_x86.exe, 00000008.00000000.2754416822.0000000001002000.00000020.00000001.01000000.0000000A.sdmp, vcredist_x86.exe, 00000008.00000002.2887109010.0000000001002000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: sqmapi.pdb source: Setup.exe, Setup.exe, 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: SetupEngine.pdb source: Setup.exe, Setup.exe, 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Setup.exe, 00000032.00000002.3975713243.000000006BC38000.00000020.00000001.01000000.00000029.sdmp, SetupEngine.dll.8.dr
Source: Binary string: patchhooks.pdbX source: vc_red.msi.8.dr
Source: Binary string: mfc100.i386.pdb source: SBTLogServiceWindows.exe, 0000000C.00000002.3977131380.000000006C6F1000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: patchhooks.pdb source: vc_red.msi.8.dr
Source: Binary string: DpInst.pdbG source: TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.0000000005810000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MFCM100.i386.pdb source: mfcm100.dll.10.dr
Source: Binary string: DpInst.pdbH source: TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.00000000058F7000.00000004.00001000.00020000.00000000.sdmp, DPInst.exe, 00000012.00000000.2971763459.00007FF7FEA51000.00000020.00000001.01000000.00000021.sdmp
Source: Binary string: Setup.pdb source: Setup.exe, 00000009.00000000.2778645370.00000000007F1000.00000020.00000001.01000000.0000000C.sdmp, Setup.exe, 00000032.00000000.3207984374.0000000000AE1000.00000020.00000001.01000000.00000028.sdmp, Setup.exe.46.dr
Source: Binary string: DpInst.pdb source: TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.00000000058F7000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.0000000005810000.00000004.00001000.00020000.00000000.sdmp, DPInst.exe, 00000012.00000000.2971763459.00007FF7FEA51000.00000020.00000001.01000000.00000021.sdmp
Source: Binary string: devcon.pdb source: TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.0000000005810000.00000004.00001000.00020000.00000000.sdmp, DevCon.exe, 00000010.00000002.2971306257.0000000001001000.00000020.00000001.01000000.00000020.sdmp, DevCon.exe, 00000010.00000000.2966899944.0000000001001000.00000020.00000001.01000000.00000020.sdmp, DevCon.exe, 00000016.00000002.3046833976.0000000001001000.00000020.00000001.01000000.00000020.sdmp
Source: Binary string: devcon.pdb\TU source: TellerScanDriverV1107.tmp, 0000000F.00000003.3052087284.0000000005810000.00000004.00001000.00020000.00000000.sdmp, DevCon.exe, 00000010.00000002.2971306257.0000000001001000.00000020.00000001.01000000.00000020.sdmp, DevCon.exe, 00000010.00000000.2966899944.0000000001001000.00000020.00000001.01000000.00000020.sdmp, DevCon.exe, 00000016.00000002.3046833976.0000000001001000.00000020.00000001.01000000.00000020.sdmp
Source: Binary string: MFCM100.i386.pdb00 source: mfcm100.dll.10.dr
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeCode function: 0_2_00A53AD1 push es; retf 007Ch0_2_00A53AD2
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeCode function: 0_2_00A53AB8 push es; iretd 0_2_00A53ABA
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C3C4821 push ecx; ret 9_2_6C3C4834
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C3C1B89 push ecx; ret 9_2_6C3C1B9C
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7D6F06 push ecx; ret 9_2_6C7D6F19
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7CE265 push ecx; ret 9_2_6C7CE278
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C5D0CC5 push ecx; ret 12_2_6C5D0CD8
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C5C2D88 push eax; ret 12_2_6C5C2DA6
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C5EA6AA push EF3FEFD4h; iretd 12_2_6C5EA6B1
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C5E9CD8 pushad ; iretd 12_2_6C5E9CE6
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C5DB658 push ecx; ret 12_2_6C5DB66B
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeCode function: 8_2_010029C2 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,8_2_010029C2
Source: Ranger Uninstall.exe.7.drStatic PE information: real checksum: 0x7c2b37 should be: 0x24234
Source: System.dll.7.drStatic PE information: real checksum: 0x0 should be: 0x9e55
Source: DigitalCheck-TSSeries_Installer.exe.6.drStatic PE information: real checksum: 0x0 should be: 0x40854c
Source: AccessControl.dll.7.drStatic PE information: real checksum: 0x0 should be: 0xa0c5
Source: GetVersion.dll.6.drStatic PE information: real checksum: 0x0 should be: 0x10313
Source: System.dll.6.drStatic PE information: real checksum: 0x0 should be: 0x9e55

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\certutil.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B88BA459CFB76853EFE0D837D9856C54D23C3EA0 Blob
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exeFile created: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exeFile created: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exeJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\DigitalCheck-TSSeries.pluginJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100cht.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dllJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exeFile created: C:\Windows\SysWOW64\Ts2Dll.dllJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\Users\user\AppData\Local\Temp\nsp1FB6.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Program Files\TellerScan\Drivers\is-SQJEO.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\686fc0c283be14fef7\1040\SetupResources.dllJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger.ocxJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\libplds4.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\2c943420539b5d851ede182b60\1031\SetupResources.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\686fc0c283be14fef7\1028\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100deu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\vcomp100.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\2c943420539b5d851ede182b60\1041\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100u.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\2c943420539b5d851ede182b60\1040\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\msvcr100.dllJump to dropped file
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exeFile created: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Program Files\TellerScan\Drivers\unins000.exe (copy)Jump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\RangerRemoteLogViewer.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Users\user\AppData\Local\Temp\is-U6GNA.tmp\_isetup\_RegDLL.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\msvcp100.dllJump to dropped file
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\SetupZiptrc.exeJump to dropped file
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\AlternaTiff\installFiles\alttiff.ocxJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\nsn657A.tmp\AccessControl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100esn.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\686fc0c283be14fef7\1031\SetupResources.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Program Files\TellerScan\Drivers\DevCon.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\2c943420539b5d851ede182b60\1049\SetupResources.dllJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\nsfB7D0.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Program Files\TellerScan\Drivers\64-bit\TsUsb2.sys (copy)Jump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\Bloodhound.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100rus.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfcm100.dllJump to dropped file
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Windows\system32\TsUsb2.sys (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Program Files\TellerScan\Drivers\64-bit\is-SIRCF.tmpJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\nsn657A.tmp\System.dllJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\libplc4.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\686fc0c283be14fef7\1041\SetupResources.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exeFile created: C:\Users\user\AppData\Local\Temp\nst1CC8.tmp\System.dllJump to dropped file
Source: C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exeFile created: C:\Users\user\AppData\Local\Temp\{02e22527-048b-c641-9e9d-82d7d1e7f993}\TsUsb2.sys (copy)Jump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger.dllJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\IQA\SilverBulletIQA.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\686fc0c283be14fef7\3082\SetupResources.dllJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\LogPrefEditor.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100enu.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\2c943420539b5d851ede182b60\3082\SetupResources.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\2c943420539b5d851ede182b60\SetupUi.dllJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\libnspr4.dllJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\nss3.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe (copy)Jump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\Windows\SysWOW64\MSFLXGRD.OCXJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\softokn3.dllJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\Users\user\AppData\Local\Temp\nsp1FB6.tmp\AccessControl.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Program Files\TellerScan\Drivers\is-Q0CBT.tmpJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\freebl3.dllJump to dropped file
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{d6d0f7dc-9306-6a4e-a067-6656e3feaa58}\SET81CD.tmpJump to dropped file
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{d6d0f7dc-9306-6a4e-a067-6656e3feaa58}\TsUsb2.sys (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\atl100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100chs.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Program Files\TellerScan\Drivers\64-bit\is-S4G1Q.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exeFile created: C:\Users\user\AppData\Local\Temp\nst1CC8.tmp\GetVersion.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\686fc0c283be14fef7\1042\SetupResources.dllJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Uninstall.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\2c943420539b5d851ede182b60\1033\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100ita.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\686fc0c283be14fef7\2052\SetupResources.dllJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Flex\RangerFlex.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\2c943420539b5d851ede182b60\1042\SetupResources.dllJump to dropped file
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Downloaded Program Files\alttiff.ocxJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\686fc0c283be14fef7\1049\SetupResources.dllJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\certutil.exeJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\SoftLockResource.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\686fc0c283be14fef7\Setup.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\686fc0c283be14fef7\1033\SetupResources.dllJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\libeay32.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100fra.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\2c943420539b5d851ede182b60\2052\SetupResources.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\686fc0c283be14fef7\1036\SetupResources.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Users\user\AppData\Local\Temp\is-U6GNA.tmp\_isetup\_shfoldr.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\686fc0c283be14fef7\sqmapi.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Users\user\AppData\Local\Temp\is-U6GNA.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\ssleay32.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\2c943420539b5d851ede182b60\1028\SetupResources.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\686fc0c283be14fef7\SetupUi.dllJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\nssutil3.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\686fc0c283be14fef7\SetupEngine.dllJump to dropped file
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerRemoteSecureInstaller.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\2c943420539b5d851ede182b60\sqmapi.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100.dllJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Users\user\AppData\Local\Temp\nsfB7D0.tmp\nsExec.dllJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\Windows\SysWOW64\cximage.dllJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\smime3.dllJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\RangerRemote.exeJump to dropped file
Source: C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exeFile created: C:\Users\user\AppData\Local\Temp\{02e22527-048b-c641-9e9d-82d7d1e7f993}\SET7E04.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\2c943420539b5d851ede182b60\1036\SetupResources.dllJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\jss4.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfcm100u.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmpFile created: C:\Windows\System32\is-R5HGV.tmpJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exeJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exeFile created: C:\Windows\SysWOW64\buicap32.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100kor.dllJump to dropped file
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\ssl3.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\2c943420539b5d851ede182b60\Setup.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: C:\2c943420539b5d851ede182b60\SetupEngine.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100jpn.dllJump to dropped file
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Uninstaller.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1033\eula.rtfJump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1041\eula.rtfJump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1042\eula.rtfJump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1028\eula.rtfJump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\2052\eula.rtfJump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1040\eula.rtfJump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1036\eula.rtfJump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1031\eula.rtfJump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\3082\eula.rtfJump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\2c943420539b5d851ede182b60\1049\eula.rtfJump to behavior
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Plugin_ReleaseNotes.txt
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\OpenSSL License.txt
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\ReadMe.txt
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\cacert\README.txt
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exeFile created: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\cacert\CACert_RootDistributionLicense.txt
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1033\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1041\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1042\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1028\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\2052\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1040\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1036\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1031\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\3082\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeFile created: c:\686fc0c283be14fef7\1049\eula.rtf
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\RangerInstallFilename_Config.txtJump to behavior
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeFile created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\RangerRemote_InstallFilename_Config.txtJump to behavior
Source: C:\2c943420539b5d851ede182b60\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20230830_233917878-MSI_vc_red.msi.txtJump to behavior
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Silver Bullet TechnologyJump to behavior
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Silver Bullet Technology\RangerJump to behavior
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Silver Bullet Technology\Ranger\ToolsJump to behavior
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Silver Bullet Technology\Ranger\Tools\SBT Log Options.lnkJump to behavior
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Silver Bullet Technology\Ranger\Tools\SBT Log Viewer.lnkJump to behavior
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Silver Bullet Technology\Ranger\RangerFlex.lnkJump to behavior
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Silver Bullet Technology\Silver Bullet Website.lnkJump to behavior
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Silver Bullet Technology\Ranger\Ranger Uninstall.exe - Ranger.lnkJump to behavior
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SBT LogJump to behavior
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C79F721 StartServiceW,9_2_6C79F721
Source: C:\Windows\SysWOW64\msiexec.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61A3DD GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,12_2_6C61A3DD
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Process information set: NOOPENFILEERRORBOX
Source: C:\2c943420539b5d851ede182b60\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerRemoteSecureInstaller.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Process information set: NOOPENFILEERRORBOX
Source: C:\686fc0c283be14fef7\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\686fc0c283be14fef7\Setup.exe TID: 4112 Thread sleep count: 64 > 30
Source: C:\686fc0c283be14fef7\Setup.exe TID: 4112 Thread sleep time: -64000s >= -30000s
Source: C:\2c943420539b5d851ede182b60\Setup.exe Evasive API call chain: GetLocalTime,DecisionNodes graph_9-54472
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\686fc0c283be14fef7\Setup.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exe API coverage: 2.6 %
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{d6d0f7dc-9306-6a4e-a067-6656e3feaa58}\SET81CD.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100cht.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\atl100.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100chs.dll
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp Dropped PE file which has not been started: C:\Program Files\TellerScan\Drivers\64-bit\is-S4G1Q.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\686fc0c283be14fef7\1042\SetupResources.dll
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ts2Dll.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\686fc0c283be14fef7\1040\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp Dropped PE file which has not been started: C:\Program Files\TellerScan\Drivers\is-SQJEO.tmp
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\libplds4.dll
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\2c943420539b5d851ede182b60\1031\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\686fc0c283be14fef7\1028\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\2c943420539b5d851ede182b60\1033\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vcomp100.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\686fc0c283be14fef7\2052\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100deu.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100ita.dll
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Flex\RangerFlex.exe
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\2c943420539b5d851ede182b60\1042\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\2c943420539b5d851ede182b60\1041\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100u.dll
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp Dropped PE file which has not been started: C:\Program Files\TellerScan\Drivers\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\2c943420539b5d851ede182b60\1040\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\686fc0c283be14fef7\1049\SetupResources.dll
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\RangerRemoteLogViewer.exe
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U6GNA.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\SetupZiptrc.exe
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\certutil.exe
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\SoftLockResource.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100esn.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\686fc0c283be14fef7\1033\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\686fc0c283be14fef7\1031\SetupResources.dll
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\libeay32.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100fra.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\2c943420539b5d851ede182b60\2052\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\2c943420539b5d851ede182b60\1049\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\686fc0c283be14fef7\1036\SetupResources.dll
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\Bloodhound.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100rus.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm100.dll
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U6GNA.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U6GNA.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\ssleay32.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\2c943420539b5d851ede182b60\1028\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\686fc0c283be14fef7\SetupUi.dll
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\nssutil3.dll
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\libplc4.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\686fc0c283be14fef7\1041\SetupResources.dll
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger.dll
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\cximage.dll
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\IQA\SilverBulletIQA.dll
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\RangerRemote.exe
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\smime3.dll
Source: C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{02e22527-048b-c641-9e9d-82d7d1e7f993}\SET7E04.tmp
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\686fc0c283be14fef7\3082\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\2c943420539b5d851ede182b60\1036\SetupResources.dll
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\jss4.dll
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\DigitalCheck-TSSeries.plugin
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\LogPrefEditor.exe
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\2c943420539b5d851ede182b60\3082\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm100u.dll
Source: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp Dropped PE file which has not been started: C:\Windows\System32\is-R5HGV.tmp
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe Dropped PE file which has not been started: C:\2c943420539b5d851ede182b60\SetupUi.dll
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\libnspr4.dll
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\nss3.dll
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\buicap32.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100kor.dll
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\softokn3.dll
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\ssl3.dll
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\freebl3.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100jpn.dll
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe Dropped PE file which has not been started: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Uninstaller.exe
Source: C:\2c943420539b5d851ede182b60\Setup.exeAPI call chain: ExitProcess graph end nodegraph_9-53582
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeAPI call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeAPI call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
Source: svchost.exe, 00000001.00000002.3971087653.0000022933E6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\2c943420539b5d851ede182b60\Setup.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7B0C91 __EH_prolog3_GS,GetModuleHandleW,GetLastError,GetSystemInfo,GetNativeSystemInfo,GetLastError,GetLastError,GetLastError,_memset,GetLastError,9_2_6C7B0C91
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C3D8097 memset,memset,FindFirstFileW,DeleteFileW,GetLastError,FindNextFileW,FindClose,9_2_6C3D8097
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C3C4281 memset,EnterCriticalSection,FindFirstFileW,LeaveCriticalSection,ctype,FindNextFileW,FindClose,ResetEvent,CreateThread,CloseHandle,GetLastError,9_2_6C3C4281
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C785B82 __EH_prolog3_GS,_memset,FindFirstFileW,FindNextFileW,FindClose,9_2_6C785B82
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C78410A FindFirstFileW,GetFullPathNameW,SetLastError,_wcsrchr,_wcsrchr,9_2_6C78410A
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61CC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,12_2_6C61CC23
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C620CBB _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C620CBB
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61C8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,12_2_6C61C8FD
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C62088A _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C62088A
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61E0BD _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,12_2_6C61E0BD
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C5E81A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C5E81A1
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61FF0E _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C61FF0E
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61F9DD _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C61F9DD
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61DBC0 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,12_2_6C61DBC0
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61F593 _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C61F593
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61D687 _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,12_2_6C61D687
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C61F169 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C61F169
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C62110C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,12_2_6C62110C
Source: C:\2c943420539b5d851ede182b60\Setup.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\686fc0c283be14fef7\Setup.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeCode function: 8_2_010029C2 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,8_2_010029C2
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7CEB6A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_6C7CEB6A
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7CC78B VirtualProtect ?,-00000001,00000104,?9_2_6C7CC78B
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C649B6F __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__doserrno,_errno,__lseeki64_nolock,_get_osfhandle,SetEndOfFile,_errno,__doserrno,GetLastError,__lseeki64_nolock,12_2_6C649B6F
Source: C:\2c943420539b5d851ede182b60\Setup.exe; Memory allocated: page read and write | page guard
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C3C171F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_6C3C171F
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7A76A7 __EH_prolog3,GetModuleHandleW,GetProcAddress,SetThreadStackGuarantee,SetUnhandledExceptionFilter,GetCommandLineW,9_2_6C7A76A7
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7CEB6A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_6C7CEB6A
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7CB091 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_6C7CB091
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C64AD2C _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,12_2_6C64AD2C
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C5D07A7 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,12_2_6C5D07A7
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: 12_2_6C64C097 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,12_2_6C64C097
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exe; Process created: C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp "c:\users\user\appdata\local\temp\is-ntjdl.tmp\tellerscandriverv1107.tmp" /sl5="$50338,947705,67072,c:\program files (x86)\silver bullet technology\ranger\scanner plug-ins\digitalcheck-tsseries\ranger\digitalcheck-tsseries\api files\driver\tellerscandriverv1107.exe" /verysilent
Source: C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\setup.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\net.exe NET SESSION
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe" /S
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 "C:\Windows\Downloaded Program Files\alttiff.ocx" /s
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerRemoteSecureInstaller.exe "C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerRemoteSecureInstaller.exe" /S
Source: C:\Windows\SysWOW64\net.exe; Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 SESSION
Source: C:\Windows\System32\cmd.exe; Process created: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe "Ranger Remote_v1.4.2.1_Installer.exe" /wss /S
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe; Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\remove_ms_certs.cmd""
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\remove-FF-certs.cmd""
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\add_ms_certs.cmd""
Source: C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\add-certs.cmd""
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\certutil.exe "C:\Windows\system32\certutil.exe" -delstore "Root" "www.sbullet.com"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\certutil.exe "C:\Windows\system32\certutil.exe" -addstore -f "Root" "C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\rootCA.pem"
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C77DF27 AllocateAndInitializeSid,9_2_6C77DF27
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7A3657 GetSecurityDescriptorDacl,_malloc,InitializeSecurityDescriptor,_free,GetAclInformation,_malloc,_memcpy_s,SetSecurityDescriptorDacl,_free,_free,9_2_6C7A3657
Source: Setup.exe, 00000032.00000003.3268419813.0000000000ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k17[3840] [explorer.exe] [Program Manager] [Visible]ible]
Source: Setup.exe, 00000032.00000003.3268419813.0000000000EC9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager="button" class="button" onclick="showResult('r',true)" value="Summary"/> 
Source: Setup.exe, 00000009.00000003.2809811740.00000000006E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager for="tCB" class="pointer">Date Time</label>&nbsp;&nbsp;
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,12_2_6C64EF5C
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,12_2_6C5D74D0
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,12_2_6C5D750C
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,12_2_6C5D767A
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: _getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,_strlen,GetLocaleInfoA,_stricmp,_strlen,_stricmp,_TestDefaultLanguage,12_2_6C64F05E
Source: C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,12_2_6C64F003
Source: C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe; Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe; Queries volume information: C:\Windows\System32\DriverStore\Temp\{d6d0f7dc-9306-6a4e-a067-6656e3feaa58}\TsUsb2_x64.cat VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C3C343E GetSystemTime,SystemTimeToFileTime,9_2_6C3C343E
Source: C:\2c943420539b5d851ede182b60\Setup.exeCode function: 9_2_6C7A7B40 __EH_prolog3_GS,GetCommandLineW,_memset,GetTimeZoneInformation,GetThreadLocale,9_2_6C7A7B40
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86.exeCode function: 8_2_010027CB GetVersionExA,8_2_010027CB
Source: C:\Windows\SysWOW64\msiexec.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: 1 Scripting; 2 Native API; 12 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
Persistence: 1 LSASS Driver; 1 DLL Side-Loading; 12 Windows Service; 1 Registry Run Keys / Startup Folder; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Privilege Escalation: 1 LSASS Driver; 1 DLL Side-Loading; 1 Access Token Manipulation; 12 Windows Service; 12 Process Injection; 1 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Defense Evasion: 21 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Scripting; 3 Obfuscated Files or Information; 2 Install Root Certificate; 1 DLL Side-Loading; 1 File Deletion; 43 Masquerading; 1 Modify Registry; 1 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 12 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: 2 System Time Discovery; 11 Peripheral Device Discovery; 4 File and Directory Discovery; 27 System Information Discovery; 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 3 Process Discovery; 2 System Owner/User Discovery; System Network Connections Discovery; Process Discovery; Permission Groups Discovery; Local Groups
Lateral Movement: 1 Replication Through Removable Media; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
Command and Control: 1 Ingress Tool Transfer; 2 Encrypted Channel; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
[Behavior graph (image not reproduced): Behavior Graph ID: 1300719; Sample: Scotiabank_Scanner_Driver_D...; Startdate: 30/08/2023; Architecture: WINDOWS; Score: 48]

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe | 5% | ReversingLabs | | |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\2c943420539b5d851ede182b60\1028\SetupResources.dll | 0% | ReversingLabs | | |
| C:\2c943420539b5d851ede182b60\1031\SetupResources.dll | 0% | ReversingLabs | | |
| C:\2c943420539b5d851ede182b60\1033\SetupResources.dll | 0% | ReversingLabs | | |
| C:\2c943420539b5d851ede182b60\1036\SetupResources.dll | 0% | ReversingLabs | | |
| C:\2c943420539b5d851ede182b60\1040\SetupResources.dll | 0% | ReversingLabs | | |
| C:\2c943420539b5d851ede182b60\1041\SetupResources.dll | 0% | ReversingLabs | | |
| C:\2c943420539b5d851ede182b60\1042\SetupResources.dll | 0% | ReversingLabs | | |
| C:\2c943420539b5d851ede182b60\1049\SetupResources.dll | 0% | ReversingLabs | | |
| C:\2c943420539b5d851ede182b60\2052\SetupResources.dll | 0% | ReversingLabs | | |
| C:\2c943420539b5d851ede182b60\3082\SetupResources.dll | 0% | ReversingLabs | | |
| C:\2c943420539b5d851ede182b60\Setup.exe | 0% | ReversingLabs | | |
| C:\2c943420539b5d851ede182b60\SetupEngine.dll | 0% | ReversingLabs | | |
| C:\2c943420539b5d851ede182b60\SetupUi.dll | 0% | ReversingLabs | | |
| C:\2c943420539b5d851ede182b60\sqmapi.dll | 0% | ReversingLabs | | |
| C:\686fc0c283be14fef7\1028\SetupResources.dll | 0% | ReversingLabs | | |
| C:\686fc0c283be14fef7\1031\SetupResources.dll | 0% | ReversingLabs | | |
| C:\686fc0c283be14fef7\1033\SetupResources.dll | 0% | ReversingLabs | | |
| C:\686fc0c283be14fef7\1036\SetupResources.dll | 0% | ReversingLabs | | |
| C:\686fc0c283be14fef7\1040\SetupResources.dll | 0% | ReversingLabs | | |
| C:\686fc0c283be14fef7\1041\SetupResources.dll | 0% | ReversingLabs | | |
| C:\686fc0c283be14fef7\1042\SetupResources.dll | 0% | ReversingLabs | | |
| C:\686fc0c283be14fef7\1049\SetupResources.dll | 0% | ReversingLabs | | |
| C:\686fc0c283be14fef7\2052\SetupResources.dll | 0% | ReversingLabs | | |
| C:\686fc0c283be14fef7\3082\SetupResources.dll | 0% | ReversingLabs | | |
| C:\686fc0c283be14fef7\Setup.exe | 0% | ReversingLabs | | |
| C:\686fc0c283be14fef7\SetupEngine.dll | 0% | ReversingLabs | | |
| C:\686fc0c283be14fef7\SetupUi.dll | 0% | ReversingLabs | | |
| C:\686fc0c283be14fef7\sqmapi.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe | 5% | ReversingLabs | | |
| C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Flex\RangerFlex.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\IQA\SilverBulletIQA.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\Bloodhound.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\LogPrefEditor.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\certutil.exe | 2% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\freebl3.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\jss4.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\libnspr4.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\libplc4.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\libplds4.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\nss3.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\nssutil3.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\smime3.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\softokn3.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\bin\ssl3.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\RangerRemote.exe | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\RangerRemoteLogViewer.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\libeay32.dll | 4% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\ssleay32.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Uninstall.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger.ocx | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\DigitalCheck-TSSeries.plugin | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exe | 2% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Uninstaller.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Silver Bullet Technology\Ranger\SoftLockResource.dll | 0% | ReversingLabs | | |
| C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe (copy) | 0% | ReversingLabs | | |
| C:\Program Files\TellerScan\Drivers\64-bit\TsUsb2.sys (copy) | 0% | ReversingLabs | | |
| C:\Program Files\TellerScan\Drivers\64-bit\is-S4G1Q.tmp | 0% | ReversingLabs | | |
| C:\Program Files\TellerScan\Drivers\64-bit\is-SIRCF.tmp | 0% | ReversingLabs | | |
| C:\Program Files\TellerScan\Drivers\DevCon.exe (copy) | 0% | ReversingLabs | | |
| C:\Program Files\TellerScan\Drivers\is-Q0CBT.tmp | 0% | ReversingLabs | | |
| C:\Program Files\TellerScan\Drivers\is-SQJEO.tmp | 4% | ReversingLabs | | |
| C:\Program Files\TellerScan\Drivers\unins000.exe (copy) | 4% | ReversingLabs | | |
| C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe | 2% | ReversingLabs | | |
| C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\7ZipSfx.000\AlternaTiff\installFiles\alttiff.ocx | 3% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe | 2% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerRemoteSecureInstaller.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\SetupZiptrc.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-U6GNA.tmp\_isetup\_RegDLL.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-U6GNA.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-U6GNA.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsfB7D0.tmp\System.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsfB7D0.tmp\nsExec.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsn657A.tmp\AccessControl.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsn657A.tmp\System.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsp1FB6.tmp\AccessControl.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsp1FB6.tmp\System.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nst1CC8.tmp\GetVersion.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nst1CC8.tmp\System.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\vcredist_x86.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\{02e22527-048b-c641-9e9d-82d7d1e7f993}\SET7E04.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\{02e22527-048b-c641-9e9d-82d7d1e7f993}\TsUsb2.sys (copy) | 0% | ReversingLabs | | |
| C:\Windows\Downloaded Program Files\alttiff.ocx | 3% | ReversingLabs | | |
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://www.innosetup.com/ | 0% | URL Reputation | safe | |
| http://ocsp.thawte.com0 | 0% | URL Reputation | safe | |
| http://go.microsoft. | 0% | URL Reputation | safe | |
| https://%s.xboxlive.com | 0% | URL Reputation | safe | |
| http://www.remobjects.com/psU | 0% | URL Reputation | safe | |
| http://www.remobjects.com/ps | 0% | URL Reputation | safe | |
| http://schemas.microsof | 0% | URL Reputation | safe | |
| https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe | |
| ftp://http://HTTP/1.0 | 0% | Avira URL Cloud | safe | |
| http://www.sbulletsupport.com/forum/index.php?topic=308.0 | 0% | Avira URL Cloud | safe | |
| http://www.sbullet.comPublisherSilver | 0% | Avira URL Cloud | safe | |
| http://www.sbullet.com | 0% | Avira URL Cloud | safe | |
| http://www.alternatiff.com/l& | 0% | Avira URL Cloud | safe | |
| http://www.alternatiff.com/register/Incorrect | 0% | Avira URL Cloud | safe | |
| http://schemas.microsoft | 0% | Avira URL Cloud | safe | |
| http://www.sbullet.com0 | 0% | Avira URL Cloud | safe | |
| http://schemas.micros | 0% | Avira URL Cloud | safe | |
| http://www.alternatiff.com/ | 0% | Avira URL Cloud | safe | |
| http://www.alternatiff.com/register/ | 0% | Avira URL Cloud | safe | |
No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://www.alternatiff.com/l& | Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, alttiff.ocx.0.dr | false | Avira URL Cloud: safe | unknown |
| http://www.innosetup.com/ | TellerScanDriverV1107.exe, 0000000E.00000003.2950019051.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.exe, 0000000E.00000003.2949128221.0000000002440000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000000.2951655920.0000000000401000.00000020.00000001.01000000.0000001F.sdmp | false | URL Reputation: safe | unknown |
| http://www.sbullet.comPublisherSilver | DigitalCheck-TSSeries_Installer.exe, 0000000D.00000002.3075052465.00000000004A2000.00000004.00000020.00020000.00000000.sdmp, Ranger Remote_v1.4.2.1_Installer.exe, 00000020.00000002.3966472416.000000000071D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.alternatiff.com/register/Incorrect | Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, alttiff.ocx.0.dr | false | Avira URL Cloud: safe | unknown |
| http://ocsp.thawte.com0 | RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmp, Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, alttiff.ocx.0.dr | false | URL Reputation: safe | unknown |
| http://go.microsoft. | Setup.exe, 00000009.00000003.2795369962.0000000002686000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000009.00000003.2789364756.0000000002300000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000032.00000003.3226102410.0000000002B86000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000032.00000003.3236465658.0000000002A86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://schemas.micros | Setup.exe, 00000032.00000003.3223730555.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.sbullet.com0 | RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp | false | Avira URL Cloud: safe | unknown |
| http://nsis.sf.net/NSIS_ErrorError | RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe, 00000006.00000002.3090260653.0000000000409000.00000004.00000001.01000000.00000005.sdmp, RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe, 00000006.00000000.2737738757.0000000000409000.00000008.00000001.01000000.00000005.sdmp, RangerCore_4.2.18.0.exe, 00000007.00000003.2910909537.0000000000874000.00000004.00000020.00020000.00000000.sdmp, RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, DigitalCheck-TSSeries_Installer.exe, 0000000D.00000002.3074479114.0000000000409000.00000004.00000001.01000000.0000001C.sdmp, DigitalCheck-TSSeries_Installer.exe, 0000000D.00000003.3070494811.0000000003F71000.00000004.00000020.00020000.00000000.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000000.3099601117.000000000040A000.00000008.00000001.01000000.00000024.sdmp, Ranger Remote_v1.4.2.1_Installer.exe, 00000020.00000002.3963450026.0000000000409000.00000004.00000001.01000000.00000025.sdmp, Ranger Remote_v1.4.2.1_Installer.exe, 00000020.00000000.3137570816.0000000000409000.00000008.00000001.01000000.00000025.sdmp, Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe.0.dr | false | | high |
| http://www.symauth.com/cps0( | RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmp | false | | high |
| https://%s.xboxlive.com | svchost.exe, 00000001.00000002.3969225661.0000022933E40000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | low |
| http://www.sbullet.com | RangerCore_4.2.18.0.exe, 00000007.00000002.2913153935.0000000000812000.00000004.00000020.00020000.00000000.sdmp, DigitalCheck-TSSeries_Installer.exe, 0000000D.00000002.3075052465.00000000004A2000.00000004.00000020.00020000.00000000.sdmp, DigitalCheck-TSSeries_Installer.exe, 0000000D.00000003.3073480898.0000000000543000.00000004.00000020.00020000.00000000.sdmp, Ranger Remote_v1.4.2.1_Installer.exe, 00000020.00000002.3966472416.000000000071D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.digitalcheck.com/ | TellerScanDriverV1107.exe, 0000000E.00000003.2948484353.0000000002440000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.exe, 0000000E.00000003.2948598070.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.exe, 0000000E.00000003.3068448593.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000003.3063788714.0000000002368000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000003.2954368008.0000000002368000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000003.2954206973.00000000031F0000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| http://www.digitalcheck.com/Z9 | TellerScanDriverV1107.tmp, 0000000F.00000003.3063046216.0000000000647000.00000004.00000020.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000002.3066708898.000000000064A000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://nsis.sf.net/NSIS_Error | RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe, 00000006.00000002.3090260653.0000000000409000.00000004.00000001.01000000.00000005.sdmp, RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe, 00000006.00000000.2737738757.0000000000409000.00000008.00000001.01000000.00000005.sdmp, RangerCore_4.2.18.0.exe, 00000007.00000003.2910909537.0000000000874000.00000004.00000020.00020000.00000000.sdmp, RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, DigitalCheck-TSSeries_Installer.exe, 0000000D.00000002.3074479114.0000000000409000.00000004.00000001.01000000.0000001C.sdmp, DigitalCheck-TSSeries_Installer.exe, 0000000D.00000003.3070494811.0000000003F71000.00000004.00000020.00020000.00000000.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000000.3099601117.000000000040A000.00000008.00000001.01000000.00000024.sdmp, Ranger Remote_v1.4.2.1_Installer.exe, 00000020.00000002.3963450026.0000000000409000.00000004.00000001.01000000.00000025.sdmp, Ranger Remote_v1.4.2.1_Installer.exe, 00000020.00000000.3137570816.0000000000409000.00000008.00000001.01000000.00000025.sdmp, Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe.0.dr | false | | high |
| http://www.alternatiff.com/register/ | Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, alttiff.ocx.0.dr | false | Avira URL Cloud: safe | unknown |
| http://www.remobjects.com/psU | TellerScanDriverV1107.exe, 0000000E.00000003.2950019051.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.exe, 0000000E.00000003.2949128221.0000000002440000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000000.2951655920.0000000000401000.00000020.00000001.01000000.0000001F.sdmp | false | URL Reputation: safe | unknown |
| ftp://http://HTTP/1.0 | SBTLogServiceWindows.exe, 0000000C.00000002.3977131380.000000006C6F1000.00000020.00000001.01000000.00000016.sdmp | false | Avira URL Cloud: safe | low |
| http://crl.thawte.com/ThawteTimestampingCA.crl0 | RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmp, Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, alttiff.ocx.0.dr | false | | high |
| http://www.symauth.com/rpa00 | RangerCore_4.2.18.0.exe, 00000007.00000002.2912508861.0000000000409000.00000004.00000001.01000000.00000008.sdmp, RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmp | false | | high |
| http://www.fiserv.com/0 | RangerRemoteSecureInstaller.exe, 0000001B.00000002.3964159230.000000000040A000.00000004.00000001.01000000.00000024.sdmp | false | | high |
| http://www.alternatiff.com/ | alttiff.ocx.0.dr | false | Avira URL Cloud: safe | unknown |
| http://www.digitalcheck.com/& | TellerScanDriverV1107.exe, 0000000E.00000003.2948598070.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.exe, 0000000E.00000003.3068448593.00000000021C1000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| http://www.openssl.org/) | OpenSSL License.txt.32.dr | false | | high |
| http://www.remobjects.com/ps | TellerScanDriverV1107.exe, 0000000E.00000003.2950019051.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.exe, 0000000E.00000003.2949128221.0000000002440000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000000.2951655920.0000000000401000.00000020.00000001.01000000.0000001F.sdmp | false | URL Reputation: safe | unknown |
| https://activity.windows.com | svchost.exe, 00000001.00000002.3969225661.0000022933E40000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://schemas.microsof | Setup.exe, 00000009.00000003.2809931762.0000000000708000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.digitalcheck.com/. | TellerScanDriverV1107.exe, 0000000E.00000003.2948598070.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.exe, 0000000E.00000003.3068448593.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000003.3063788714.0000000002368000.00000004.00001000.00020000.00000000.sdmp, TellerScanDriverV1107.tmp, 0000000F.00000003.2954368008.0000000002368000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| http://www.sbulletsupport.com/forum/index.php?topic=308.0 | RangerImageFromBase64.html.32.dr | false | Avira URL Cloud: safe | unknown |
| http://schemas.microsoft | eula.rtf2.8.dr | false | Avira URL Cloud: safe | unknown |
| https://%s.dnet.xboxlive.com | svchost.exe, 00000001.00000002.3969225661.0000022933E40000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | low |
No contacted IP infos
Joe Sandbox Version:38.0.0 Beryl
Analysis ID:1300719
Start date and time:2023-08-30 23:38:42 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 12m 43s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:51
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample file name:Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
Detection:MAL
Classification:mal48.bank.evad.winEXE@82/346@0/0
EGA Information:
• Successful, ratio: 75%
HDC Information:
• Successful, ratio: 17.1% (good quality ratio 15.8%)
• Quality average: 76%
• Quality standard deviation: 29.6%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 191
• Number of non-executed functions: 204
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, HxTsr.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, login.live.com
• Execution Graph export aborted for target Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, PID 6676 because there are no executed function
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
No simulations
No context
No context
No context
No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\2c943420539b5d851ede182b60\1028\SetupResources.dll | http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip | | malicious | Unknown | | |
| | https://files.jalinga.com/builds/releases/jalinga_studio.4.0.2040.0.exe | | malicious | Unknown | | |
| | dotNetFx40_Full_x86_x64.exe | | malicious | Unknown | | |
| | https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q | | malicious | Unknown | | |
| | TinyTakeSetup_v_5_2_16.exe | | malicious | Unknown | | |
| C:\2c943420539b5d851ede182b60\1031\SetupResources.dll | http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip | | malicious | Unknown | | |
| | https://files.jalinga.com/builds/releases/jalinga_studio.4.0.2040.0.exe | | malicious | Unknown | | |
| | dotNetFx40_Full_x86_x64.exe | | malicious | Unknown | | |
| | https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q | | malicious | Unknown | | |
| | TinyTakeSetup_v_5_2_16.exe | | malicious | Unknown | | |
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):788
                                              Entropy (8bit):0.09823380614560741
                                              Encrypted:false
                                              SSDEEP:3:lbll/:lB
                                              MD5:DF7119A5D3CAEDA80BF0FB6F8E53DE8F
                                              SHA1:76458E1D2E0FA4519FACB71A5F23F8799713BE2B
                                              SHA-256:3C418A401CBE09F64EDE6E598C5CA36717830446147C8EF6327168EDC7B1CB0C
                                              SHA-512:85142D1942111783303FA060348BC76B1DD361336DCCC9DC9CDD3432EC6CF215756CBA66A367E560C9D5719BA4F585434319A66D9A97D9A09F5AC4A752B00B6C
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (388), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):30672
                                              Entropy (8bit):4.2936704552740705
                                              Encrypted:false
                                              SSDEEP:384:4Y6C7xfsxMEYgPNRAsy50keJzH7o3oDPnv:MxLJz7
                                              MD5:7FC06A77D9AAFCA9FB19FAFA0F919100
                                              SHA1:E565740E7D582CD73F8D3B12DE2F4579FF18BB41
                                              SHA-256:A27F809211EA1A2D5224CD01101AA3A59BF7853168E45DE28A16EF7ED6ACD46A
                                              SHA-512:466DCC6A5FB015BE1619F5725FA62CA46EB0FB428E11F93FD9D82E5DF61C3950B3FB62D4DB7746CC4A2BE199E5E69EAA30B6F3354E0017CFA14D127FAD52F8CF
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):14168
                                              Entropy (8bit):5.9724110685335825
                                              Encrypted:false
                                              SSDEEP:192:fc2+tUfwZWPl53LmlVlSW1g+/axw0lczWpXEWUQKPnEtObMacxc8hjeyveCXzHbk:hzuwLmlCW1g+/kmzWpXEWULXci2jpv3e
                                              MD5:7C136B92983CEC25F85336056E45F3E8
                                              SHA1:0BB527E7004601E920E2AAC467518126E5352618
                                              SHA-256:F2E8CA58FA8D8E694D04E14404DEC4E8EA5F231D3F2E5C2F915BD7914849EB2B
                                              SHA-512:06DA50DDB2C5F83E6E4B4313CBDAE14EED227EEC85F94024A185C2D7F535B6A68E79337557727B2B40A39739C66D526968AAEDBCFEF04DAB09DC0426CFBEFBF4
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Joe Sandbox View:
                                              • Filename: , Detection: malicious, Browse
                                              • Filename: , Detection: malicious, Browse
                                              • Filename: dotNetFx40_Full_x86_x64.exe, Detection: malicious, Browse
                                              • Filename: , Detection: malicious, Browse
                                              • Filename: TinyTakeSetup_v_5_2_16.exe, Detection: malicious, Browse
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):188446
                                              Entropy (8bit):4.98936861773382
                                              Encrypted:false
                                              SSDEEP:3072:vjB8N7T+SN6FY5PmQlivKawlrIMUkYfkv8CshgJNgRJAoJvIrOJBElrhzxQXK6uG:o7SSN6FYtmQlivKawlrIMUkYfkv8Cs4U
                                              MD5:129D8E8824B0D545ADC29E571A6E2C02
                                              SHA1:5A1DDFCD2AE21D96C818D315CB5E263F525A39CD
                                              SHA-256:83B8268E2874699227F9B1AD3F72A06CBF474EFA3983F5C5EE9BFE415DB98476
                                              SHA-512:1048F646D5866DC8736DB0A023A65A7E208A5F56774FA8EC5D59E4272A54A9A6E94B01B84293A7EC9F889BAD7865522E783AF30BF61BB9249687DCEAC62066D8
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (615), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):41622
                                              Entropy (8bit):3.577523249714746
                                              Encrypted:false
                                              SSDEEP:384:4nF+jpoHnZi8oO0GOJ2+8q6OUjEYJL/ZiITrKv:V03XjZJL/YIy
                                              MD5:B83C3803712E61811C438F6E98790369
                                              SHA1:61A0BC59388786CED045ACD82621BEE8578CAE5A
                                              SHA-256:2AA6E8D402E44D9EE895B18195F46BF90259DE1B6F44EFD46A7075B110F2DCD6
                                              SHA-512:E020F93E3A082476087E690AD051F1FEB210E0915924BB4548CC9F53A7EE2760211890EB6036CE9E5E4A311ABC0300E89E25EFBBB894C2A621FFBC9D64CC8A38
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):18776
                                              Entropy (8bit):5.135663555520085
                                              Encrypted:false
                                              SSDEEP:384:lQ16m3rhGrcHN/USYvYVA9WKieW8bLXci2jXHU2Ze:lEhCSVYvYVAA+Mi2jXHU2A
                                              MD5:7C9AE49B3A400C728A55DD1CACC8FFB2
                                              SHA1:DD3A370F541010AD650F4F6AA42E0CFC68A00E66
                                              SHA-256:402C796FEBCD78ACE8F1C5975E39193CFF77F891CFF4D32F463F9A9C83806D4A
                                              SHA-512:D30FE9F78A49C533BE5C00D88B8C2E66A8DFAC6D1EAE94A230CD937F0893F6D4A0EECE59C1D2C3C8126FFA9A9648EC55A94E248CD8C7F9677F45C231F84F221B
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Joe Sandbox View:
                                              • Filename: , Detection: malicious, Browse
                                              • Filename: , Detection: malicious, Browse
                                              • Filename: dotNetFx40_Full_x86_x64.exe, Detection: malicious, Browse
                                              • Filename: , Detection: malicious, Browse
                                              • Filename: TinyTakeSetup_v_5_2_16.exe, Detection: malicious, Browse
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):163866
                                              Entropy (8bit):5.029712171633306
                                              Encrypted:false
                                              SSDEEP:3072:oiJ+vgRJA8J/snalBEm0OgKXIJR10GZybh2C:aQ
                                              MD5:117DABB5A055B09B6DB6BCBA8F911073
                                              SHA1:E8F5D907939400824CC5DADB681852C35CA7BB79
                                              SHA-256:DAEA9CD8151A2C24A87C3254DEC1DE0463234E44922C8E0AA4E01AB58EC89664
                                              SHA-512:E995D03998BE9F07F9E9B8566E429D3795ADBDEEEFB2048D6B8877CE15A0ABFCE4FAAEE8DC773250495C15CC35FD0040D81593B51067533836D5F3CF8612D3C4
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (565), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):39246
                                              Entropy (8bit):3.5443876937052083
                                              Encrypted:false
                                              SSDEEP:192:4kVKhG9aX0SDpI53/asO0KMv+VXxwVcPIv5COQu4SLbpmQVX5FB0zJOkue6Jjfz3:4MKhJkeZsdlNl9SJOkR6NXaxu
                                              MD5:D642E322D1E8B739510CA540F8E779F9
                                              SHA1:36279C76D9F34C09EBDDC84FD33FCC7D4B9A896C
                                              SHA-256:5D90345FF74E177F6DA8FB6459C1CFCAC080E698215CA75FEB130D0D1F2A76B9
                                              SHA-512:E1E16AE14BC7CC1608E1A08D3C92B6D0518B5FABD27F2C0EB514C87AFC3D6192BF7A793A583AFC65F1899F03DC419263B29174456E1EC9AB0F0110E0258E0F0D
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):17240
                                              Entropy (8bit):5.151474565875158
                                              Encrypted:false
                                              SSDEEP:192:byk5nUfwTW7JwWp0eW6jp8M+9HS8bC/TJs7kFkzQKPnEtObMacxc8hjeyveCXZBe:pgoTWp0eWB9ygC/TfFkzLXci2jpv8
                                              MD5:9547D24AC04B4D0D1DBF84F74F54FAF7
                                              SHA1:71AF6001C931C3DE7C98DDC337D89AB133FE48BB
                                              SHA-256:36D0159ED1A7D88000737E920375868765C0A1DD6F5A5ACBB79CF7D97D9E7A34
                                              SHA-512:8B6048F4185A711567679E2DE4789407077CE5BFE72102D3CB1F23051B8D3E6BFD5886C801D85B4E62F467DD12DA1C79026A4BC20B17F54C693B2F24E499D40F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                              Category:dropped
                                              Size (bytes):7080
                                              Entropy (8bit):4.934776172726828
                                              Encrypted:false
                                              SSDEEP:192:9fcddvfbS9u6zZ+kodpj4eQ1lhcgi5X90vJqpsSih2:y/fbSZ/odpjmlhcgi5NSkRA2
                                              MD5:19D028345AADCC05697EEC6D8C5B5874
                                              SHA1:70BD3D4D51373FB82F0257F28D5F3609BFC82520
                                              SHA-256:F4FF4EACE31B75176A0806E1693041D546D2599AEC0C77D295BAD09CAC7D9FE7
                                              SHA-512:9B3DFFEC7C1595197AF69E59094588541558BEF56982475DDDD2C9E3D75FC8B970B384452713632AE20435EC0CAEC6CC4CD8CEC9CD4B4809335FDC9F2CC7B842
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (619), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):41492
                                              Entropy (8bit):3.5522209001567364
                                              Encrypted:false
                                              SSDEEP:192:4GrYAOJoFbZZ0eQiFaD4EbJeiI5hJUPu2oBknXoFDYnZCoroUnAJJFHq20/kFR/0:4GZUoRZc5ryx2fHIJR0kbG52gjfVv
                                              MD5:E382ABC19294F779D2833287242E7BC6
                                              SHA1:1CEAE32D6B24A3832F9244F5791382865B668A72
                                              SHA-256:43F913FF28D677316F560A0F45221F35F27CFAF5FC5BD645974A82DCA589EDBF
                                              SHA-512:06054C8048CADE36A3AF54F9A07FD8FA5EB4F3228790996D2ABEA7EE1EE7EB563D46BD54FF97441F9610E778194082C44E66C5F566C9C50A042ABA9EB9CAE25E
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):18776
                                              Entropy (8bit):5.112489568342605
                                              Encrypted:false
                                              SSDEEP:384:J7Z66AY9li3OoDDkbiWpQeWELXci2jpv8:JffiZDgycMi2jpv8
                                              MD5:93F57216FE49E7E2A75844EDFCCC2E09
                                              SHA1:DCCD52787F147E9581D303A444C8EE134AFC61A8
                                              SHA-256:2506827219B461B7C6C862DAE29C8BFF8CB7F4A6C28D2FF60724CAC70903987D
                                              SHA-512:EADFFB534C5447C24B50C7DEFA5902F9EB2DCC4CF9AF8F43FA889B3367EA25DFA6EA87FF89C59F1B7BBF7106888F05C7134718021B44337AE5B7D1F808303BB1
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):162915
                                              Entropy (8bit):5.023428742885146
                                              Encrypted:false
                                              SSDEEP:3072:Xn6ipERiA7JzI3ilBEBr97dQnKG5zpZ27KN4:KiZ
                                              MD5:BBBBB0BDA00FDA985BB39FEE5FD04FF8
                                              SHA1:3053CF30FAD92F133AD3EA7EEFB8C729D323EA00
                                              SHA-256:3CB591E6801E91FE58E79449F7C99B88C3BA0ACE5D922B4AA0C8F2CDD81854BD
                                              SHA-512:32CC1B0F033B13D7614F8BD80DE4D3F9D4668632010BCB563E90773FB2F4971D19206C46B0C2B0E55308CA14F4DEAF5EB415DAE5F2C0C4331B5DF0AE44B2F61E
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (601), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):40338
                                              Entropy (8bit):3.5295538496820984
                                              Encrypted:false
                                              SSDEEP:384:4hZo3+Ma9e1JzNZNs4fneAEJ0o5H/PuRv:NaudsJ1u
                                              MD5:0AF948FE4142E34092F9DD47A4B8C275
                                              SHA1:B3D6DD5C126280398D9055F90E2C2C26DBAE4EAA
                                              SHA-256:C4C7C0DDAA6D6A3A1DC260E9C5A24BDFAA98C427C69E8A65427DD7CAC0A4B248
                                              SHA-512:D97B5FE2553CA78A3019D53E33D2DB80C9FA1CF1D8D2501D9DDF0576C7E6EA38DAB754FE4712123ABF34B97E10B18FB4BBD1C76D3DACB87B4682E501F93423D9
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):18264
                                              Entropy (8bit):5.142702232041524
                                              Encrypted:false
                                              SSDEEP:384:77n6Tg7AtONBKHno5hWXeWFLXci2jpvz2:7XAbs+ZMi2jpvz2
                                              MD5:E4860FC5D4C114D5C0781714F3BF041A
                                              SHA1:864CE88E8AB1DB9AFF6935F9231521B6B72D5974
                                              SHA-256:6B2D479D2D2B238EC1BA9D14F9A68DC552BC05DCBCC9007C7BB8BE66DEFC643B
                                              SHA-512:39B0A97C4E83D5CCA1CCCCE494831ADBC18DF1530C02E6A2C13DAE66150F66A7C987A26CECB5587EA71DD530C8BE1E46922FE8C65AE94145D90B0A057C06548D
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):189369
                                              Entropy (8bit):4.993456059906976
                                              Encrypted:false
                                              SSDEEP:3072:8K91dpBgRJA8J/snalBEm0OgKXIJR10GZybh2C:8aK
                                              MD5:F1602100F6C135AB5D8026E9248BAF02
                                              SHA1:DEBE92E8761F5320352DCFFE844FB25A10E9EA14
                                              SHA-256:284A8BBA438DA22A1B4F497B0B4ED1D9886184859527B87FF7350C83F198AB2D
                                              SHA-512:2A0FBEF3114B54EDB400D913D317A5097801834BEE0FB536B0FF645DD1CA40A1451945AD563119A5BA80F26B51CDA8B23E93BE71D7C82723AFEDE3CBF1DA00C6
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (440), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):34318
                                              Entropy (8bit):4.3825885013202255
                                              Encrypted:false
                                              SSDEEP:192:4OTOo45ZyAYcou3LDnmUjMFsrHZmxqJOXhNCGYHre3iR7v:4OTOoMhYcRaOXJ6koIv
                                              MD5:7FCFBC308B0C42DCBD8365BA62BADA05
                                              SHA1:18A0F0E89B36818C94DE0AD795CC593D0E3E29A9
                                              SHA-256:01E7D24DD8E00B5C333E96D1BB83813E02E96F89AAD0C2F28F84551D28ABBBE2
                                              SHA-512:CD6F912A037E86D9E1982C73F0F8B3C4D5A9A6B5B108A7B89A46E6691E430A7CB55718DE9A0C05650BB194C8D4A2E309AD6221D638CFCA8E16AA5920881BA649
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):15704
                                              Entropy (8bit):5.929554826924656
                                              Encrypted:false
                                              SSDEEP:192:Cg0rjUfwtW1+/FuZhS5CSJk/lhAW5kEW1QKPnEtObMacxc8hjeyveCXPX:5hC7mS53JkNSW5kEW1LXci2jpvJ
                                              MD5:278FD7595B580A016705D00BE363612F
                                              SHA1:89A299A9ABECB624C3606267371B7C07B74B3B26
                                              SHA-256:B3ECD3AEA74D0D97539C4971C69F87C4B5FE478FC42A4A31F7E1593D1EBA073F
                                              SHA-512:838D23D35D8D042A208E8FA88487CD1C72DA48F336157D03B9549DD55C75DA60A83F6DD2B3107EB3E5A24F3FAD70AE1629ACC563371711117C3C3E299B59D838
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):181054
                                              Entropy (8bit):4.962328655200384
                                              Encrypted:false
                                              SSDEEP:3072:7vykJ9MRJAwJjAXetBE1rRbe+KusGWqcJ2V:fJ
                                              MD5:89D66A0B94450729015D021BC8F859E9
                                              SHA1:C9AD4C7DCDAFEAD282DAA1C214E7A0EAB567FFD5
                                              SHA-256:6A1884515CC4378D732F681934658252A4B45D76CE7F53CF8650BE794CC8D390
                                              SHA-512:336A5B1CBF2F52DF5B151A564C8452826D253F9FC565C865D7BA37B91229996D9AE59603350BD5CD99352ED63D265D8578095560CB7DE67DA7E1AA2135FBF0FB
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (439), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):32962
                                              Entropy (8bit):4.366055142656104
                                              Encrypted:false
                                              SSDEEP:192:4cdsW0fwUrh+UgYUDQhGAtPN/2JWCTJSIQvPaLWL2C4oH/Drv:4cdszvrBgYUDQhF5N7IJSIQvkQfLH/Pv
                                              MD5:71DFD70AE141F1D5C1366CB661B354B2
                                              SHA1:C4B22590E6F6DD5D39E5158B831AE217CE17A776
                                              SHA-256:CCCDA55294AEB4AF166A8C0449BCA2189DDF5AA9A43D5E939DD3803E61738331
                                              SHA-512:5000D62F3DE41C3FB0ED8A8E9C37DBF4EB427C4F1E3AD3823D4716C6FE62250BAC11B7987A302B8A45D91AABCF332457F7AFF7D99F15EDEFFE540639E9440E8A
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):15192
                                              Entropy (8bit):5.9622226182057325
                                              Encrypted:false
                                              SSDEEP:192:Hpix6f+jYxzekdPKNS0N7gVCAMWpCeWRQKPnEtObMacxc8hjeyveCXmo+:3ibMj0lgRMWpCeWRLXci2jpv8o+
                                              MD5:FCFD69EC15A6897A940B0435439BF5FC
                                              SHA1:6DE41CABDB45294819FC003560F9A2D1E3DB9A7B
                                              SHA-256:90F377815E3C81FC9AE5F5B277257B82811417CA3FFEACD73BAB530061B3BE45
                                              SHA-512:4DC3580B372CEE1F4C01569BAEA8CD0A92BC613648DB22FF1855920E47387A151964B295A1126597B44BB0C596E8757B1FCF47CDA010F9BBB15A88F97F41B8BF
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):351492
                                              Entropy (8bit):4.844773730829239
                                              Encrypted:false
                                              SSDEEP:768:bNK7z5n/OLs3+lAB4HeqyOOZjYCrv1MT2hhO0kN9okLgd80UKdF8K8Zb4ajD/y9m:bI79kaIDUhOhQAUiK/9/MjZr
                                              MD5:8203E9FC25A5720AFB8C43E8BE10C3B0
                                              SHA1:FC7D9B452B6D5475FD1EF61B78E8BC6E32F08974
                                              SHA-256:0EBD62213F41DFFA0BCD939BDC6ABC25096E95112C217FDF27CE661A19AD0866
                                              SHA-512:F95DCB9C25436AE322C240A0D0ABD9F4904A5AF313CAC5CB8C90C1A5460DAD8E983347AD7540C672046E4210945B053B75313BB6D10B44B2A0BF0024B400E81E
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (634), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):40428
                                              Entropy (8bit):4.232828720335164
                                              Encrypted:false
                                              SSDEEP:384:4q0oG/2VrQa0inweNLvSli+CJA3aJW5cGUT3CT+v:DVFJl
                                              MD5:0EEB554D0B9F9FCDB22401E2532E9CD0
                                              SHA1:08799520B72A1EF92AC5B94A33509D1EDDF6CAF8
                                              SHA-256:BEEF0631C17A4FB1FF0B625C50C6CB6C8CE90A1AE62C5E60E14BF3D915AD509C
                                              SHA-512:2180E46A5A2EA1F59C879B729806CA02A232C66660F29C338C1FA7FBEE2AFA4B13D8777D1F7B63CF831EB42F3E55282D70AA8E53F40616B8A6E4D695C36E313D
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):18264
                                              Entropy (8bit):5.548909804205606
                                              Encrypted:false
                                              SSDEEP:192:eRBvnUfwVWBC623DV3SD1tt9WfXHT7nMsmxeW1QKPnEtObMacxc8hjeyveCXgFK1:e/C6+URiD1vwLoPeW1LXci2jpvaFHM
                                              MD5:7EF74AF6AB5760950A1D233C582099F1
                                              SHA1:BF79FF66346907446F4F95E1E785A03CA108EB5D
                                              SHA-256:658398F1B68D49ABD37FC3B438CD564992D4100ED2A0271CBF83173F33400928
                                              SHA-512:BBBB099AD24F41785706033962ACFC75039F583BEED40A7CDC8EDA366AB2C77F75A5B2792CF6AACB80B39B6B1BB84ECE372BE926FF3F51028FB404D2F6334D78
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):213363
                                              Entropy (8bit):4.934134633374225
                                              Encrypted:false
                                              SSDEEP:6144:D/fSz7yMsMyN1FyRtXSWS3SoSalsySMDS7SmSJ8SUSPsBa5IqDSySipSAS6ASGS+:pG
                                              MD5:5B95EFBC01DC97EE9A6C6F64A49AA62D
                                              SHA1:A99C984A0D5E316FE60D588A3519F2D5C805C1DE
                                              SHA-256:0CFACFF2B63121AD1D71376E4A3799B93B7E6D278209FE4806CCA0F74830CFC1
                                              SHA-512:A0B19864E68945A74BCE24C8D5EB0050ABB66C6FF6A53D0482FFA70E93EEE2957608BB9BDE535718D56CD5D7509B4DD7A1786C99BC2120344293234B7A6C2A3B
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (390), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):31138
                                              Entropy (8bit):4.240036868712424
                                              Encrypted:false
                                              SSDEEP:192:4Qn7cJwYTzOnyquEWTOAXUewfMcqQJywXk83GJPupIoxnb/2v:4Qn7cJxTC/uEWTfXUewiQJyoknJY9b+v
                                              MD5:52B1DC12CE4153AA759FB3BBE04D01FC
                                              SHA1:BF21F8591C473D1FCE68A9FAF1E5942F486F6EBA
                                              SHA-256:D1735C8CFD8E10BA019D70818C19FA865E7C72F30AB6421A3748408F85FB96C3
                                              SHA-512:418903AE9A7BAEBF73D055E4774FF1917FBAAB9EE7ED8C120C34BB10E7303F6DD7B7DAE701596D4626387A30AE1B4D329A9AF49B8718B360E2FF619C56C19623
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):14168
                                              Entropy (8bit):6.010838262457833
                                              Encrypted:false
                                              SSDEEP:192:rsLnUfwVWtTXjuQShyjK7tWUEW5IQKPnEtObMacxc8hjeyveCXMOV:4eCTFhMKZWUEW5ILXci2jpvP
                                              MD5:407CDB7E1C2C862B486CDE45F863AE6E
                                              SHA1:308AEEBEB1E1663ACA26CE880191F936D0E4E683
                                              SHA-256:9DD9D76B4EF71188B09F3D074CD98B2DE6EA741530E4EA19D539AE3F870E8326
                                              SHA-512:7B4F43FC24EB30C234F2713C493B3C13928C591C77A3017E8DD806A41CCFEDD53B0F748B5072052F8F9AC43236E8320B19D708903E3F06C59C6ED3C12722494E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):225202
                                              Entropy (8bit):4.985888615397263
                                              Encrypted:false
                                              SSDEEP:3072:0pvaMOA6EOEGJA7JDnbyiBTmAO3FQ31Rdz5Zq3Kho:6v+Ez0
                                              MD5:6E5BDDF58163B11C79577B35A87A4424
                                              SHA1:8AAA1008360F7B255A6A88AD02D3A00DEB8B0AE6
                                              SHA-256:D4A26E3756437CA8BA132AE3A73AA7A829478A847D6B9AB69A8090515CE9A60A
                                              SHA-512:21DD9D754C0A3A383F20259E87AA4769D6ECB36753039DCE8B644E16E0ABC3C94B4B850648E0369474C914655140E7F3CC3E808ED27E70892A863F61F8588C6E
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (616), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):40912
                                              Entropy (8bit):3.5296334743141515
                                              Encrypted:false
                                              SSDEEP:384:4fgA4Ukd+uYW1HCD1GO/tja2QDu7Jr++dP8z3AzOrv:tUZW1iDDdWCJi8Pg32Y
                                              MD5:5397A12D466D55D566B4209E0E4F92D3
                                              SHA1:FCFFD8961FB487995543FC173521FDF5DF6E243B
                                              SHA-256:F124D318138FF084B6484DEB354CCA0F72296E1341BF01169792B3E060C89E89
                                              SHA-512:7708F5A2AD3E4C90C4C216600435AF87A1557F60CAF880A3DD9B5F482E17399AF9F0B9DE03FF1DBDD210583E0FEC5B466E35794AC24D6D37F9BBC094E52FC77B
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):18776
                                              Entropy (8bit):5.182140892959793
                                              Encrypted:false
                                              SSDEEP:192:ZikgnUfwVWVCe8b1S2U85ZTYG1lmW+eWaQKPnEtObMacxc8hjXHUz1TrOYL18:Zlv6Lbg2zZTf1lmW+eWaLXci2jXHUx8
                                              MD5:B057315A8C04DF29B7E4FD2B257B75F4
                                              SHA1:D674D066DF8D1041599FCBDB3BA113600C67AE93
                                              SHA-256:51B174AE7EE02D8E84C152D812E35F140A61814F3AECD64E0514C3950060E9FE
                                              SHA-512:F1CD510182DE7BBF8D45068D1B3F72DE58C7B419EFC9768765DF6C180AB3E2D94F3C058143095A66C05BCB70B589D1A5061E5FEE566282E5DB49FFBDEA3C672F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):152458
                                              Entropy (8bit):5.013297113523102
                                              Encrypted:false
                                              SSDEEP:3072:4zkouwFDNSMUYugRJA8J/snalBEm0OgKXIJR10GZybh2U:4zDNIYt
                                              MD5:A920D4F55EAE5FEBAB1082AB2BCC2439
                                              SHA1:CBD631427871B620E9C95417788BFCDD1CD0A2A5
                                              SHA-256:2FFF2122C4D176E074365775227D4208AF48F2F921BE7623EDC315CD345ACF0B
                                              SHA-512:28135FBD9D940F0DEEC7A059AB2998B034575CC5D6DD31B1BE501B60689860478B0A0AB5183C69B2ACBBB9C1A074BBAA215960B3FACC6A9A3B0170E27E7B2B47
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):16118
                                              Entropy (8bit):3.6434775915277604
                                              Encrypted:false
                                              SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                                              MD5:CD131D41791A543CC6F6ED1EA5BD257C
                                              SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
                                              SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
                                              SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 13 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                              Category:dropped
                                              Size (bytes):88533
                                              Entropy (8bit):7.210526848639953
                                              Encrypted:false
                                              SSDEEP:1536:xWayqxMQP8ZOs0JOG58d8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdb:e/gB4H8vo2no0/aX7C7Dct
                                              MD5:F9657D290048E169FFABBBB9C7412BE0
                                              SHA1:E45531D559C38825FBDE6F25A82A638184130754
                                              SHA-256:B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
                                              SHA-512:8B93E898148EB8A751BC5E4135EFB36E3AC65AF34EAAC4EA401F1236A2973F003F84B5CFD1BBEE5E43208491AA1B63C428B64E52F7591D79329B474361547268
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                              Category:dropped
                                              Size (bytes):1150
                                              Entropy (8bit):4.923507556620034
                                              Encrypted:false
                                              SSDEEP:24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAh:MjNyw/0NW9DOp/ANC
                                              MD5:7E55DDC6D611176E697D01C90A1212CF
                                              SHA1:E2620DA05B8E4E2360DA579A7BE32C1B225DEB1B
                                              SHA-256:FF542E32330B123486797B410621E19EAFB39DF3997E14701AFA4C22096520ED
                                              SHA-512:283D381AA396820B7E15768B20099D67688DA1F6315EC9F7938C2FCC3167777502CDED0D1BEDDF015A34CC4E5D045BCB665FFD28BA2FBB6FAF50FDD38B31D16E
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.5118974066097444
                                              Encrypted:false
                                              SSDEEP:6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+Wvtjlpr:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5c
                                              MD5:26A00597735C5F504CF8B3E7E9A7A4C1
                                              SHA1:D913CB26128D5CA1E1AC3DAB782DE363C9B89934
                                              SHA-256:37026C4EA2182D7908B3CF0CEF8A6F72BDDCA5F1CFBC702F35B569AD689CF0AF
                                              SHA-512:08CEFC5A2B625F261668F70CC9E1536DC4878D332792C751884526E49E7FEE1ECFA6FCCFDDF7BE80910393421CC088C0FD0B0C27C7A7EFF2AE03719E06022FDF
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.5178766234336925
                                              Encrypted:false
                                              SSDEEP:12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5c:Md5EaxWbh/Cnt4
                                              MD5:8419CAA81F2377E09B7F2F6218E505AE
                                              SHA1:2CF5AD8C8DA4F1A38AAB433673F4DDDC7AE380E9
                                              SHA-256:DB89D8A45C369303C04988322B2774D2C7888DA5250B4DAB2846DEEF58A7DE22
                                              SHA-512:74E504D2C3A8E82925110B7CFB45FDE8A4E6DF53A188E47CF22D664CBB805EBA749D2DB23456FC43A86E57C810BC3D9166E7C72468FBD736DA6A776F8CA015D1
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.5189797450574103
                                              Encrypted:false
                                              SSDEEP:12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5c:1gxPbXlBQ+gr1ffO4
                                              MD5:924FD539523541D42DAD43290E6C0DB5
                                              SHA1:19A161531A2C9DBC443B0F41B97CBDE7375B8983
                                              SHA-256:02A7FE932029C6FA24D1C7CC06D08A27E84F43A0CBC47B7C43CAC59424B3D1F6
                                              SHA-512:86A4C5D981370EFA20183CC4A52C221467692E91539AC38C8DEF1CC200140F6F3D9412B6E62FAF08CA6668DF401D8B842C61B1F3C2A4C4570F3B2CEC79C9EE8B
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.5119705312617957
                                              Encrypted:false
                                              SSDEEP:6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5c:p///FPwxUrMunUofRReFNHRp5c
                                              MD5:BB55B5086A9DA3097FB216C065D15709
                                              SHA1:1206C708BD08231961F17DA3D604A8956ADDCCFE
                                              SHA-256:8D82FF7970C9A67DA8134686560FE3A6C986A160CED9D1CC1392F2BA75C698AB
                                              SHA-512:DE9226064680DA6696976A4A320E08C41F73D127FBB81BF142048996DF6206DDB1C2FE347C483CC8E0E50A00DAB33DB9261D03F1CD7CA757F5CA7BB84865FCA9
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.5083713071878764
                                              Encrypted:false
                                              SSDEEP:6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5c:pXBHehqSayIylrtBg/bk4AgzHRp5c
                                              MD5:3B4861F93B465D724C60670B64FCCFCF
                                              SHA1:C672D63C62E00E24FBB40DA96A0CC45B7C5EF7F0
                                              SHA-256:7237051D9AF5DB972A1FECF0B35CD8E9021471740782B0DBF60D3801DC9F5F75
                                              SHA-512:2E798B0C9E80F639571525F39C2F50838D5244EEDA29B18A1FAE6C15D939D5C8CD29F6785D234B54BDA843A645D1A95C7339707991A81946B51F7E8D5ED40D2C
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.5043420982993396
                                              Encrypted:false
                                              SSDEEP:12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5c:tZ/u+HeilBh/F+Rd4
                                              MD5:70006BF18A39D258012875AEFB92A3D1
                                              SHA1:B47788F3F8C5C305982EB1D0E91C675EE02C7BEB
                                              SHA-256:19ABCEDF93D790E19FB3379CB3B46371D3CBFF48FE7E63F4FDCC2AC23A9943E4
                                              SHA-512:97FDBDD6EFADBFB08161D8546299952470228A042BD2090CD49896BC31CCB7C73DAB8F9DE50CDAF6459F7F5C14206AF7B90016DEEB1220943D61C7324541FE2C
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.4948009720290445
                                              Encrypted:false
                                              SSDEEP:6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5c:p8os0iieX8iNVHX//x2sHYdoHRp5c
                                              MD5:FB4DFEBE83F554FAF1A5CEC033A804D9
                                              SHA1:6C9E509A5D1D1B8D495BBC8F57387E1E7E193333
                                              SHA-256:4F46A9896DE23A92D2B5F963BCFB3237C3E85DA05B8F7660641B3D1D5AFAAE6F
                                              SHA-512:3CAEB21177685B9054B64DEC997371C4193458FF8607BCE67E4FBE72C4AF0E6808D344DD0D59D3D0F5CE00E4C2B8A4FFCA0F7D9352B0014B9259D76D7F03D404
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.513882730304912
                                              Encrypted:false
                                              SSDEEP:12:pPv1OuTerb53mpOBfXjQuZfKWpIXE1D6HRp5c:91OEerb53eUQsflpIP4
                                              MD5:D1C53003264DCE4EFFAF462C807E2D96
                                              SHA1:92562AD5876A5D0CB35E2D6736B635CB5F5A91D9
                                              SHA-256:5FB03593071A99C7B3803FE8424520B8B548B031D02F2A86E8F5412AC519723C
                                              SHA-512:C34F8C05A50DC0DE644D1F9D97696CDB0A1961C7C7E412EB3DF2FD57BBD34199CF802962CA6A4B5445A317D9C7875E86E8E62F6C1DF8CC3415AFC0BD26E285BD
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                              Category:dropped
                                              Size (bytes):1150
                                              Entropy (8bit):4.824239610266714
                                              Encrypted:false
                                              SSDEEP:24:Br5ckw0Pce/WPv42lPpJ2/BatY9Y4ollEKeKzn:h6kPccWPQS2UtEYFEKeu
                                              MD5:7D62E82D960A938C98DA02B1D5201BD5
                                              SHA1:194E96B0440BF8631887E5E9D3CC485F8E90FBF5
                                              SHA-256:AE041C8764F56FD89277B34982145D16FC59A4754D261C861B19371C3271C6E5
                                              SHA-512:AB06B2605F0C1F6B71EF69563C0C977D06C6EA84D58EF7F2BAECBA566D6037D1458C2B58E6BFD70DDEF47DCCBDEA6D9C2F2E46DEA67EA9E92457F754D7042F67
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 12 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                              Category:dropped
                                              Size (bytes):36710
                                              Entropy (8bit):5.3785085024370805
                                              Encrypted:false
                                              SSDEEP:384:IXcWz9GU46B4riEzg8CKcqxkk63gBh6wSphnBcI/ObMFp2rOebgcjTQcho:IMWQ2Bf8qqxMQP8pc4XessTJo
                                              MD5:3D25D679E0FF0B8C94273DCD8B07049D
                                              SHA1:A517FC5E96BC68A02A44093673EE7E076AD57308
                                              SHA-256:288E9AD8F0201E45BC187839F15ACA79D6B9F76A7D3C9274C80F5D4A4C219C0F
                                              SHA-512:3BDE668004CA7E28390862D0AE9903C756C16255BDBB3F7E73A5B093CE6A57A3165D6797B0A643B254493149231ACA7F7F03E0AF15A0CBE28AFF02F0071EC255
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                              Category:dropped
                                              Size (bytes):1150
                                              Entropy (8bit):5.038533294442847
                                              Encrypted:false
                                              SSDEEP:24:MuoBP5lj49s9NRDe4LakKcTM8cv99uGzMN:MlFH3/Ri4LaN3q
                                              MD5:661CBD315E9B23BA1CA19EDAB978F478
                                              SHA1:605685C25D486C89F872296583E1DC2F20465A2B
                                              SHA-256:8BFC77C6D0F27F3D0625A884E0714698ACC0094A92ADCB6DE46990735AE8F14D
                                              SHA-512:802CC019F07FD3B78FCEFDC8404B3BEB5D17BFC31BDED90D42325A138762CC9F9EBFD1B170EC4BBCCCF9B99773BD6C8916F2C799C54B22FF6D5EDD9F388A67C6
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                              Category:dropped
                                              Size (bytes):1150
                                              Entropy (8bit):5.854644771288791
                                              Encrypted:false
                                              SSDEEP:24:u2iVNINssNQhYMEyfCHWZZ7rTRrbWjcyuE:uDW871fdZ1lbWjME
                                              MD5:EE2C05CC9D14C29F586D40EB90C610A9
                                              SHA1:E571D82E81BD61B8FE4C9ECD08869A07918AC00B
                                              SHA-256:3C9C71950857DDB82BAAB83ED70C496DEE8F20F3BC3216583DC1DDDA68AEFC73
                                              SHA-512:0F38FE9C97F2518186D5147D2C4A786B352FCECA234410A94CC9D120974FC4BE873E39956E10374DA6E8E546AEA5689E7FA0BEED025687547C430E6CEFFABFFB
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                              Category:dropped
                                              Size (bytes):10134
                                              Entropy (8bit):6.016582854640062
                                              Encrypted:false
                                              SSDEEP:96:uC1kqWje1S/f1AXa0w+2ZM4xD02EuZkULqcA0zjrpthQ2Ngms9+LmODclhpjdfLt:JkqAFqroMS9lD9Ngr9+m7bxpXHT5ToYR
                                              MD5:5DFA8D3ABCF4962D9EC41CFC7C0F75E3
                                              SHA1:4196B0878C6C66B6FA260AB765A0E79F7AEC0D24
                                              SHA-256:B499E1B21091B539D4906E45B6FDF490D5445256B72871AECE2F5B2562C11793
                                              SHA-512:69A13D4348384F134BA93C9A846C6760B342E3A7A2E9DF9C7062088105AC0B77B8A524F179EFB1724C0CE168E01BA8BB46F2D6FAE39CABE32CAB9A34FC293E4A
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                              Category:dropped
                                              Size (bytes):10134
                                              Entropy (8bit):4.3821301214809045
                                              Encrypted:false
                                              SSDEEP:192:USAk9ODMuYKFfmiMyT4dvsZQl+g8DnPUmXtDV3EgTtc:r9wM7pyEBlcgssmXpVUgJc
                                              MD5:B2B1D79591FCA103959806A4BF27D036
                                              SHA1:481FD13A0B58299C41B3E705CB085C533038CAF5
                                              SHA-256:FE4D06C318701BF0842D4B87D1BAD284C553BAF7A40987A7451338099D840A11
                                              SHA-512:5FE232415A39E0055ABB5250B120CCDCD565AB102AA602A3083D4A4705AC6775D45E1EF0C2B787B3252232E9D4673FC3A77AAB19EC79A3FF8B13C4D7094530D2
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (314), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8968
                                              Entropy (8bit):3.5907064103424333
                                              Encrypted:false
                                              SSDEEP:192:gCwdBdVv3CL021BqG2ahBCw2G2X2BCEj2G2KQ6G2nCw+KFl:kRPGiGPKGPGYCrKFl
                                              MD5:66590F13F4C9BA563A9180BDF25A5B80
                                              SHA1:D6D9146FAEEC7824B8A09DD6978E5921CC151906
                                              SHA-256:BF787B8C697CE418F9D4C07260F56D1145CA70DB1CC4B1321D37840837621E8F
                                              SHA-512:ABA67C66C2F3D9B3C9D71D64511895F15F696BE8BE0EEDD2D6908E1203C4B0CF318B366F9F3CD9C3B3B8C0770462F83E6EEA73E304C43F88D0CBEDF69E7C92B3
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="utf-16"?>..<Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im" SetupVersion="1.0">..  <UI Dll="SetupUi.dll" Name="Microsoft Visual C++ 2010  x86 Redistributable Setup" Version="10.0.30319" />..  <Configuration>..    <DisabledCommandLineSwitches>..      <CommandLineSwitch Name="createlayout" />..    </DisabledCommandLineSwitches>..    <UserExperienceDataCollection Policy="UserControlled" />..
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):78152
                                              Entropy (8bit):6.011592088917562
                                              Encrypted:false
                                              SSDEEP:1536:sYNItbBL5NWiiESc0exWZnqxMQP8ZOs0JD9rHUq:sYNAB9NWTZctc/gBJ9oq
                                              MD5:006F8A615020A4A17F5E63801485DF46
                                              SHA1:78C82A80EBF9C8BF0C996DD8BC26087679F77FEA
                                              SHA-256:D273460AA4D42F0B5764383E2AB852AB9AF6FECB3ED866F1783869F2F155D8BE
                                              SHA-512:C603ED6F3611EB7049A43A190ED223445A9F7BD5651100A825917198B50C70011E950FA968D3019439AFA0A416752517B1C181EE9445E02DA3904F4E4B73CE76
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):807256
                                              Entropy (8bit):6.357664904941565
                                              Encrypted:false
                                              SSDEEP:24576:GS62nlYAqK/AitUgiuVQk/oifPNJIkjbSTzR8NmsBJj:GS62nlYAltBjPNJIkHST18QsBJ
                                              MD5:84C1DAF5F30FF99895ECAB3A55354BCF
                                              SHA1:7E25BA36BCC7DEED89F3C9568016DDB3156C9C5A
                                              SHA-256:7A0D281FA802D615EA1207BD2E9EBB98F3B74F9833BBA3CB964BA7C7E0FB67FD
                                              SHA-512:E4FB7E4D39F094463FDCDC4895AB2EA500EB51A32B6909CEC80A526BBF34D5C0EB98F47EE256C0F0865BF3169374937F047BF5C4D6762779C8CA3332B4103BE3
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):295248
                                              Entropy (8bit):6.262127887617593
                                              Encrypted:false
                                              SSDEEP:3072:/LTVUK59JN+C0iy4Ww8oBcPFIOrvHvr8QDZHAAKWiIHT6llN1QkvQZaiionv5y/y:HOoMFrz8ygAKWiiIyKf73w
                                              MD5:EB881E3DDDC84B20BD92ABCEC444455F
                                              SHA1:E2C32B1C86D4F70E39DE65E9EBC4F361B24FF4A1
                                              SHA-256:11565D97287C01D22AD2E46C78D8A822FA3E6524561D4C02DFC87E8D346C44E7
                                              SHA-512:5750CEC73B36A3F19BFB055F880F3B6498A7AE589017333F6272D26F1C72C6F475A3308826268A098372BBB096B43FBD1E06E93EECC0A81046668228BC179A75
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, ASCII text, with very long lines (335), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):30120
                                              Entropy (8bit):4.990211039591874
                                              Encrypted:false
                                              SSDEEP:768:hlzLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMC:1wchT+cxcDm
                                              MD5:2FADD9E618EFF8175F2A6E8B95C0CACC
                                              SHA1:9AB1710A217D15B192188B19467932D947B0A4F8
                                              SHA-256:222211E8F512EDF97D78BC93E1F271C922D5E91FA899E092B4A096776A704093
                                              SHA-512:A3A934A8572FF9208D38CF381649BD83DE227C44B735489FD2A9DC5A636EAD9BB62459C9460EE53F61F0587A494877CD3A3C2611997BE563F3137F8236FFC4CA
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema".. xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui".. xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui".. targetNamespace="http://schemas.microsoft.com/SetupUI/2008/01/imui".. elementFormDefault="qualified"..attributeFormDefault="unqualified"..>.... <xs:annotation>.. <xs:documentation>.. Copyright (c) Microsoft Corporation. All rights reserved... Schema for describing DevDiv "Setup UI Info".. </xs:documentation>.. </xs:annotation>.... <xs:element name="SetupUI">.. <xs:annotation>.. <xs:documentation>specifies UI dll, and lists of MSIs MSPs and EXEs</xs:documentation>.. </xs:annotation>.. <xs:complexType>.. <xs:sequence>.. <xs:choice>.. <xs:element ref="UI" minOccurs="1" maxOccurs="1"></xs:element>.. <xs:element ref="Strings" minOccurs="1" maxOccurs="1"></xs:element>..
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PC bitmap, Windows 3.x format, 200 x 200 x 8, image size 40000, resolution 3779 x 3779 px/m, cbSize 41078, bits offset 1078
                                              Category:dropped
                                              Size (bytes):41078
                                              Entropy (8bit):0.3169962482036715
                                              Encrypted:false
                                              SSDEEP:24:SgrNa0EfB4elU+jB+rQXJH4+Cs77hIfVHCv4ToqIzgPc8wcKHL+3:3pa0e4YjB5vAHk4E7zgPcDc53
                                              MD5:43B254D97B4FB6F9974AD3F935762C55
                                              SHA1:F94D150C94064893DAED0E5BBD348998CA9D4E62
                                              SHA-256:91A21EBA9F5E1674919EE3B36EFA99714CFB919491423D888CB56C0F25845969
                                              SHA-512:46527C88F0AED25D89833B9BE280F5E25FFCEAE6BC0653054C8B6D8EBE34EBA58818A0A02A72BD29279310186AC26D522BBF34191FBDE279A269FC9DA5840ACC
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):14246
                                              Entropy (8bit):3.70170676934679
                                              Encrypted:false
                                              SSDEEP:384:VAZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+F:VAB
                                              MD5:332ADF643747297B9BFA9527EAEFE084
                                              SHA1:670F933D778ECA39938A515A39106551185205E9
                                              SHA-256:E49545FEEAE22198728AD04236E31E02035AF7CC4D68E10CBECFFD08669CBECA
                                              SHA-512:BEA95CE35C4C37B4B2E36CC1E81FC297CC4A8E17B93F10423A02B015DDB593064541B5EB7003560FBEEE512ED52869A113A6FB439C1133AF01F884A0DB0344B0
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="utf-16"?>..<SetupUI xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui" ..         xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui" >..  <Strings>..    <!-- Reflective property page -->..    <IDS_CAPTION_FORMAT_1S>#(loc.ids_caption_format_1s)</IDS_CAPTION_FORMAT_1S>..    <IDS_IS_REALLY_CANCEL>#(loc.ids_is_really_cancel)</IDS_IS_REALLY_CANCEL>....    <!-- System Requirements page -->..    <SYSREQPAGE_REQUIRED_AND_AVAILABLE_DISK_SPACE>#(loc.sysreq
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):36342
                                              Entropy (8bit):3.0937266645670003
                                              Encrypted:false
                                              SSDEEP:768:S4UR0d5v0SguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcOdOjT5fuPkfuS:S4UR0d5v0QYQLIN/6Fmhvk71sO0Nep3q
                                              MD5:812F8D2E53F076366FA3A214BB4CF558
                                              SHA1:35AE734CFB99BB139906B5F4E8EFBF950762F6F0
                                              SHA-256:0D36A884A8381778BEA71F5F9F0FC60CACADEBD3F814679CB13414B8E7DBC283
                                              SHA-512:1DCC3EF8C390CA49FBCD50C02ACCD8CC5700DB3594428E2129F79FEB81E4CBBEEF1B4A10628B2CD66EDF31A69ED39CA2F4E252AD8AA13D2F793FCA5B9A1EAF23
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="utf-16"?>..<SetupUI xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui" xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui" >..  <UI>....    <ResourceDll>SetupResources.dll</ResourceDll>..    <SplashScreen>..      <Hide/>..    </SplashScreen>....    <LCIDHints>..      <LCIDHint>..        <RegKey>HKCU\Software\Microsoft\VisualStudio\9.0\General</RegKey>..        <RegValueName>UILanguage_fake</RegValueName>..      </LCIDHint>..      <LCIDHint>..
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PC bitmap, Windows 3.x format, 49 x 49 x 24, image size 7254, resolution 2834 x 2834 px/m, cbSize 7308, bits offset 54
                                              Category:dropped
                                              Size (bytes):7308
                                              Entropy (8bit):3.7864255453272464
                                              Encrypted:false
                                              SSDEEP:48:9L9GXidTgX2bqxIS0SRosEYYgJSIf4pKTg7pDdEAeObh8EWu:R/Y2bq10Q/EY1sK8M4bb
                                              MD5:3AD1A8C3B96993BCDF45244BE2C00EEF
                                              SHA1:308F98E199F74A43D325115A8E7072D5F2C6202D
                                              SHA-256:133B86A4F1C67A159167489FDAEAB765BFA1050C23A7AE6D5C517188FB45F94A
                                              SHA-512:133442C4A65269F817675ADF01ADCF622E509AA7EC7583BCA8CD9A7EB6018D2AAB56066054F75657038EFB947CD3B3E5DC4FE7F0863C8B3B1770A8FA4FE2E658
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):144416
                                              Entropy (8bit):6.7404750879679485
                                              Encrypted:false
                                              SSDEEP:3072:uochw/MFWrJjKOMxRSepuBaqn/NlnBh2Lx0JVzx1wWobn1ek8F7HncO5hK9YSHlN:zDFB47UhXBh2yJ5HcOSSSHZqG
                                              MD5:3F0363B40376047EFF6A9B97D633B750
                                              SHA1:4EAF6650ECA5CE931EE771181B04263C536A948B
                                              SHA-256:BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C
                                              SHA-512:537BE86E2F171E0B2B9F462AC7F62C4342BEB5D00B68451228F28677D26A525014758672466AD15ED1FD073BE38142DAE478DF67718908EAE9E6266359E1F9E8
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Microsoft Cabinet archive data, 4186145 bytes, 19 files, at 0x44 +A "F_CENTRAL_atl100_x86" +A "F_CENTRAL_mfc100_x86", flags 0x4, number 1, extra bytes 20 in head, 354 datablocks, 0x1503 compression
                                              Category:dropped
                                              Size (bytes):4192089
                                              Entropy (8bit):7.999755784501758
                                              Encrypted:true
                                              SSDEEP:98304:YHgT57PlfosWFk9TRxWCP/kbNfS2g92D7epPC1txsBDDfifN7wVH:YHmPxFik99xlnANfcM3YDIN7YH
                                              MD5:6C59FECF51931FB4540E571AE0310098
                                              SHA1:DB5B0E9F7D20D2B1CCD61320ECCA7A60E118619B
                                              SHA-256:08E4D5BAD48C0203FDF02FDC28794F820DFB1D4480BDCAC562E7BC6E15FFAAD3
                                              SHA-512:D9CC7C6EF54105C981AACAAFDE890019AF766B53417E765FA7636C3B8A4400CE6F987CCEF1A54B4521412A8E45C011476C065CEBC892688AEED1B027E3E761BA
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319., Template: Intel;0, Revision Number: {F035AD1C-45C3-4166-865F-C2F7CD4958B1}, Create Time/Date: Fri Mar 19 16:11:58 2010, Last Saved Time/Date: Fri Mar 19 16:11:58 2010, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 2, Number of Words: 2
                                              Category:dropped
                                              Size (bytes):155136
                                              Entropy (8bit):6.337010677866242
                                              Encrypted:false
                                              SSDEEP:3072:sMf8zRfPfe6Ss7xJjc769oH12dwGNdJK0+E4mN2EKK995:ERHfeps7xRrldw7I
                                              MD5:CD2B99BB86BA6A499110C72B78B9324E
                                              SHA1:7A288418B36E681093B33DC169E4D27C2EE33EDD
                                              SHA-256:41F6B61E0C070C86E32D8777629DFC8E860848865FEFA0BA7D69E9FEF0A3B174
                                              SHA-512:17174B8F0186F05BE1E20215AAFD64797EC4F831A0D3E0E97ADE3F0A25CB6F78D1D8BF568DFEA1B2DE2ADD3A9D64AAA5B4319F7927301D5D73BBAB1B0EAAE3D5
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PC bitmap, Windows 3.x format, 164 x 628 x 24, image size 308978, resolution 2834 x 2834 px/m, cbSize 309032, bits offset 54
                                              Category:dropped
                                              Size (bytes):309032
                                              Entropy (8bit):6.583379857106919
                                              Encrypted:false
                                              SSDEEP:3072:yUDLmozgtuVYKKKvwUbKh5+/uWLspp2e1jSaMsb1bIZU0g0WQbO//QGVYBtGKQgc:yUDLmozvygKjzbIGgBZBkUfDfc
                                              MD5:1A5CAAFACFC8C7766E404D019249CF67
                                              SHA1:35D4878DB63059A0F25899F4BE00B41F430389BF
                                              SHA-256:2E87D5742413254DB10F7BD0762B6CDB98FF9C46CA9ACDDFD9B1C2E5418638F2
                                              SHA-512:202C13DED002D234117F08B18CA80D603246E6A166E18BA422E30D394ADA7E47153DD3CCE9728AFFE97128FDD797FE6302C74DC6882317E2BA254C8A6DB80F46
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):788
                                              Entropy (8bit):0.09823380614560741
                                              Encrypted:false
                                              SSDEEP:3:lbll/:lB
                                              MD5:DF7119A5D3CAEDA80BF0FB6F8E53DE8F
                                              SHA1:76458E1D2E0FA4519FACB71A5F23F8799713BE2B
                                              SHA-256:3C418A401CBE09F64EDE6E598C5CA36717830446147C8EF6327168EDC7B1CB0C
                                              SHA-512:85142D1942111783303FA060348BC76B1DD361336DCCC9DC9CDD3432EC6CF215756CBA66A367E560C9D5719BA4F585434319A66D9A97D9A09F5AC4A752B00B6C
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (388), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):30672
                                              Entropy (8bit):4.2936704552740705
                                              Encrypted:false
                                              SSDEEP:384:4Y6C7xfsxMEYgPNRAsy50keJzH7o3oDPnv:MxLJz7
                                              MD5:7FC06A77D9AAFCA9FB19FAFA0F919100
                                              SHA1:E565740E7D582CD73F8D3B12DE2F4579FF18BB41
                                              SHA-256:A27F809211EA1A2D5224CD01101AA3A59BF7853168E45DE28A16EF7ED6ACD46A
                                              SHA-512:466DCC6A5FB015BE1619F5725FA62CA46EB0FB428E11F93FD9D82E5DF61C3950B3FB62D4DB7746CC4A2BE199E5E69EAA30B6F3354E0017CFA14D127FAD52F8CF
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P.[..z._.... .x.6.4. .s^.S..!q.l.[.(W...Ps^.S.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P.[..z._.... .I.A.6.4. .s^.S..!q.l.[.(W...Ps^.S.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.S.u.p.p.o.r.t.e.d.O.S.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P\Omi.|q}.N/e.c .M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.0. ..SI.ce|vWY.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c.
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):14168
                                              Entropy (8bit):5.9724110685335825
                                              Encrypted:false
                                              SSDEEP:192:fc2+tUfwZWPl53LmlVlSW1g+/axw0lczWpXEWUQKPnEtObMacxc8hjeyveCXzHbk:hzuwLmlCW1g+/kmzWpXEWULXci2jpv3e
                                              MD5:7C136B92983CEC25F85336056E45F3E8
                                              SHA1:0BB527E7004601E920E2AAC467518126E5352618
                                              SHA-256:F2E8CA58FA8D8E694D04E14404DEC4E8EA5F231D3F2E5C2F915BD7914849EB2B
                                              SHA-512:06DA50DDB2C5F83E6E4B4313CBDAE14EED227EEC85F94024A185C2D7F535B6A68E79337557727B2B40A39739C66D526968AAEDBCFEF04DAB09DC0426CFBEFBF4
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):188446
                                              Entropy (8bit):4.98936861773382
                                              Encrypted:false
                                              SSDEEP:3072:vjB8N7T+SN6FY5PmQlivKawlrIMUkYfkv8CshgJNgRJAoJvIrOJBElrhzxQXK6uG:o7SSN6FYtmQlivKawlrIMUkYfkv8Cs4U
                                              MD5:129D8E8824B0D545ADC29E571A6E2C02
                                              SHA1:5A1DDFCD2AE21D96C818D315CB5E263F525A39CD
                                              SHA-256:83B8268E2874699227F9B1AD3F72A06CBF474EFA3983F5C5EE9BFE415DB98476
                                              SHA-512:1048F646D5866DC8736DB0A023A65A7E208A5F56774FA8EC5D59E4272A54A9A6E94B01B84293A7EC9F889BAD7865522E783AF30BF61BB9249687DCEAC62066D8
                                              Malicious:false
                                              Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch14\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt ?l?r ???fc};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}..{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ???????????????????????????\'a1\'ec???};}{\f14\fbidi \froman\fcharset136\fprq2{\*\panose 02020500000000000000}PMingLiU{\*\falt \'b7\'73\'b2\'d3\'a9\'fa\'c5\'e9};}..{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math{\*\fa
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (615), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):41622
                                              Entropy (8bit):3.577523249714746
                                              Encrypted:false
                                              SSDEEP:384:4nF+jpoHnZi8oO0GOJ2+8q6OUjEYJL/ZiITrKv:V03XjZJL/YIy
                                              MD5:B83C3803712E61811C438F6E98790369
                                              SHA1:61A0BC59388786CED045ACD82621BEE8578CAE5A
                                              SHA-256:2AA6E8D402E44D9EE895B18195F46BF90259DE1B6F44EFD46A7075B110F2DCD6
                                              SHA-512:E020F93E3A082476087E690AD051F1FEB210E0915924BB4548CC9F53A7EE2760211890EB6036CE9E5E4A311ABC0300E89E25EFBBB894C2A621FFBC9D64CC8A38
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".D.i.e.s.e.s. .S.e.t.u.p.p.r.o.g.r.a.m.m. .e.r.f.o.r.d.e.r.t. .e.i.n.e. .x.6.4.-.P.l.a.t.t.f.o.r.m... .E.s. .k.a.n.n. .n.i.c.h.t. .a.u.f. .d.e.r. .P.l.a.t.t.f.o.r.m. .i.n.s.t.a.l.l.i.e.r.t. .w.e.r.d.e.n..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".D.i.e.s.e.s. .S.e.t.u.p.p.r.o.g.r.a.m.m. .e.r.f.o.r.d.e.r.t. .e.i.n.e. .I.A.6.4.-.P.l.a.t.t.f.o.r.m... .E.s. .k.a.n.n. .n.i.c.h.t. .a.u.f. .d.e.r. .P.l.a.t.t.f.o.r.m. .i.n.s.t.
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):18776
                                              Entropy (8bit):5.135663555520085
                                              Encrypted:false
                                              SSDEEP:384:lQ16m3rhGrcHN/USYvYVA9WKieW8bLXci2jXHU2Ze:lEhCSVYvYVAA+Mi2jXHU2A
                                              MD5:7C9AE49B3A400C728A55DD1CACC8FFB2
                                              SHA1:DD3A370F541010AD650F4F6AA42E0CFC68A00E66
                                              SHA-256:402C796FEBCD78ACE8F1C5975E39193CFF77F891CFF4D32F463F9A9C83806D4A
                                              SHA-512:D30FE9F78A49C533BE5C00D88B8C2E66A8DFAC6D1EAE94A230CD937F0893F6D4A0EECE59C1D2C3C8126FFA9A9648EC55A94E248CD8C7F9677F45C231F84F221B
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):163866
                                              Entropy (8bit):5.029712171633306
                                              Encrypted:false
                                              SSDEEP:3072:oiJ+vgRJA8J/snalBEm0OgKXIJR10GZybh2C:aQ
                                              MD5:117DABB5A055B09B6DB6BCBA8F911073
                                              SHA1:E8F5D907939400824CC5DADB681852C35CA7BB79
                                              SHA-256:DAEA9CD8151A2C24A87C3254DEC1DE0463234E44922C8E0AA4E01AB58EC89664
                                              SHA-512:E995D03998BE9F07F9E9B8566E429D3795ADBDEEEFB2048D6B8877CE15A0ABFCE4FAAEE8DC773250495C15CC35FD0040D81593B51067533836D5F3CF8612D3C4
                                              Malicious:false
                                              Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt ?l?r ???fc};}..{\f1\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}..{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}..{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ???????????????????????????\'a1\'ec???};}..{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math{\*\falt Calisto MT};}{\f38\fbidi \fswiss\fcharset0\fpr
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (565), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):39246
                                              Entropy (8bit):3.5443876937052083
                                              Encrypted:false
                                              SSDEEP:192:4kVKhG9aX0SDpI53/asO0KMv+VXxwVcPIv5COQu4SLbpmQVX5FB0zJOkue6Jjfz3:4MKhJkeZsdlNl9SJOkR6NXaxu
                                              MD5:D642E322D1E8B739510CA540F8E779F9
                                              SHA1:36279C76D9F34C09EBDDC84FD33FCC7D4B9A896C
                                              SHA-256:5D90345FF74E177F6DA8FB6459C1CFCAC080E698215CA75FEB130D0D1F2A76B9
                                              SHA-512:E1E16AE14BC7CC1608E1A08D3C92B6D0518B5FABD27F2C0EB514C87AFC3D6192BF7A793A583AFC65F1899F03DC419263B29174456E1EC9AB0F0110E0258E0F0D
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .x.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m...". ./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .I.A.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m...". ./.>..... . . . . . .<.T.e.x.t. .
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):17240
                                              Entropy (8bit):5.151474565875158
                                              Encrypted:false
                                              SSDEEP:192:byk5nUfwTW7JwWp0eW6jp8M+9HS8bC/TJs7kFkzQKPnEtObMacxc8hjeyveCXZBe:pgoTWp0eWB9ygC/TfFkzLXci2jpv8
                                              MD5:9547D24AC04B4D0D1DBF84F74F54FAF7
                                              SHA1:71AF6001C931C3DE7C98DDC337D89AB133FE48BB
                                              SHA-256:36D0159ED1A7D88000737E920375868765C0A1DD6F5A5ACBB79CF7D97D9E7A34
                                              SHA-512:8B6048F4185A711567679E2DE4789407077CE5BFE72102D3CB1F23051B8D3E6BFD5886C801D85B4E62F467DD12DA1C79026A4BC20B17F54C693B2F24E499D40F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                              Category:dropped
                                              Size (bytes):7080
                                              Entropy (8bit):4.934776172726828
                                              Encrypted:false
                                              SSDEEP:192:9fcddvfbS9u6zZ+kodpj4eQ1lhcgi5X90vJqpsSih2:y/fbSZ/odpjmlhcgi5NSkRA2
                                              MD5:19D028345AADCC05697EEC6D8C5B5874
                                              SHA1:70BD3D4D51373FB82F0257F28D5F3609BFC82520
                                              SHA-256:F4FF4EACE31B75176A0806E1693041D546D2599AEC0C77D295BAD09CAC7D9FE7
                                              SHA-512:9B3DFFEC7C1595197AF69E59094588541558BEF56982475DDDD2C9E3D75FC8B970B384452713632AE20435EC0CAEC6CC4CD8CEC9CD4B4809335FDC9F2CC7B842
                                              Malicious:false
                                              Preview:{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\froman\fprq2\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2508;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT SOFTWARE LICENSE TERMS\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT VISUAL C++ 2010 RUNTIME LIBRARIES\f1\par..\pard\nowidctlpar\sb120\sa120\b0\f0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft\f1\par..\pard\nowidctlpar\fi-360\li360\sb120\sa120\tx360\f2\'b7\tab\f0 updates,\f1\par..\f2\'b7\tab\f0 supplements,\f1\par..\f2\'b7\tab\f0 Internet-based services, and \f1\par..\f2\'b7\tab\f0 support services\f1\par.
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (619), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):41492
                                              Entropy (8bit):3.5522209001567364
                                              Encrypted:false
                                              SSDEEP:192:4GrYAOJoFbZZ0eQiFaD4EbJeiI5hJUPu2oBknXoFDYnZCoroUnAJJFHq20/kFR/0:4GZUoRZc5ryx2fHIJR0kbG52gjfVv
                                              MD5:E382ABC19294F779D2833287242E7BC6
                                              SHA1:1CEAE32D6B24A3832F9244F5791382865B668A72
                                              SHA-256:43F913FF28D677316F560A0F45221F35F27CFAF5FC5BD645974A82DCA589EDBF
                                              SHA-512:06054C8048CADE36A3AF54F9A07FD8FA5EB4F3228790996D2ABEA7EE1EE7EB563D46BD54FF97441F9610E778194082C44E66C5F566C9C50A042ABA9EB9CAE25E
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".C.e. .p.r.o.g.r.a.m.m.e. .d.'.i.n.s.t.a.l.l.a.t.i.o.n. .r.e.q.u.i.e.r.t. .u.n.e. .p.l.a.t.e.f.o.r.m.e. .x.6.4... .I.l. .n.e. .p.e.u.t. .p.a.s. ...t.r.e. .i.n.s.t.a.l.l... .s.u.r. .c.e.t.t.e. .p.l.a.t.e.f.o.r.m.e..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".C.e. .p.r.o.g.r.a.m.m.e. .d.'.i.n.s.t.a.l.l.a.t.i.o.n. .r.e.q.u.i.e.r.t. .u.n.e. .p.l.a.t.e.f.o.r.m.e. .I.A.6.4... .I.l. .n.e. .p.e.u.t. .p.a.s. ...t.r.e. .i.n.s.t.a.
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):18776
                                              Entropy (8bit):5.112489568342605
                                              Encrypted:false
                                              SSDEEP:384:J7Z66AY9li3OoDDkbiWpQeWELXci2jpv8:JffiZDgycMi2jpv8
                                              MD5:93F57216FE49E7E2A75844EDFCCC2E09
                                              SHA1:DCCD52787F147E9581D303A444C8EE134AFC61A8
                                              SHA-256:2506827219B461B7C6C862DAE29C8BFF8CB7F4A6C28D2FF60724CAC70903987D
                                              SHA-512:EADFFB534C5447C24B50C7DEFA5902F9EB2DCC4CF9AF8F43FA889B3367EA25DFA6EA87FF89C59F1B7BBF7106888F05C7134718021B44337AE5B7D1F808303BB1
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):162915
                                              Entropy (8bit):5.023428742885146
                                              Encrypted:false
                                              SSDEEP:3072:Xn6ipERiA7JzI3ilBEBr97dQnKG5zpZ27KN4:KiZ
                                              MD5:BBBBB0BDA00FDA985BB39FEE5FD04FF8
                                              SHA1:3053CF30FAD92F133AD3EA7EEFB8C729D323EA00
                                              SHA-256:3CB591E6801E91FE58E79449F7C99B88C3BA0ACE5D922B4AA0C8F2CDD81854BD
                                              SHA-512:32CC1B0F033B13D7614F8BD80DE4D3F9D4668632010BCB563E90773FB2F4971D19206C46B0C2B0E55308CA14F4DEAF5EB415DAE5F2C0C4331B5DF0AE44B2F61E
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (601), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):40338
                                              Entropy (8bit):3.5295538496820984
                                              Encrypted:false
                                              SSDEEP:384:4hZo3+Ma9e1JzNZNs4fneAEJ0o5H/PuRv:NaudsJ1u
                                              MD5:0AF948FE4142E34092F9DD47A4B8C275
                                              SHA1:B3D6DD5C126280398D9055F90E2C2C26DBAE4EAA
                                              SHA-256:C4C7C0DDAA6D6A3A1DC260E9C5A24BDFAA98C427C69E8A65427DD7CAC0A4B248
                                              SHA-512:D97B5FE2553CA78A3019D53E33D2DB80C9FA1CF1D8D2501D9DDF0576C7E6EA38DAB754FE4712123ABF34B97E10B18FB4BBD1C76D3DACB87B4682E501F93423D9
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):18264
                                              Entropy (8bit):5.142702232041524
                                              Encrypted:false
                                              SSDEEP:384:77n6Tg7AtONBKHno5hWXeWFLXci2jpvz2:7XAbs+ZMi2jpvz2
                                              MD5:E4860FC5D4C114D5C0781714F3BF041A
                                              SHA1:864CE88E8AB1DB9AFF6935F9231521B6B72D5974
                                              SHA-256:6B2D479D2D2B238EC1BA9D14F9A68DC552BC05DCBCC9007C7BB8BE66DEFC643B
                                              SHA-512:39B0A97C4E83D5CCA1CCCCE494831ADBC18DF1530C02E6A2C13DAE66150F66A7C987A26CECB5587EA71DD530C8BE1E46922FE8C65AE94145D90B0A057C06548D
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):189369
                                              Entropy (8bit):4.993456059906976
                                              Encrypted:false
                                              SSDEEP:3072:8K91dpBgRJA8J/snalBEm0OgKXIJR10GZybh2C:8aK
                                              MD5:F1602100F6C135AB5D8026E9248BAF02
                                              SHA1:DEBE92E8761F5320352DCFFE844FB25A10E9EA14
                                              SHA-256:284A8BBA438DA22A1B4F497B0B4ED1D9886184859527B87FF7350C83F198AB2D
                                              SHA-512:2A0FBEF3114B54EDB400D913D317A5097801834BEE0FB536B0FF645DD1CA40A1451945AD563119A5BA80F26B51CDA8B23E93BE71D7C82723AFEDE3CBF1DA00C6
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (440), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):34318
                                              Entropy (8bit):4.3825885013202255
                                              Encrypted:false
                                              SSDEEP:192:4OTOo45ZyAYcou3LDnmUjMFsrHZmxqJOXhNCGYHre3iR7v:4OTOoMhYcRaOXJ6koIv
                                              MD5:7FCFBC308B0C42DCBD8365BA62BADA05
                                              SHA1:18A0F0E89B36818C94DE0AD795CC593D0E3E29A9
                                              SHA-256:01E7D24DD8E00B5C333E96D1BB83813E02E96F89AAD0C2F28F84551D28ABBBE2
                                              SHA-512:CD6F912A037E86D9E1982C73F0F8B3C4D5A9A6B5B108A7B89A46E6691E430A7CB55718DE9A0C05650BB194C8D4A2E309AD6221D638CFCA8E16AA5920881BA649
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):15704
                                              Entropy (8bit):5.929554826924656
                                              Encrypted:false
                                              SSDEEP:192:Cg0rjUfwtW1+/FuZhS5CSJk/lhAW5kEW1QKPnEtObMacxc8hjeyveCXPX:5hC7mS53JkNSW5kEW1LXci2jpvJ
                                              MD5:278FD7595B580A016705D00BE363612F
                                              SHA1:89A299A9ABECB624C3606267371B7C07B74B3B26
                                              SHA-256:B3ECD3AEA74D0D97539C4971C69F87C4B5FE478FC42A4A31F7E1593D1EBA073F
                                              SHA-512:838D23D35D8D042A208E8FA88487CD1C72DA48F336157D03B9549DD55C75DA60A83F6DD2B3107EB3E5A24F3FAD70AE1629ACC563371711117C3C3E299B59D838
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):181054
                                              Entropy (8bit):4.962328655200384
                                              Encrypted:false
                                              SSDEEP:3072:7vykJ9MRJAwJjAXetBE1rRbe+KusGWqcJ2V:fJ
                                              MD5:89D66A0B94450729015D021BC8F859E9
                                              SHA1:C9AD4C7DCDAFEAD282DAA1C214E7A0EAB567FFD5
                                              SHA-256:6A1884515CC4378D732F681934658252A4B45D76CE7F53CF8650BE794CC8D390
                                              SHA-512:336A5B1CBF2F52DF5B151A564C8452826D253F9FC565C865D7BA37B91229996D9AE59603350BD5CD99352ED63D265D8578095560CB7DE67DA7E1AA2135FBF0FB
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (439), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):32962
                                              Entropy (8bit):4.366055142656104
                                              Encrypted:false
                                              SSDEEP:192:4cdsW0fwUrh+UgYUDQhGAtPN/2JWCTJSIQvPaLWL2C4oH/Drv:4cdszvrBgYUDQhF5N7IJSIQvkQfLH/Pv
                                              MD5:71DFD70AE141F1D5C1366CB661B354B2
                                              SHA1:C4B22590E6F6DD5D39E5158B831AE217CE17A776
                                              SHA-256:CCCDA55294AEB4AF166A8C0449BCA2189DDF5AA9A43D5E939DD3803E61738331
                                              SHA-512:5000D62F3DE41C3FB0ED8A8E9C37DBF4EB427C4F1E3AD3823D4716C6FE62250BAC11B7987A302B8A45D91AABCF332457F7AFF7D99F15EDEFFE540639E9440E8A
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):15192
                                              Entropy (8bit):5.9622226182057325
                                              Encrypted:false
                                              SSDEEP:192:Hpix6f+jYxzekdPKNS0N7gVCAMWpCeWRQKPnEtObMacxc8hjeyveCXmo+:3ibMj0lgRMWpCeWRLXci2jpv8o+
                                              MD5:FCFD69EC15A6897A940B0435439BF5FC
                                              SHA1:6DE41CABDB45294819FC003560F9A2D1E3DB9A7B
                                              SHA-256:90F377815E3C81FC9AE5F5B277257B82811417CA3FFEACD73BAB530061B3BE45
                                              SHA-512:4DC3580B372CEE1F4C01569BAEA8CD0A92BC613648DB22FF1855920E47387A151964B295A1126597B44BB0C596E8757B1FCF47CDA010F9BBB15A88F97F41B8BF
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):351492
                                              Entropy (8bit):4.844773730829239
                                              Encrypted:false
                                              SSDEEP:768:bNK7z5n/OLs3+lAB4HeqyOOZjYCrv1MT2hhO0kN9okLgd80UKdF8K8Zb4ajD/y9m:bI79kaIDUhOhQAUiK/9/MjZr
                                              MD5:8203E9FC25A5720AFB8C43E8BE10C3B0
                                              SHA1:FC7D9B452B6D5475FD1EF61B78E8BC6E32F08974
                                              SHA-256:0EBD62213F41DFFA0BCD939BDC6ABC25096E95112C217FDF27CE661A19AD0866
                                              SHA-512:F95DCB9C25436AE322C240A0D0ABD9F4904A5AF313CAC5CB8C90C1A5460DAD8E983347AD7540C672046E4210945B053B75313BB6D10B44B2A0BF0024B400E81E
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (634), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):40428
                                              Entropy (8bit):4.232828720335164
                                              Encrypted:false
                                              SSDEEP:384:4q0oG/2VrQa0inweNLvSli+CJA3aJW5cGUT3CT+v:DVFJl
                                              MD5:0EEB554D0B9F9FCDB22401E2532E9CD0
                                              SHA1:08799520B72A1EF92AC5B94A33509D1EDDF6CAF8
                                              SHA-256:BEEF0631C17A4FB1FF0B625C50C6CB6C8CE90A1AE62C5E60E14BF3D915AD509C
                                              SHA-512:2180E46A5A2EA1F59C879B729806CA02A232C66660F29C338C1FA7FBEE2AFA4B13D8777D1F7B63CF831EB42F3E55282D70AA8E53F40616B8A6E4D695C36E313D
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):18264
                                              Entropy (8bit):5.548909804205606
                                              Encrypted:false
                                              SSDEEP:192:eRBvnUfwVWBC623DV3SD1tt9WfXHT7nMsmxeW1QKPnEtObMacxc8hjeyveCXgFK1:e/C6+URiD1vwLoPeW1LXci2jpvaFHM
                                              MD5:7EF74AF6AB5760950A1D233C582099F1
                                              SHA1:BF79FF66346907446F4F95E1E785A03CA108EB5D
                                              SHA-256:658398F1B68D49ABD37FC3B438CD564992D4100ED2A0271CBF83173F33400928
                                              SHA-512:BBBB099AD24F41785706033962ACFC75039F583BEED40A7CDC8EDA366AB2C77F75A5B2792CF6AACB80B39B6B1BB84ECE372BE926FF3F51028FB404D2F6334D78
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):213363
                                              Entropy (8bit):4.934134633374225
                                              Encrypted:false
                                              SSDEEP:6144:D/fSz7yMsMyN1FyRtXSWS3SoSalsySMDS7SmSJ8SUSPsBa5IqDSySipSAS6ASGS+:pG
                                              MD5:5B95EFBC01DC97EE9A6C6F64A49AA62D
                                              SHA1:A99C984A0D5E316FE60D588A3519F2D5C805C1DE
                                              SHA-256:0CFACFF2B63121AD1D71376E4A3799B93B7E6D278209FE4806CCA0F74830CFC1
                                              SHA-512:A0B19864E68945A74BCE24C8D5EB0050ABB66C6FF6A53D0482FFA70E93EEE2957608BB9BDE535718D56CD5D7509B4DD7A1786C99BC2120344293234B7A6C2A3B
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (390), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):31138
                                              Entropy (8bit):4.240036868712424
                                              Encrypted:false
                                              SSDEEP:192:4Qn7cJwYTzOnyquEWTOAXUewfMcqQJywXk83GJPupIoxnb/2v:4Qn7cJxTC/uEWTfXUewiQJyoknJY9b+v
                                              MD5:52B1DC12CE4153AA759FB3BBE04D01FC
                                              SHA1:BF21F8591C473D1FCE68A9FAF1E5942F486F6EBA
                                              SHA-256:D1735C8CFD8E10BA019D70818C19FA865E7C72F30AB6421A3748408F85FB96C3
                                              SHA-512:418903AE9A7BAEBF73D055E4774FF1917FBAAB9EE7ED8C120C34BB10E7303F6DD7B7DAE701596D4626387A30AE1B4D329A9AF49B8718B360E2FF619C56C19623
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):14168
                                              Entropy (8bit):6.010838262457833
                                              Encrypted:false
                                              SSDEEP:192:rsLnUfwVWtTXjuQShyjK7tWUEW5IQKPnEtObMacxc8hjeyveCXMOV:4eCTFhMKZWUEW5ILXci2jpvP
                                              MD5:407CDB7E1C2C862B486CDE45F863AE6E
                                              SHA1:308AEEBEB1E1663ACA26CE880191F936D0E4E683
                                              SHA-256:9DD9D76B4EF71188B09F3D074CD98B2DE6EA741530E4EA19D539AE3F870E8326
                                              SHA-512:7B4F43FC24EB30C234F2713C493B3C13928C591C77A3017E8DD806A41CCFEDD53B0F748B5072052F8F9AC43236E8320B19D708903E3F06C59C6ED3C12722494E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):225202
                                              Entropy (8bit):4.985888615397263
                                              Encrypted:false
                                              SSDEEP:3072:0pvaMOA6EOEGJA7JDnbyiBTmAO3FQ31Rdz5Zq3Kho:6v+Ez0
                                              MD5:6E5BDDF58163B11C79577B35A87A4424
                                              SHA1:8AAA1008360F7B255A6A88AD02D3A00DEB8B0AE6
                                              SHA-256:D4A26E3756437CA8BA132AE3A73AA7A829478A847D6B9AB69A8090515CE9A60A
                                              SHA-512:21DD9D754C0A3A383F20259E87AA4769D6ECB36753039DCE8B644E16E0ABC3C94B4B850648E0369474C914655140E7F3CC3E808ED27E70892A863F61F8588C6E
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (616), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):40912
                                              Entropy (8bit):3.5296334743141515
                                              Encrypted:false
                                              SSDEEP:384:4fgA4Ukd+uYW1HCD1GO/tja2QDu7Jr++dP8z3AzOrv:tUZW1iDDdWCJi8Pg32Y
                                              MD5:5397A12D466D55D566B4209E0E4F92D3
                                              SHA1:FCFFD8961FB487995543FC173521FDF5DF6E243B
                                              SHA-256:F124D318138FF084B6484DEB354CCA0F72296E1341BF01169792B3E060C89E89
                                              SHA-512:7708F5A2AD3E4C90C4C216600435AF87A1557F60CAF880A3DD9B5F482E17399AF9F0B9DE03FF1DBDD210583E0FEC5B466E35794AC24D6D37F9BBC094E52FC77B
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):18776
                                              Entropy (8bit):5.182140892959793
                                              Encrypted:false
                                              SSDEEP:192:ZikgnUfwVWVCe8b1S2U85ZTYG1lmW+eWaQKPnEtObMacxc8hjXHUz1TrOYL18:Zlv6Lbg2zZTf1lmW+eWaLXci2jXHUx8
                                              MD5:B057315A8C04DF29B7E4FD2B257B75F4
                                              SHA1:D674D066DF8D1041599FCBDB3BA113600C67AE93
                                              SHA-256:51B174AE7EE02D8E84C152D812E35F140A61814F3AECD64E0514C3950060E9FE
                                              SHA-512:F1CD510182DE7BBF8D45068D1B3F72DE58C7B419EFC9768765DF6C180AB3E2D94F3C058143095A66C05BCB70B589D1A5061E5FEE566282E5DB49FFBDEA3C672F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                              Category:dropped
                                              Size (bytes):152458
                                              Entropy (8bit):5.013297113523102
                                              Encrypted:false
                                              SSDEEP:3072:4zkouwFDNSMUYugRJA8J/snalBEm0OgKXIJR10GZybh2U:4zDNIYt
                                              MD5:A920D4F55EAE5FEBAB1082AB2BCC2439
                                              SHA1:CBD631427871B620E9C95417788BFCDD1CD0A2A5
                                              SHA-256:2FFF2122C4D176E074365775227D4208AF48F2F921BE7623EDC315CD345ACF0B
                                              SHA-512:28135FBD9D940F0DEEC7A059AB2998B034575CC5D6DD31B1BE501B60689860478B0A0AB5183C69B2ACBBB9C1A074BBAA215960B3FACC6A9A3B0170E27E7B2B47
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):16118
                                              Entropy (8bit):3.6434775915277604
                                              Encrypted:false
                                              SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                                              MD5:CD131D41791A543CC6F6ED1EA5BD257C
                                              SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
                                              SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
                                              SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 13 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                              Category:dropped
                                              Size (bytes):88533
                                              Entropy (8bit):7.210526848639953
                                              Encrypted:false
                                              SSDEEP:1536:xWayqxMQP8ZOs0JOG58d8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdb:e/gB4H8vo2no0/aX7C7Dct
                                              MD5:F9657D290048E169FFABBBB9C7412BE0
                                              SHA1:E45531D559C38825FBDE6F25A82A638184130754
                                              SHA-256:B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
                                              SHA-512:8B93E898148EB8A751BC5E4135EFB36E3AC65AF34EAAC4EA401F1236A2973F003F84B5CFD1BBEE5E43208491AA1B63C428B64E52F7591D79329B474361547268
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                              Category:dropped
                                              Size (bytes):1150
                                              Entropy (8bit):4.923507556620034
                                              Encrypted:false
                                              SSDEEP:24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAh:MjNyw/0NW9DOp/ANC
                                              MD5:7E55DDC6D611176E697D01C90A1212CF
                                              SHA1:E2620DA05B8E4E2360DA579A7BE32C1B225DEB1B
                                              SHA-256:FF542E32330B123486797B410621E19EAFB39DF3997E14701AFA4C22096520ED
                                              SHA-512:283D381AA396820B7E15768B20099D67688DA1F6315EC9F7938C2FCC3167777502CDED0D1BEDDF015A34CC4E5D045BCB665FFD28BA2FBB6FAF50FDD38B31D16E
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.5118974066097444
                                              Encrypted:false
                                              SSDEEP:6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+Wvtjlpr:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5c
                                              MD5:26A00597735C5F504CF8B3E7E9A7A4C1
                                              SHA1:D913CB26128D5CA1E1AC3DAB782DE363C9B89934
                                              SHA-256:37026C4EA2182D7908B3CF0CEF8A6F72BDDCA5F1CFBC702F35B569AD689CF0AF
                                              SHA-512:08CEFC5A2B625F261668F70CC9E1536DC4878D332792C751884526E49E7FEE1ECFA6FCCFDDF7BE80910393421CC088C0FD0B0C27C7A7EFF2AE03719E06022FDF
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.5178766234336925
                                              Encrypted:false
                                              SSDEEP:12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5c:Md5EaxWbh/Cnt4
                                              MD5:8419CAA81F2377E09B7F2F6218E505AE
                                              SHA1:2CF5AD8C8DA4F1A38AAB433673F4DDDC7AE380E9
                                              SHA-256:DB89D8A45C369303C04988322B2774D2C7888DA5250B4DAB2846DEEF58A7DE22
                                              SHA-512:74E504D2C3A8E82925110B7CFB45FDE8A4E6DF53A188E47CF22D664CBB805EBA749D2DB23456FC43A86E57C810BC3D9166E7C72468FBD736DA6A776F8CA015D1
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.5189797450574103
                                              Encrypted:false
                                              SSDEEP:12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5c:1gxPbXlBQ+gr1ffO4
                                              MD5:924FD539523541D42DAD43290E6C0DB5
                                              SHA1:19A161531A2C9DBC443B0F41B97CBDE7375B8983
                                              SHA-256:02A7FE932029C6FA24D1C7CC06D08A27E84F43A0CBC47B7C43CAC59424B3D1F6
                                              SHA-512:86A4C5D981370EFA20183CC4A52C221467692E91539AC38C8DEF1CC200140F6F3D9412B6E62FAF08CA6668DF401D8B842C61B1F3C2A4C4570F3B2CEC79C9EE8B
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.5119705312617957
                                              Encrypted:false
                                              SSDEEP:6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5c:p///FPwxUrMunUofRReFNHRp5c
                                              MD5:BB55B5086A9DA3097FB216C065D15709
                                              SHA1:1206C708BD08231961F17DA3D604A8956ADDCCFE
                                              SHA-256:8D82FF7970C9A67DA8134686560FE3A6C986A160CED9D1CC1392F2BA75C698AB
                                              SHA-512:DE9226064680DA6696976A4A320E08C41F73D127FBB81BF142048996DF6206DDB1C2FE347C483CC8E0E50A00DAB33DB9261D03F1CD7CA757F5CA7BB84865FCA9
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.5083713071878764
                                              Encrypted:false
                                              SSDEEP:6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5c:pXBHehqSayIylrtBg/bk4AgzHRp5c
                                              MD5:3B4861F93B465D724C60670B64FCCFCF
                                              SHA1:C672D63C62E00E24FBB40DA96A0CC45B7C5EF7F0
                                              SHA-256:7237051D9AF5DB972A1FECF0B35CD8E9021471740782B0DBF60D3801DC9F5F75
                                              SHA-512:2E798B0C9E80F639571525F39C2F50838D5244EEDA29B18A1FAE6C15D939D5C8CD29F6785D234B54BDA843A645D1A95C7339707991A81946B51F7E8D5ED40D2C
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.5043420982993396
                                              Encrypted:false
                                              SSDEEP:12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5c:tZ/u+HeilBh/F+Rd4
                                              MD5:70006BF18A39D258012875AEFB92A3D1
                                              SHA1:B47788F3F8C5C305982EB1D0E91C675EE02C7BEB
                                              SHA-256:19ABCEDF93D790E19FB3379CB3B46371D3CBFF48FE7E63F4FDCC2AC23A9943E4
                                              SHA-512:97FDBDD6EFADBFB08161D8546299952470228A042BD2090CD49896BC31CCB7C73DAB8F9DE50CDAF6459F7F5C14206AF7B90016DEEB1220943D61C7324541FE2C
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.4948009720290445
                                              Encrypted:false
                                              SSDEEP:6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5c:p8os0iieX8iNVHX//x2sHYdoHRp5c
                                              MD5:FB4DFEBE83F554FAF1A5CEC033A804D9
                                              SHA1:6C9E509A5D1D1B8D495BBC8F57387E1E7E193333
                                              SHA-256:4F46A9896DE23A92D2B5F963BCFB3237C3E85DA05B8F7660641B3D1D5AFAAE6F
                                              SHA-512:3CAEB21177685B9054B64DEC997371C4193458FF8607BCE67E4FBE72C4AF0E6808D344DD0D59D3D0F5CE00E4C2B8A4FFCA0F7D9352B0014B9259D76D7F03D404
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):894
                                              Entropy (8bit):2.513882730304912
                                              Encrypted:false
                                              SSDEEP:12:pPv1OuTerb53mpOBfXjQuZfKWpIXE1D6HRp5c:91OEerb53eUQsflpIP4
                                              MD5:D1C53003264DCE4EFFAF462C807E2D96
                                              SHA1:92562AD5876A5D0CB35E2D6736B635CB5F5A91D9
                                              SHA-256:5FB03593071A99C7B3803FE8424520B8B548B031D02F2A86E8F5412AC519723C
                                              SHA-512:C34F8C05A50DC0DE644D1F9D97696CDB0A1961C7C7E412EB3DF2FD57BBD34199CF802962CA6A4B5445A317D9C7875E86E8E62F6C1DF8CC3415AFC0BD26E285BD
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                              Category:dropped
                                              Size (bytes):1150
                                              Entropy (8bit):4.824239610266714
                                              Encrypted:false
                                              SSDEEP:24:Br5ckw0Pce/WPv42lPpJ2/BatY9Y4ollEKeKzn:h6kPccWPQS2UtEYFEKeu
                                              MD5:7D62E82D960A938C98DA02B1D5201BD5
                                              SHA1:194E96B0440BF8631887E5E9D3CC485F8E90FBF5
                                              SHA-256:AE041C8764F56FD89277B34982145D16FC59A4754D261C861B19371C3271C6E5
                                              SHA-512:AB06B2605F0C1F6B71EF69563C0C977D06C6EA84D58EF7F2BAECBA566D6037D1458C2B58E6BFD70DDEF47DCCBDEA6D9C2F2E46DEA67EA9E92457F754D7042F67
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 12 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                              Category:dropped
                                              Size (bytes):36710
                                              Entropy (8bit):5.3785085024370805
                                              Encrypted:false
                                              SSDEEP:384:IXcWz9GU46B4riEzg8CKcqxkk63gBh6wSphnBcI/ObMFp2rOebgcjTQcho:IMWQ2Bf8qqxMQP8pc4XessTJo
                                              MD5:3D25D679E0FF0B8C94273DCD8B07049D
                                              SHA1:A517FC5E96BC68A02A44093673EE7E076AD57308
                                              SHA-256:288E9AD8F0201E45BC187839F15ACA79D6B9F76A7D3C9274C80F5D4A4C219C0F
                                              SHA-512:3BDE668004CA7E28390862D0AE9903C756C16255BDBB3F7E73A5B093CE6A57A3165D6797B0A643B254493149231ACA7F7F03E0AF15A0CBE28AFF02F0071EC255
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                              Category:dropped
                                              Size (bytes):1150
                                              Entropy (8bit):5.038533294442847
                                              Encrypted:false
                                              SSDEEP:24:MuoBP5lj49s9NRDe4LakKcTM8cv99uGzMN:MlFH3/Ri4LaN3q
                                              MD5:661CBD315E9B23BA1CA19EDAB978F478
                                              SHA1:605685C25D486C89F872296583E1DC2F20465A2B
                                              SHA-256:8BFC77C6D0F27F3D0625A884E0714698ACC0094A92ADCB6DE46990735AE8F14D
                                              SHA-512:802CC019F07FD3B78FCEFDC8404B3BEB5D17BFC31BDED90D42325A138762CC9F9EBFD1B170EC4BBCCCF9B99773BD6C8916F2C799C54B22FF6D5EDD9F388A67C6
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                              Category:dropped
                                              Size (bytes):1150
                                              Entropy (8bit):5.854644771288791
                                              Encrypted:false
                                              SSDEEP:24:u2iVNINssNQhYMEyfCHWZZ7rTRrbWjcyuE:uDW871fdZ1lbWjME
                                              MD5:EE2C05CC9D14C29F586D40EB90C610A9
                                              SHA1:E571D82E81BD61B8FE4C9ECD08869A07918AC00B
                                              SHA-256:3C9C71950857DDB82BAAB83ED70C496DEE8F20F3BC3216583DC1DDDA68AEFC73
                                              SHA-512:0F38FE9C97F2518186D5147D2C4A786B352FCECA234410A94CC9D120974FC4BE873E39956E10374DA6E8E546AEA5689E7FA0BEED025687547C430E6CEFFABFFB
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                              Category:dropped
                                              Size (bytes):10134
                                              Entropy (8bit):6.016582854640062
                                              Encrypted:false
                                              SSDEEP:96:uC1kqWje1S/f1AXa0w+2ZM4xD02EuZkULqcA0zjrpthQ2Ngms9+LmODclhpjdfLt:JkqAFqroMS9lD9Ngr9+m7bxpXHT5ToYR
                                              MD5:5DFA8D3ABCF4962D9EC41CFC7C0F75E3
                                              SHA1:4196B0878C6C66B6FA260AB765A0E79F7AEC0D24
                                              SHA-256:B499E1B21091B539D4906E45B6FDF490D5445256B72871AECE2F5B2562C11793
                                              SHA-512:69A13D4348384F134BA93C9A846C6760B342E3A7A2E9DF9C7062088105AC0B77B8A524F179EFB1724C0CE168E01BA8BB46F2D6FAE39CABE32CAB9A34FC293E4A
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                              Category:dropped
                                              Size (bytes):10134
                                              Entropy (8bit):4.3821301214809045
                                              Encrypted:false
                                              SSDEEP:192:USAk9ODMuYKFfmiMyT4dvsZQl+g8DnPUmXtDV3EgTtc:r9wM7pyEBlcgssmXpVUgJc
                                              MD5:B2B1D79591FCA103959806A4BF27D036
                                              SHA1:481FD13A0B58299C41B3E705CB085C533038CAF5
                                              SHA-256:FE4D06C318701BF0842D4B87D1BAD284C553BAF7A40987A7451338099D840A11
                                              SHA-512:5FE232415A39E0055ABB5250B120CCDCD565AB102AA602A3083D4A4705AC6775D45E1EF0C2B787B3252232E9D4673FC3A77AAB19EC79A3FF8B13C4D7094530D2
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (314), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8968
                                              Entropy (8bit):3.5907064103424333
                                              Encrypted:false
                                              SSDEEP:192:gCwdBdVv3CL021BqG2ahBCw2G2X2BCEj2G2KQ6G2nCw+KFl:kRPGiGPKGPGYCrKFl
                                              MD5:66590F13F4C9BA563A9180BDF25A5B80
                                              SHA1:D6D9146FAEEC7824B8A09DD6978E5921CC151906
                                              SHA-256:BF787B8C697CE418F9D4C07260F56D1145CA70DB1CC4B1321D37840837621E8F
                                              SHA-512:ABA67C66C2F3D9B3C9D71D64511895F15F696BE8BE0EEDD2D6908E1203C4B0CF318B366F9F3CD9C3B3B8C0770462F83E6EEA73E304C43F88D0CBEDF69E7C92B3
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .S.e.t.u.p.V.e.r.s.i.o.n.=.".1...0.".>..... . .<.U.I. .D.l.l.=.".S.e.t.u.p.U.i...d.l.l.". .N.a.m.e.=.".M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.0. . .x.8.6. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .S.e.t.u.p.". .V.e.r.s.i.o.n.=.".1.0...0...3.0.3.1.9.". ./.>..... . .<.C.o.n.f.i.g.u.r.a.t.i.o.n.>..... . . . .<.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . . . .<.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h. .N.a.m.e.=.".c.r.e.a.t.e.l.a.y.o.u.t.". ./.>..... . . . .<./.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . .<.U.s.e.r.E.x.p.e.r.i.e.n.c.e.D.a.t.a.C.o.l.l.e.c.t.i.o.n. .P.o.l.i.c.y.=.".U.s.e.r.C.o.n.t.r.o.l.l.e.d.". ./.>..... . . . .
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):78152
                                              Entropy (8bit):6.011592088917562
                                              Encrypted:false
                                              SSDEEP:1536:sYNItbBL5NWiiESc0exWZnqxMQP8ZOs0JD9rHUq:sYNAB9NWTZctc/gBJ9oq
                                              MD5:006F8A615020A4A17F5E63801485DF46
                                              SHA1:78C82A80EBF9C8BF0C996DD8BC26087679F77FEA
                                              SHA-256:D273460AA4D42F0B5764383E2AB852AB9AF6FECB3ED866F1783869F2F155D8BE
                                              SHA-512:C603ED6F3611EB7049A43A190ED223445A9F7BD5651100A825917198B50C70011E950FA968D3019439AFA0A416752517B1C181EE9445E02DA3904F4E4B73CE76
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.................j.}.....].v.....h.w.....\.H...v.e.|.......B.....h.~.....Y.|.....].~.....m.~.....l.~.....k.~...Rich............PE..L......K.........."......f...........+............@..........................P............@...... ..................pu..x...Tp..<.......................H....@...... ................................(..@............................................text....e.......f.................. ..`.data................j..............@....rsrc................v..............@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):807256
                                              Entropy (8bit):6.357664904941565
                                              Encrypted:false
                                              SSDEEP:24576:GS62nlYAqK/AitUgiuVQk/oifPNJIkjbSTzR8NmsBJj:GS62nlYAltBjPNJIkHST18QsBJ
                                              MD5:84C1DAF5F30FF99895ECAB3A55354BCF
                                              SHA1:7E25BA36BCC7DEED89F3C9568016DDB3156C9C5A
                                              SHA-256:7A0D281FA802D615EA1207BD2E9EBB98F3B74F9833BBA3CB964BA7C7E0FB67FD
                                              SHA-512:E4FB7E4D39F094463FDCDC4895AB2EA500EB51A32B6909CEC80A526BBF34D5C0EB98F47EE256C0F0865BF3169374937F047BF5C4D6762779C8CA3332B4103BE3
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................&......&.......R.....z.....O.....{......B...........O.....~.....J.....K.....L....Rich...........................PE..L......K.........."!................Y...............................................;.....@.....................................h....................:..X...............................................@............................................text............................... ..`.data...8...........................@....rsrc................f..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):295248
                                              Entropy (8bit):6.262127887617593
                                              Encrypted:false
                                              SSDEEP:3072:/LTVUK59JN+C0iy4Ww8oBcPFIOrvHvr8QDZHAAKWiIHT6llN1QkvQZaiionv5y/y:HOoMFrz8ygAKWiiIyKf73w
                                              MD5:EB881E3DDDC84B20BD92ABCEC444455F
                                              SHA1:E2C32B1C86D4F70E39DE65E9EBC4F361B24FF4A1
                                              SHA-256:11565D97287C01D22AD2E46C78D8A822FA3E6524561D4C02DFC87E8D346C44E7
                                              SHA-512:5750CEC73B36A3F19BFB055F880F3B6498A7AE589017333F6272D26F1C72C6F475A3308826268A098372BBB096B43FBD1E06E93EECC0A81046668228BC179A75
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............I...I...I..bI...I..WI...I..cI..I..ZI...I...IG..I..WI...I..fI...I..RI...I..SI...I..TI...IRich...I................PE..L......K.........."!................................................................yq....@..........................................P...............j..P....`..0?..................................`z..@............................................text............................... ..`.data....Q.......4..................@....rsrc........P......................@..@.reloc...T...`...V..................@..B........................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, ASCII text, with very long lines (335), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):30120
                                              Entropy (8bit):4.990211039591874
                                              Encrypted:false
                                              SSDEEP:768:hlzLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMC:1wchT+cxcDm
                                              MD5:2FADD9E618EFF8175F2A6E8B95C0CACC
                                              SHA1:9AB1710A217D15B192188B19467932D947B0A4F8
                                              SHA-256:222211E8F512EDF97D78BC93E1F271C922D5E91FA899E092B4A096776A704093
                                              SHA-512:A3A934A8572FF9208D38CF381649BD83DE227C44B735489FD2A9DC5A636EAD9BB62459C9460EE53F61F0587A494877CD3A3C2611997BE563F3137F8236FFC4CA
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema".. xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui".. xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui".. targetNamespace="http://schemas.microsoft.com/SetupUI/2008/01/imui".. elementFormDefault="qualified"..attributeFormDefault="unqualified"..>.... <xs:annotation>.. <xs:documentation>.. Copyright (c) Microsoft Corporation. All rights reserved... Schema for describing DevDiv "Setup UI Info".. </xs:documentation>.. </xs:annotation>.... <xs:element name="SetupUI">.. <xs:annotation>.. <xs:documentation>specifies UI dll, and lists of MSIs MSPs and EXEs</xs:documentation>.. </xs:annotation>.. <xs:complexType>.. <xs:sequence>.. <xs:choice>.. <xs:element ref="UI" minOccurs="1" maxOccurs="1"></xs:element>.. <xs:element ref="Strings" minOccurs="1" maxOccurs="1"></xs:element>..
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PC bitmap, Windows 3.x format, 200 x 200 x 8, image size 40000, resolution 3779 x 3779 px/m, cbSize 41078, bits offset 1078
                                              Category:dropped
                                              Size (bytes):41078
                                              Entropy (8bit):0.3169962482036715
                                              Encrypted:false
                                              SSDEEP:24:SgrNa0EfB4elU+jB+rQXJH4+Cs77hIfVHCv4ToqIzgPc8wcKHL+3:3pa0e4YjB5vAHk4E7zgPcDc53
                                              MD5:43B254D97B4FB6F9974AD3F935762C55
                                              SHA1:F94D150C94064893DAED0E5BBD348998CA9D4E62
                                              SHA-256:91A21EBA9F5E1674919EE3B36EFA99714CFB919491423D888CB56C0F25845969
                                              SHA-512:46527C88F0AED25D89833B9BE280F5E25FFCEAE6BC0653054C8B6D8EBE34EBA58818A0A02A72BD29279310186AC26D522BBF34191FBDE279A269FC9DA5840ACC
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):14246
                                              Entropy (8bit):3.70170676934679
                                              Encrypted:false
                                              SSDEEP:384:VAZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+F:VAB
                                              MD5:332ADF643747297B9BFA9527EAEFE084
                                              SHA1:670F933D778ECA39938A515A39106551185205E9
                                              SHA-256:E49545FEEAE22198728AD04236E31E02035AF7CC4D68E10CBECFFD08669CBECA
                                              SHA-512:BEA95CE35C4C37B4B2E36CC1E81FC297CC4A8E17B93F10423A02B015DDB593064541B5EB7003560FBEEE512ED52869A113A6FB439C1133AF01F884A0DB0344B0
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". ..... . . . . . . . . .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.S.t.r.i.n.g.s.>..... . . . .<.!.-.-. .R.e.f.l.e.c.t.i.v.e. .p.r.o.p.e.r.t.y. .p.a.g.e. .-.-.>..... . . . .<.I.D.S._.C.A.P.T.I.O.N._.F.O.R.M.A.T._.1.S.>.#.(.l.o.c...i.d.s._.c.a.p.t.i.o.n._.f.o.r.m.a.t._.1.s.).<./.I.D.S._.C.A.P.T.I.O.N._.F.O.R.M.A.T._.1.S.>..... . . . .<.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>.#.(.l.o.c...i.d.s._.i.s._.r.e.a.l.l.y._.c.a.n.c.e.l.).<./.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>......... . . . .<.!.-.-. .S.y.s.t.e.m. .R.e.q.u.i.r.e.m.e.n.t.s. .p.a.g.e. .-.-.>..... . . . .<.S.Y.S.R.E.Q.P.A.G.E._.R.E.Q.U.I.R.E.D._.A.N.D._.A.V.A.I.L.A.B.L.E._.D.I.S.K._.S.P.A.C.E.>.#.(.l.o.c...s.y.s.r.e.q.
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):36342
                                              Entropy (8bit):3.0937266645670003
                                              Encrypted:false
                                              SSDEEP:768:S4UR0d5v0SguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcOdOjT5fuPkfuS:S4UR0d5v0QYQLIN/6Fmhvk71sO0Nep3q
                                              MD5:812F8D2E53F076366FA3A214BB4CF558
                                              SHA1:35AE734CFB99BB139906B5F4E8EFBF950762F6F0
                                              SHA-256:0D36A884A8381778BEA71F5F9F0FC60CACADEBD3F814679CB13414B8E7DBC283
                                              SHA-512:1DCC3EF8C390CA49FBCD50C02ACCD8CC5700DB3594428E2129F79FEB81E4CBBEEF1B4A10628B2CD66EDF31A69ED39CA2F4E252AD8AA13D2F793FCA5B9A1EAF23
                                              Malicious:false
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.R.e.g.K.e.y.>..... . . . . . . . .<.R.e.g.V.a.l.u.e.N.a.m.e.>.U.I.L.a.n.g.u.a.g.e._.f.a.k.e.<./.R.e.g.V.a.l.u.e.N.a.m.e.>..... . . . . . .<./.L.C.I.D.H.i.n.t.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . .
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PC bitmap, Windows 3.x format, 49 x 49 x 24, image size 7254, resolution 2834 x 2834 px/m, cbSize 7308, bits offset 54
                                              Category:dropped
                                              Size (bytes):7308
                                              Entropy (8bit):3.7864255453272464
                                              Encrypted:false
                                              SSDEEP:48:9L9GXidTgX2bqxIS0SRosEYYgJSIf4pKTg7pDdEAeObh8EWu:R/Y2bq10Q/EY1sK8M4bb
                                              MD5:3AD1A8C3B96993BCDF45244BE2C00EEF
                                              SHA1:308F98E199F74A43D325115A8E7072D5F2C6202D
                                              SHA-256:133B86A4F1C67A159167489FDAEAB765BFA1050C23A7AE6D5C517188FB45F94A
                                              SHA-512:133442C4A65269F817675ADF01ADCF622E509AA7EC7583BCA8CD9A7EB6018D2AAB56066054F75657038EFB947CD3B3E5DC4FE7F0863C8B3B1770A8FA4FE2E658
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):144416
                                              Entropy (8bit):6.7404750879679485
                                              Encrypted:false
                                              SSDEEP:3072:uochw/MFWrJjKOMxRSepuBaqn/NlnBh2Lx0JVzx1wWobn1ek8F7HncO5hK9YSHlN:zDFB47UhXBh2yJ5HcOSSSHZqG
                                              MD5:3F0363B40376047EFF6A9B97D633B750
                                              SHA1:4EAF6650ECA5CE931EE771181B04263C536A948B
                                              SHA-256:BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C
                                              SHA-512:537BE86E2F171E0B2B9F462AC7F62C4342BEB5D00B68451228F28677D26A525014758672466AD15ED1FD073BE38142DAE478DF67718908EAE9E6266359E1F9E8
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................................................Rich...................PE..L....IE...........!.........$.....................l.........................@......R.....@.........................D.......$...d....................... (... ......P...8............................\..@.......t.......D............................text............................... ..`.data...............................@....rsrc...............................@..@.reloc....... ......................@..Ba.IE8....IEC....IEP....IEZ.....IEe....IEP...........msvcrt.dll.ADVAPI32.dll.ntdll.DLL.USER32.dll.KERNEL32.dll...............................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Microsoft Cabinet archive data, 4186145 bytes, 19 files, at 0x44 +A "F_CENTRAL_atl100_x86" +A "F_CENTRAL_mfc100_x86", flags 0x4, number 1, extra bytes 20 in head, 354 datablocks, 0x1503 compression
                                              Category:dropped
                                              Size (bytes):4192089
                                              Entropy (8bit):7.999755784501758
                                              Encrypted:true
                                              SSDEEP:98304:YHgT57PlfosWFk9TRxWCP/kbNfS2g92D7epPC1txsBDDfifN7wVH:YHmPxFik99xlnANfcM3YDIN7YH
                                              MD5:6C59FECF51931FB4540E571AE0310098
                                              SHA1:DB5B0E9F7D20D2B1CCD61320ECCA7A60E118619B
                                              SHA-256:08E4D5BAD48C0203FDF02FDC28794F820DFB1D4480BDCAC562E7BC6E15FFAAD3
                                              SHA-512:D9CC7C6EF54105C981AACAAFDE890019AF766B53417E765FA7636C3B8A4400CE6F987CCEF1A54B4521412A8E45C011476C065CEBC892688AEED1B027E3E761BA
                                              Malicious:false
                                              Preview:MSCF....!.?.....D...........................!.?.8...........Y...b...H.........r<.I .F_CENTRAL_atl100_x86.HAB.H.....r<.I .F_CENTRAL_mfc100_x86.P....\D...r<.I .F_CENTRAL_mfc100chs_x86.P.....D...r<.I .F_CENTRAL_mfc100cht_x86.P...0wE...r<.I .F_CENTRAL_mfc100deu_x86.P....rF...r<.I .F_CENTRAL_mfc100enu_x86.P....IG...r<.I .F_CENTRAL_mfc100esn_x86.P... CH...r<.I .F_CENTRAL_mfc100fra_x86.P...p>I...r<.I .F_CENTRAL_mfc100ita_x86.P....1J...r<.I .F_CENTRAL_mfc100jpn_x86.P.....J...r<.I .F_CENTRAL_mfc100kor_x86.P...`.K...r<.I .F_CENTRAL_mfc100rus_x86.P.B..sL...r<.I .F_CENTRAL_mfc100u_x86.P9........r<.I .F_CENTRAL_mfcm100_x86.P;..PV....r<.I .F_CENTRAL_mfcm100u_x86.Pm........r<.I .F_CENTRAL_msvcp100_x86.P.........r<.I .F_CENTRAL_msvcr100_x86.P...@.....r<.I .F_CENTRAL_vcomp100_x86.P3........r<.. .FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8...W..:..[..... '.."S`$..n...W..de`e. .(.$.gV...2..X@A..ra*NR<cq|...{.`.p.M.. .).JM....q..........Q.......?.........2..nL......U.f#[v..#--
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319., Template: Intel;0, Revision Number: {F035AD1C-45C3-4166-865F-C2F7CD4958B1}, Create Time/Date: Fri Mar 19 16:11:58 2010, Last Saved Time/Date: Fri Mar 19 16:11:58 2010, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 2, Number of Words: 2
                                              Category:dropped
                                              Size (bytes):155136
                                              Entropy (8bit):6.337010677866242
                                              Encrypted:false
                                              SSDEEP:3072:sMf8zRfPfe6Ss7xJjc769oH12dwGNdJK0+E4mN2EKK995:ERHfeps7xRrldw7I
                                              MD5:CD2B99BB86BA6A499110C72B78B9324E
                                              SHA1:7A288418B36E681093B33DC169E4D27C2EE33EDD
                                              SHA-256:41F6B61E0C070C86E32D8777629DFC8E860848865FEFA0BA7D69E9FEF0A3B174
                                              SHA-512:17174B8F0186F05BE1E20215AAFD64797EC4F831A0D3E0E97ADE3F0A25CB6F78D1D8BF568DFEA1B2DE2ADD3A9D64AAA5B4319F7927301D5D73BBAB1B0EAAE3D5
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              File Type:PC bitmap, Windows 3.x format, 164 x 628 x 24, image size 308978, resolution 2834 x 2834 px/m, cbSize 309032, bits offset 54
                                              Category:dropped
                                              Size (bytes):309032
                                              Entropy (8bit):6.583379857106919
                                              Encrypted:false
                                              SSDEEP:3072:yUDLmozgtuVYKKKvwUbKh5+/uWLspp2e1jSaMsb1bIZU0g0WQbO//QGVYBtGKQgc:yUDLmozvygKjzbIGgBZBkUfDfc
                                              MD5:1A5CAAFACFC8C7766E404D019249CF67
                                              SHA1:35D4878DB63059A0F25899F4BE00B41F430389BF
                                              SHA-256:2E87D5742413254DB10F7BD0762B6CDB98FF9C46CA9ACDDFD9B1C2E5418638F2
                                              SHA-512:202C13DED002D234117F08B18CA80D603246E6A166E18BA422E30D394ADA7E47153DD3CCE9728AFFE97128FDD797FE6302C74DC6882317E2BA254C8A6DB80F46
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):21582
                                              Entropy (8bit):5.6210846221910735
                                              Encrypted:false
                                              SSDEEP:384:Bip/WPACjw4AJCK+nMUQA9qXMAPlClPea6AR/e:BgWvw4AJCK+nMUQA9qXMAkrG
                                              MD5:126D8A1D700E737240CCB7466821A86D
                                              SHA1:1EADD2113FFC5B8548C43772E1FC01E94BDAE7D4
                                              SHA-256:B5C4CC476B18779D73F978B7A0C794DDF8BB4502A0EBFA516975F0098C33024F
                                              SHA-512:7F559B95618189580DDD691097A068C39711201322BFDA05206A4804A45E5FC3489011907D8329C5DC1556DC092B31B5A2AE9FA6CCBE167D0BBE2F686D48B7E0
                                              Malicious:false
                                              Preview:...@IXOS.@.....@..W.@.....@.....@.....@.....@.....@......&.{196BB40D-1578-3D01-B289-BEFC77A11A1E};.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319..vc_red.msi.@.....@ov...@.....@........&.{F035AD1C-45C3-4166-865F-C2F7CD4958B1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{8453C4E7-26E8-3408-B3A4-5940CA95BC60}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{1414BD84-D9A5-3EE5-AA73-118D7C072370}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{E2F46933-FF4F-46E0-B997-F64D2C6D4FA1}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{529D0A60-398C-38A2-97EF-82FAFA798A06}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{9983C931-37BE-3C6E-AD32-8B6E789B6881}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{E822F933-C70D-3CF4-A92D-7263B8ACCF30}&.{196BB40D-1578
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1155
                                              Entropy (8bit):5.5758780390660245
                                              Encrypted:false
                                              SSDEEP:24:NgimCk64Nfja6JfW7mU4fPmCOFm5FPnH4YOCRYVoDEl:NpmfrNfJJfWmDHmCOFmPPnYYOCRYVoIl
                                              MD5:9F8E31A472DA3CE405B0EAC5EC149B23
                                              SHA1:E471AFBD33FFC9E01E84D31EB2C2499AF55757BE
                                              SHA-256:7976CFBB1BC373DA8E1E62871DDCBCD7078F4510D126EE60B9C62705A8FBB4C3
                                              SHA-512:269F4DAF76E41C5E9B1AA0C7A66464FFCC4B9A707BC337E6056F40F146C23A51F653A9C623D9DEB12797A7513CC381013B6856B66B2AEB4CD8FDFC6A2FF36CE9
                                              Malicious:false
                                              Preview:...@IXOS.@.....@...W.@.....@.....@.....@.....@.....@......&.{B64ED1C1-67C0-47C8-91DE-E75B66145206}..Ranger Remote Secure 1.4.2.1..RangerRemoteSecureInstaller.msi.@.....@.....@.....@........&.{9C9EEB3F-182B-4DBC-94C7-8E9605B2A9A9}.....@.....@.....@.....@.......@.....@.....@.......@......Ranger Remote Secure 1.4.2.1......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3C1BBADB-FABF-43F8-A8BC-10707C4EF240}&.{B64ED1C1-67C0-47C8-91DE-E75B66145206}.@......&.{272795E3-2968-4FB8-8E5B-696FEB809297}&.{B64ED1C1-67C0-47C8-91DE-E75B66145206}.@......&.{88E13337-6F6E-4550-8B38-42F971AFAFED}&.{B64ED1C1-67C0-47C8-91DE-E75B66145206}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..6.C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\....S.C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\installRangerRemoteSecure.bat....Z.C:\Program Files (x86)\Carreker\Ranger Remote 1
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):7078224
                                              Entropy (8bit):7.998041554101775
                                              Encrypted:true
                                              SSDEEP:196608:f9wzXHkQMAFKeqeRDTKpP0HtDRMqdmkwDnp8FpvQQf:fKz33EebNNtMim7Q7
                                              MD5:57C3754A9113DFAFE11AD022B9BE5C33
                                              SHA1:0211D7AE0A44BA7E464203A28D0814B68A74D4F1
                                              SHA-256:38D0584E18FCB9EA1AFBC1906EA13708CBE30613DDBBE8AC392FED791B095D34
                                              SHA-512:8D3C6CC03802E20DABC56A5646B9B67C359BA2C95A09A0D3EAE3475B4A91BEFEB85842A04B521D5C10DE61763D70BCF9F87D15A040CE81212C0467137A0F8C93
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 5%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...m:.V.................`..........*1.......p....@.................................],l.....................................$u..........@...........8.k..............................................................p..|............................text...f^.......`.................. ..`.rdata.......p.......d..............@..@.data....]...........x..............@....ndata...................................rsrc...@............~..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):232
                                              Entropy (8bit):4.755932229993111
                                              Encrypted:false
                                              SSDEEP:6:pYsLBLMw2AYaei7ZgSFAQU9hwQluMYVlQXLSD:pYsLdnxrRmQEh3sYX+D
                                              MD5:0FF96C849BC62ADFF0BAA20B9A06C0D5
                                              SHA1:2AAC19DD410C2BFB6ECE1D2192461219D8858293
                                              SHA-256:E3EB97E51FA6E53792A83C8C292A39930E235E2DA79019C3FD9D0145EEF3A90B
                                              SHA-512:3D83DBCF5C5761CC429BB4C80577C7BD6A5954E244443D4CEB5C7240C5A91FA7F2E70383CAEF382E0E4A4B81F566AA7D9B730177929A61D2DE7BDEAAB457ECC2
                                              Malicious:false
                                              Preview:TITLE "Installing Ranger Remote Secure"....REM This file is a simple script to Ranger Remote Install Package EXE from Silver Bullet with secure certificates and silent mode..REM..REM.."Ranger Remote_v1.4.2.1_Installer.exe" /wss /S..
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:DOS batch file, ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):683
                                              Entropy (8bit):5.210391408738588
                                              Encrypted:false
                                              SSDEEP:12:tOj7Adk1pm0g/QYxSYxSIxT0QA4rf8Zk1pmnrLU1DmRh2IDo0QA4p4hZVAJ:kj7Adopb5YxSYxSIxTIZopkc8oSu
                                              MD5:FD4DA1F83FE9F74F8349A09FA18D4E48
                                              SHA1:EEA1906478902F9D3E75368097123F31F30318D6
                                              SHA-256:20A6349696EA179BAC8E04EB561722A7298D0789D7A12FA7A51E04A66EE21271
                                              SHA-512:913448D32C579BDADCB8709101ACF72B40330B94F09B478630CFCB2D7C88A7F21590CCA8B71C9D09D67B9DBD5D41F4C6F4FEC706142159D4156AFADA9973FE5A
                                              Malicious:false
                                              Preview:@echo off..SETLOCAL EnableExtensions..set EXE=RangerRemote.exe....REM |******* Check if Ranger Remote is Installed *******|..IF NOT DEFINED programfiles(x86) set programfiles(x86)=%programfiles%..IF NOT EXIST "%programfiles(x86)%\Silver Bullet Technology\Ranger\Ranger Remote" exit /B 1....REM |******* Check if Ranger Remote is already running *******|..FOR /F %%x IN ('tasklist /NH /FI "IMAGENAME eq %EXE%" /FI "USERNAME eq %username%"') DO IF %%x == %EXE% goto FOUND..rem echo Not running..start /d "%programfiles(x86)%\Silver Bullet Technology\Ranger\Ranger Remote\" %EXE% -a..rem echo After start Ranger Remote EXE..goto FIN..:FOUND..rem echo Ranger Remote already running..:FIN
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):799568
                                              Entropy (8bit):6.390606039798855
                                              Encrypted:false
                                              SSDEEP:12288:XpFqy6cpZ4jhWZFmihMuDj8Ze6U8+yJ/x7ZI2lptCatFW8ExY+P/9:TFZjZsiuuD8X+y5tlpoGNExTPF
                                              MD5:AAC7ED76E8DE83F80D866EFE99121F2A
                                              SHA1:3A7AE94AE160FEE6F539CA0AA12FAFF2C19F84F2
                                              SHA-256:6C45957E8BFE773FC4F9055F8E1F88C4C7105C23B039526B07FB1921410F7574
                                              SHA-512:78DED5095F3081847D39DCC5A3F5447583962BBFD8A7DB72FC139872B05067E756AC8BA9F55A383861DEFA9FBB52EF0CE310F385577418B79713A9A4727D338A
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.yp..*p..*p..*y.D*t..*.._*q..*..Y*h..*..m*..*..l*9..*y.T*s..*p..*..*..i*i..*..\*q..*..]*q..*..Z*q..*Richp..*........PE..L......K.........."!.....t...................................................`............@.................................z..(.......................P..............................................@...................Dx.......................text....s.......t.................. ..`.data....K.......&...x..............@....rsrc...............................@..@.reloc..............^..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):904208
                                              Entropy (8bit):6.589704313188588
                                              Encrypted:false
                                              SSDEEP:24576:eISgtdpp/sDBKr87j/1KxD9S/yYVH/8SH4II6bV3caTV+kjC4:0Kr8lwD9m9VHuII6bzTu4
                                              MD5:0D38C11D3B4E2AC438C6CA3A5973B074
                                              SHA1:FB48660BD8545E6BD090C165233BED72B84155D4
                                              SHA-256:D08151B05F278D11BA7C23A07756B2E1B9466E00629112CC9430C607F43176A3
                                              SHA-512:6C559BCA359092F86BE626FE630B81618F5D17F64EBD0CE98DD0A28C539BC4A83420844BAFF9BD68F97C0ACAC7CF9E86D6E8AA5D7572A51D3BFB5D8AE9D99209
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{...?...?...?...6...>...6...3......6...P...7...P...8...?.......P......P.......P...>...P...>...P...>...Rich?...........PE..L...Q.hR..................................... ....@..........................P...........@..............................D..D....................................W...'..................................@............ ...............................text...J........................... ..`.rdata....... ...0..................@..@.data...<....P.......6..............@....rsrc................d..............@..@.reloc...j.......l...H..............@..B................................................................................................................................................................................................................................................................................................................
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1329176
                                              Entropy (8bit):6.416098393771814
                                              Encrypted:false
                                              SSDEEP:24576:Wcv592mIYl3EE9/e9NAfuwu6maVx2RKY2TIpKJWQrr8TjRdinymP:zttA9NtwuT0x2KIMJWk8TldyP
                                              MD5:B2435BCADB4AF397A66ACE6F6D8E3347
                                              SHA1:753BB074B7B794C2C8510982EEBFCB31100C3685
                                              SHA-256:E4C75C213DA43155CA3BE42065B904D1C06183B8954899041DB2C29090C89D2B
                                              SHA-512:7CE9CE692D6928F48C227924B994AF70997C90724AE4515EFAE948F1BE83C2445D6E45F41E6FA32255557DD1BF156A1D46E440441EEF2D80D439D326F759D325
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M.W.,...,...,...T=..,..Pb6..,...0..,......,...2..,...,.......Z...,...Z..M,......,...5..,...4..,...3..,..Rich.,..........PE..L...H).M...........!.........f......................................................R.....@..........................m...D..,V.......p...............0.......P..........................................@...............l............................text...D........................... ..`.rdata..V...........................@..@.data...x........2..................@....rsrc........p......................@..@.reloc..4....P......................@..B........................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):256
                                              Entropy (8bit):3.8721299860556053
                                              Encrypted:false
                                              SSDEEP:6:IlrjMBHC4VJUIOi0xn/tR5H2CUVRwUVRwUVRwUVRwUVRwUVRwUVRn:Ilrj46B5/tnJUgUgUgUgUgUgUX
                                              MD5:2A67713D0B0012D8748068F357C6D904
                                              SHA1:A225903006D14D2B0194071150DA6301345745E1
                                              SHA-256:50A67743BAF44BF3A0D60265545EC388705D1CCA6D3570BA11DC161D894DD442
                                              SHA-512:6B3989DD407DB833175E1FAAFBDD6129506472DEF2E7C6F1D851DF86426A87A5983F7E37128EA01333CF595225AD5A352ABEB94229DC211CD52FDA35F074BA83
                                              Malicious:false
                                              Preview:5826C7369515F67B9B4ACF05653D91AC120C9EA872404C6ADBC0FBDA8182D1E15138843DDC8EA908EBC8DF9287C74222B2730B38C112158024D207E9D57BBC4C0ACE73B68620D71E2E8602E231091DF42E8602E231091DF42E8602E231091DF42E8602E231091DF42E8602E231091DF42E8602E231091DF42E8602E231091DF4
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1788928
                                              Entropy (8bit):6.428057069001982
                                              Encrypted:false
                                              SSDEEP:49152:gN1RrRtEEqUGMyNFMq6becirSQ/tWv1Kj9p3fDN+WTAFRTZHkGeJLcIG:gFrRtEEqUGFi3irSQFWv1Kj9p3rNiFHY
                                              MD5:C862D88E9911CFEA250FE5781B60F13E
                                              SHA1:3344388446C00ABE32958EC1F4F8A5F1F4CFDA44
                                              SHA-256:D582EC45EF3082FCFFC887C628650F1668A7E10727B38862C0B3FEDC6F6A2EA4
                                              SHA-512:2E4B71BA6A6FE08C61AD2284A386B2C1086079E192A152A092D5BDE9DDCAC914FCEE57FB5CFA090C03075BD9EE8FC40B8D848C5EADC77D84DE4A6AB7B04FCA59
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y.BN8..N8..N8...vB.L8..G@^.O8..G@Y.A8..G@I.k8..N8..k;..U.D.`8..U.p..8..U.q..9..U.@.O8..U.G.O8..RichN8..........................PE..L...y;.M............................u........@....@..................................#....@..................................m..|............................@..|................................... ...@............@...............................text....,.......................... ..`.rdata..bb...@...d...2..............@..@.data............d..................@....rsrc...............................@..@.reloc..f....@......................@..B........................................................................................................................................................................................................................................................................................................
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):46592
                                              Entropy (8bit):5.912560275783756
                                              Encrypted:false
                                              SSDEEP:768:5FK4sf4pAgicRDvMA+vaHEgObU+wAiFbUwp:5FK4sfvkRD8vMO2AiFb
                                              MD5:3DA62E5B5A9B3797A29E00EA2F3F186D
                                              SHA1:447E866BD87069F24BC337590AFAEB880A8A2FE7
                                              SHA-256:6EF70EB21F163C947DB03D6C6DB3057414710F55B20A6D165EBBEED2981F1334
                                              SHA-512:267C67274B0B90795CA054B7FA6DFD0CBD16CC4A9F13E38BC4F89C55A02A3E6EE42A244568BD3BC4B49DBB78C347E46ED9816E089EC5846AB14513EE72BBCE05
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):42496
                                              Entropy (8bit):6.512951555194718
                                              Encrypted:false
                                              SSDEEP:768:SDorxLZLaxUc82wHIzRTIgLa1dhutE39SoOGO+e3HVk9cre:SDGLZDF2wHIlTJLarUAbOX3Hm
                                              MD5:80FAD3429D5F9AD94441BBF01580F701
                                              SHA1:69973CCBCD479ADEB02D10061EEC6F90E77AED9A
                                              SHA-256:C05FC990330D2C98650D8F6DB3AD0B09572516A1E98005E829A7376225EA4925
                                              SHA-512:D7134DF51F042ED00EEC82B7736BE7162E28BDDDCE60CBE499F45131AE3203FA8519F9B6506B0C54BF890DA10FA8205129D4B5845CA05510AF2298D66701CCE6
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):151
                                              Entropy (8bit):4.83635523452514
                                              Encrypted:false
                                              SSDEEP:3:tM7AICEMJJlIRMRVRhFGbZj4I52MJWFQULjNnilixoOmCMQGEvnTLzHFn:20wQpFC52MJCQULjNnWawwPln
                                              MD5:1A5407A7144C327255D0AEB47D53A1E2
                                              SHA1:F45DA437ABEEEDD2DF231ACBB0EB5B40A7B51725
                                              SHA-256:A8F7E47F0666114A9AAD463A7B09D5CD64A4E9E40530043361980425CC23C934
                                              SHA-512:4E31E769524C9270B7A3D0C29D74C1344BE1C3EA3DF6EB8CA7DB1111D080C2BC0D7782245473862140F43C69CF23E31AD1B4DDD182E3367E2F9BD11C2423A25A
                                              Malicious:false
                                              Preview: "C:\Windows\system32\certutil.exe" -addstore -f "Root" "C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\rootCA.pem"
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1568
                                              Entropy (8bit):4.800745036592286
                                              Encrypted:false
                                              SSDEEP:24:YuWyhymMHx24O+kDT6FZdkORXaOJhOX6/olip0132qiFQdHh/CssSXwoY6WfgHjH:kyhymMHQ43+WFZS/sfFOGqdlCxeIfgHz
                                              MD5:76FA2DFE8F6B78C334B95EC323C5674B
                                              SHA1:A44F04611FFF2FD5B61289D5CE9BE57B8AD19D63
                                              SHA-256:24952570B2B9A29D281E3295CADE2439CCAA60F9CD628C795C819568062D2EE2
                                              SHA-512:CDB42BE1024C7C701A5FFBAF4AA378568CD2C8E08196E862E265814C2E32C03665389CCC21853AD6C0EEFF250B594B6B59B176A6EA58B29CF4123E35AD253AC5
                                              Malicious:false
                                              Preview:firefox_add-certs..===========....script to add new CA certificates to the Firefox trusted certificate store on Windows......Description..-------------..Unlike other browsers, Firefox doesn't use the Windows certificate store, but comes with its own hardcoded list of trusted Certificate Authorities. New CA certificates can be added through the GUI and are stored in the user's Firefox profile...This cmd script is a very thin wrapper around Mozilla's NSS certutil command line tool, that adds all CA certificates from a given folder as trusted to:..- the default Firefox profile (so that any newly created Firefox profile will automatically have them)..- the Firefox profiles of all users on the local Windows machine (appropriate write permissions to these user profiles needed)....The release download includes a build of the NSS `certutil.exe`.....Usage..-------------..- download and extract the ZIP file from the [release page](https://github.com/christian-korneck/firefox_add-certs/releases)
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3370
                                              Entropy (8bit):5.3162971659912435
                                              Encrypted:false
                                              SSDEEP:48:PcnAfhDzmbAjhTBvXRIyqA3y/hXy6jg1SBvb/IOBh/XMm8:E8zmbAjhWACh2G/XMb
                                              MD5:19D34259253158006FE1F3681F81C977
                                              SHA1:92F2F3F992DD9967D29052EA7DA374E5E43A8F00
                                              SHA-256:25801C78550AB23A39A830E73DD0FF98EF3A46607ABBEB52D9C04782800420A3
                                              SHA-512:981900CC777580C01A329822E642997119CA54E0BFA6D0779E2F32C86B0248F28FFF9755D5EC5902909948B91F473492DDC5441F81837E3EE9E56259E0550EA3
                                              Malicious:false
                                              Preview:@if /i "%1" NEQ "-verbose" @echo off..setlocal....REM #### general config..set programFilesWithMozilla=%programfiles%..if not exist "%programFilesWithMozilla%\Mozilla Firefox" set programFilesWithMozilla=%programfiles(x86)%..if not exist "%programFilesWithMozilla%\Mozilla Firefox" exit /B 1....REM #### default firefox profile..set firefoxdefaultprofile=%programFilesWithMozilla%\Mozilla Firefox\browser\defaults\Profile..if not exist "%firefoxdefaultprofile%" mkdir "%firefoxdefaultprofile%"..if not exist "%firefoxdefaultprofile%\cert8.db" copy /y "%~dp0db\empty\cert8.db" "%firefoxdefaultprofile%\" >NUL..if not exist "%firefoxdefaultprofile%\key3.db" copy /y "%~dp0db\empty\key3.db" "%firefoxdefaultprofile%\" >NUL..if not exist "%firefoxdefaultprofile%\secmod.db" copy /y "%~dp0db\empty\secmod.db" "%firefoxdefaultprofile%\" >NUL....setlocal ENABLEDELAYEDEXPANSION..set replacepath="%~dp0cacert"\..FOR /R "%~dp0" %%C IN (cacert\*.pem) DO (..set certpath=%%C..set certfile=!certpath:%replacepath
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):90112
                                              Entropy (8bit):6.049203086148785
                                              Encrypted:false
                                              SSDEEP:1536:LAflGYt7/Ti4XbE3gIf8CRl6x9J7ii/A5X0AhiGlPv5vRPvzvo:cflGYh/Tix3gIfL6d7N/A5X0AIGBP7
                                              MD5:D2AFFBD28E04FB3B25A31919FFD3AA03
                                              SHA1:11FF367C6E18D40BF6DAE98F826263203AD9323C
                                              SHA-256:AE835DEC6E709F035606AD26EDA564BCAEA8CAD23FB41EAC750B0237472A17C2
                                              SHA-512:67B14C725D7BF4DED7B255FCBBEA8CEF1E4A630A8369ABFB6DEDD239CCE8682E9156D9C2978D40636D1E31D151C293EAFD5CF696173463437A16660BDC418985
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 2%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):172032
                                              Entropy (8bit):6.373336403812237
                                              Encrypted:false
                                              SSDEEP:3072:X8E0P8fIARaDSEiJIkc75mzPDuMqqDL2/DY/y/jPGHrIswL:X8EK8f1YDSEiJIkc6DFqqDL6XGHrIr
                                              MD5:C9F52428ED01EF0F8B7AD1E2F53B6DC6
                                              SHA1:4A15E7C076B41569D90C0F1196F46222DC2276D8
                                              SHA-256:529B1D287EAA85F94130E49F1810001061085AC1A3D8E8167894CCF5B7F1F8AF
                                              SHA-512:BD3AFD9085516918DB54728BDCAAE6224C6F53D6ECE38A5C5C41434AC0B09AEA17D6551D480AFCE122615B9313444B2E1FDB1CBD2C791FC7C106AB481458A61D
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):126976
                                              Entropy (8bit):6.053779774514229
                                              Encrypted:false
                                              SSDEEP:1536:lKQ/GSoZEXeIfxYTXpH8rjc5/gdIdwp9sI/B8CbqdDwAUyOfRPyvojA/V1i7ouv:lZboZEsoje/Vwd/0DWyOtyuiV07
                                              MD5:F8E24818D9EF9146948195603A4DD422
                                              SHA1:711E43243084A6F96758D805195EF1881EEB16AA
                                              SHA-256:15C19C38BEB20A81CA63EDCEEECFF48F65284213B0C38FF40F37C7355B0EC2B9
                                              SHA-512:99B61508FC83869A5DF2667562A4AFB17B1E8DD3DF5DBFAE51E5D73159B0B9630610353D5A65C750A25923B8674DD18FD2FAF8B91409BEAB45A73319728058BD
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):208896
                                              Entropy (8bit):6.3362137447403555
                                              Encrypted:false
                                              SSDEEP:3072:Cavia0x2eob0u7m4t07zcFPBJ2QsmO1/3rAqpeMWXcxpL2rrIHNtdv19OLR9:7Ka0sb0wt0cJhsmO1/3rJpeMWE0rI9v
                                              MD5:691FF94BBC3541733A7CA0E12469411F
                                              SHA1:BA46CDBB9C1A18C7CFA1D7B356EC7163969C9BF2
                                              SHA-256:102BE0B368E2862754673C19A91BDBF97D3ACF0E9F83A350649F576B1736CB26
                                              SHA-512:64299E818932E8DEF414CA2827ECEC2AB7DB7D71815864F0C1826E37597D3FB275C70AF64DB7135053D1DF2C20B62750EFE3CB12DAC99AFDD77ECF5FABC77885
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):28672
                                              Entropy (8bit):3.011015841534798
                                              Encrypted:false
                                              SSDEEP:192:XNXI9lF8Elho4GezZKpJB2IIHN5NqPCtgP6QDLuxUnnnqCv/qWARuPsBQVhmmTCR:9XI9vXqSHt7Or6QD0OAyOkdplLVW0R
                                              MD5:92B8A7D872B030F398CC53A2E2BFB555
                                              SHA1:C6BED9698115B0B418CF6AF7A5F46500CD1777BC
                                              SHA-256:B11741132679F25E0239EB89FDC2C017BB1049CDBE58D82F88551F3BEF1C21B1
                                              SHA-512:E85B53F7712AB560870FBCC718837F3B707E3DE20A75D1BBD07126125D0B20A31C6FE6A3A870B49F128A47ABAA43487F7E05D925465018C740897355A934ADCE
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):24576
                                              Entropy (8bit):2.0051022828029756
                                              Encrypted:false
                                              SSDEEP:96:LGp5gzc96kQuFBUcmOHeV6Yqebl6swLmwi2gGhTul10vynrJ3K1SxMRN3L6CM45j:L05v96qF6cqSE1wi2gGVuEa9aYyFfv
                                              MD5:6AC014A4BF68C61B5E622DAA911953B5
                                              SHA1:3C53B35535FEAE8E39B025D2793B50CD6A560A92
                                              SHA-256:0A74C6FBB378F7AA0A24ED750CEEB5874778374F338C06A257118AD8E661431B
                                              SHA-512:E2669EC18C5F457E28AAFF0D564C32C2CC845C13A6B0491F77BB212AB75688992D946FDF68D137EF5027ADB15BF422686AE1287985FA4DBA5A3D484A8BA413D2
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):368640
                                              Entropy (8bit):6.3270042575508345
                                              Encrypted:false
                                              SSDEEP:6144:SJHM/lU/fUYje77oOHUYtap6HFoAQltlmjmXIJcNC8aXAcvZM8YtVdynqI4dJlU2:SJHM/lUXUYje77oOHUYwpQupux7fvO8C
                                              MD5:E723BEC5A8AD28814A4156D961EAC891
                                              SHA1:37D2D00E7C44CBC274EE9B67599DD024A8EF7540
                                              SHA-256:CDD559D807D4A1599F16577C931FB1392487C271AAE1A7010B7E53FB6FB0B0F8
                                              SHA-512:DF82B0659E36AE9366889244F31A3632ED82EA1E240BB7CEBE2C01F8A4E26462737AF3E5D6FBD5CE0800688A1EA06E70207E0799210DE2FC132AB444D4B3FF1C
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):110592
                                              Entropy (8bit):6.4887902817222995
                                              Encrypted:false
                                              SSDEEP:1536:QlEUXeNbfEzPX5FdEsom/cbvczqvooFPrSd8kBlUT1SB:qlybfEbXTd5wbvYqf0d8kBlUT1SB
                                              MD5:C19416E9CF9E571068CA14276C6E0620
                                              SHA1:B5E8EE4659B678FB3B234055B1EEDA920EB20B30
                                              SHA-256:BA9341807B42E90BB0380D51A83D3D6A0DE7D57B6820A8B0CBE5E36E978860FA
                                              SHA-512:5CDE579F66E0677F1419DC11723E1F7B5A7D408B4B3250E26AA0C0863A46B6FD86F17813416769F1EEC89375F3C9C83FED468A17D1EF80F83FF1744927E7DA79
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):110592
                                              Entropy (8bit):5.628747503274973
                                              Encrypted:false
                                              SSDEEP:3072:RGUeQZF6wq9iDZEa5pFDRc/JdGvZmWyPVpj2VKvNE7z:RJYv9iDTpFDRc3hPt2
                                              MD5:0F44FC09CDED58859D780C5696382D4A
                                              SHA1:A249FD04A8562E54F4C5E1CB655D492B4E2280B7
                                              SHA-256:8363C76A7B74D01A16DE2A7A3F24AEA1779373239701245EC13E36C8B7BB3FE9
                                              SHA-512:78D8FFBBACD005826C545CCD302E004C50F58366F63F1A94F00A185D175A498AA144F1E265539CF007FC307E58E38CAA211EC63D1A5AC8DEF99CA41E6A417FD0
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):245760
                                              Entropy (8bit):6.2479300877143755
                                              Encrypted:false
                                              SSDEEP:6144:194KxewOcu56nPRX6nh0HpN4VysvOPuu4v:194QSQxOh8f4dvYuuM
                                              MD5:18F930AEA63CF5B19DE10400D0704249
                                              SHA1:55A956C1292328B8CF04A9281631F7B34ECDBE00
                                              SHA-256:EBD42144F51DC25ABA3C955D40E740D73F6837C4726261E77ECB488710C5FAF5
                                              SHA-512:31DB8D7F6C6EAD09E1786B08CEBCF3197CD6C8FABD8002254742E8C97B6F6FFA0D61F1DF7C14F71804ECF71A7D655516B3813EA8500F9C7B9EEFC22CB188F0E6
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):114688
                                              Entropy (8bit):6.0617319997199175
                                              Encrypted:false
                                              SSDEEP:1536:6OYGBnySsyuPdEXWWIR0PRxE8VtTnrEs/3pSAd+tC7ZU7lw2dZqn5zlNAJfB6wwX:65GBn1syoq6088VhAsw/65/Ss2
                                              MD5:CB2E85E0DB79744F7B25C6E269B167CD
                                              SHA1:61C53CF7706FE75A6271AB15D9616B8A48AACCB6
                                              SHA-256:49B3D905686EE916D6FCE0DF7162FA6F306A5A51E95FC2D02D66F102BE39F9D8
                                              SHA-512:97F7B71FCE3E6A24E7F02286B9A3EFA467927F90270EC81E265C40E2CA6B256FFFF07B9F97823A818243F1E0D8C4E76120F5652D38A6B3288207069D5C4F1EFE
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:ASCII text, with very long lines (916), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3705
                                              Entropy (8bit):5.079761760664148
                                              Encrypted:false
                                              SSDEEP:96:kkL3IxL/xgR2bJUaCm32ht13z9y+Ok0HQucYgy6:kkYxbxj32ht13By+Oxmb/
                                              MD5:AD690AEB54AEA59BFA537DCBAD62330F
                                              SHA1:525212EDE3F3D137C76F6F1F8B720491C1B2825F
                                              SHA-256:852B75288C55EBBE152AAC1DE497E4512746ADA66E60A591307E74E88BD7CDC1
                                              SHA-512:F632685832939F54ED704F7571315DA6A6586B4EB0E0767A37C5F81F9E6E9D2E209ECE5E3DC03EF739E2DC89C6913EA692C0CEABCCD42DEF676AC7A7FD34389A
                                              Malicious:false
                                              Preview:..Name: RDL COD14..Status: POLICY p20140731..Editor: Mark Lipscombe..Licence: CC-by-sa+DRP .RDL Status - POLICY........Root Distribution License..1. Terms...."CAcert Inc" means CAcert Incorporated, a non-profit association incorporated in New South Wales, Australia..."CAcert Community Agreement" means the agreement entered into by each person wishing to RELY..."Member" means a natural or legal person who has agreed to the CAcert Community Agreement..."Certificate" means any certificate or like device to which CAcert Inc's digital signature has been affixed..."CAcert Root Certificates" means any certificate issued by CAcert Inc to itself for the purposes of signing further CAcert Roots or for signing certificates of Members..."RELY" means the human act in taking on a risk or liability on the basis of the claim(s) bound within a certificate issued by CAcert..."Embedded" means a certificate that is contained within a software application or hardware system, when and only when, that softwa
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.6864194113487736
                                              Encrypted:false
                                              SSDEEP:3:Izq4GPDHEBTL:IzpQs
                                              MD5:D051C687225FA1E4EF5EDCF2AB6A18B7
                                              SHA1:93B90E091366C037D8B6AD8B6681DADC9B2D0CCA
                                              SHA-256:982F5AF8AB74D992E607AF8D711262BB965AC064BD0E6189387FE924C271D416
                                              SHA-512:FB07DE308A1F1C87D87424DD8DA4D1045D790CDF9011C83F92F876A4DE1CE90104213621F7A02675CFD420DE636FC55907431C389C7103FA8DF40B83D1CED7F0
                                              Malicious:false
                                              Preview:Add pem certificates here.
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PEM certificate
                                              Category:dropped
                                              Size (bytes):1497
                                              Entropy (8bit):5.8717440011342115
                                              Encrypted:false
                                              SSDEEP:24:LrcfLTQP8yitqitdha+n0GzmyGKCBTTXkSOshNPZLdbBdTfnWzVlnlHzc5zJ:LrcfH88yixhT0GK7HBTTXkSO8PZLlPWy
                                              MD5:045DB9619918C658510991FCD0317A11
                                              SHA1:17C822C2080042671225A6CDFE237CB7657FF91C
                                              SHA-256:77EF9805CA86BFA678B86188BBC74417681F47A8068E33DE733696E281C6BAB1
                                              SHA-512:8468F08F91183DAC0D064D50F2A4402E382A890CB163D5F23F39090511B0415CD17938BE96BA6F735DD4695FB21C004643BD1FA0A2C3367D0B7C6423D6FA1034
                                              Malicious:false
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):833
                                              Entropy (8bit):5.1304260712951235
                                              Encrypted:false
                                              SSDEEP:12:RcFppqUHssLqptPUHssXJ2WzOM2OOzHss0DAPo3rqLoFNH0H2VFNH0H2VFNH0H20:yFpFqXoDzOX38H3rCoFbFbFbFgoksXqr
                                              MD5:807C387557EB018238DB305264D2CA5F
                                              SHA1:2D71CC55C184C8F8BAA574517152E269E2D4C8F2
                                              SHA-256:C7263DE14C6EFC86CB59150E8F3884D42BCCE1309C51C7471004DDF1F7DEEFDE
                                              SHA-512:ABEB27D86551C4CCAE26F5EE45AEBBC9B8DAE174D2EBF03D3AFEA8C5B5105FBF103538FCC4E0432C1C2520DC82C3405C763E94B2CF959085AC51E3D325F66E38
                                              Malicious:false
                                              Preview:REM #### general config..set programFilesWithMozilla=%programfiles%..if not exist "%programFilesWithMozilla%\Mozilla Firefox" set programFilesWithMozilla=%programfiles(x86)%..if not exist "%programFilesWithMozilla%\Mozilla Firefox" exit /B 1..REM #### default firefox profile..set firefoxdefaultprofile=%programFilesWithMozilla%\Mozilla Firefox\browser\defaults\Profile..REM ####user profiles..FOR /D %%U IN ("%systemdrive%\Users\*") DO (..FOR /D %%P IN ("%%U\AppData\Roaming\Mozilla\Firefox\Profiles\*") DO (..FOR /D %%P IN ("%%U\AppData\Roaming\Mozilla\Firefox\Profiles\*") DO (..FOR /D %%P IN ("%%U\AppData\Roaming\Mozilla\Firefox\Profiles\*") DO (..FOR /D %%P IN ("%%U\AppData\Roaming\Mozilla\Firefox\Profiles\*") DO (.. "%~dp0bin\certutil.exe" -D -n "support@sbullet.com" -d "%%P".. @echo %%P..)..))))..REM #### eof..exit /B 0..
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):71
                                              Entropy (8bit):4.4172156985089845
                                              Encrypted:false
                                              SSDEEP:3:tM7AICEMJJlI2JFApFySSiwHv:20wkApFe
                                              MD5:CDF20AD4387EEDB595DDD0AD37D0E8C8
                                              SHA1:CA4DF1192A41A4FE351E75CEC02E8CEFFAED75DA
                                              SHA-256:A55D500D88FF4B5304E1C1D3333CEB17E8308055C394BAA6E0004F2FA7E9A13A
                                              SHA-512:94B0E3B2D54A28E2F053100A8DCEDF8A8CD1078E0E9FE1EEDDC10BB2B8778DDF961B4EB5BA530DC5529B32B0447C8E08C59BEEDDDBCEC4555031A758AAEA34E0
                                              Malicious:false
                                              Preview: "C:\Windows\system32\certutil.exe" -delstore "Root" "www.sbullet.com"
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PEM certificate
                                              Category:dropped
                                              Size (bytes):1497
                                              Entropy (8bit):5.8717440011342115
                                              Encrypted:false
                                              SSDEEP:24:LrcfLTQP8yitqitdha+n0GzmyGKCBTTXkSOshNPZLdbBdTfnWzVlnlHzc5zJ:LrcfH88yixhT0GK7HBTTXkSO8PZLlPWy
                                              MD5:045DB9619918C658510991FCD0317A11
                                              SHA1:17C822C2080042671225A6CDFE237CB7657FF91C
                                              SHA-256:77EF9805CA86BFA678B86188BBC74417681F47A8068E33DE733696E281C6BAB1
                                              SHA-512:8468F08F91183DAC0D064D50F2A4402E382A890CB163D5F23F39090511B0415CD17938BE96BA6F735DD4695FB21C004643BD1FA0A2C3367D0B7C6423D6FA1034
                                              Malicious:true
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PEM certificate
                                              Category:dropped
                                              Size (bytes):2197
                                              Entropy (8bit):5.9575423883923575
                                              Encrypted:false
                                              SSDEEP:48:LrcE88yBvkXeKm/w0/wCnddIt8m1Ja2o+0XEF0KKS:LrcEvjfmpzd6tYhc0a
                                              MD5:C3CC0CA86A46A13FAE50E027644CCFF9
                                              SHA1:FDDE0B2F6360BD7CB13C50C8DF264FBD4FD6F33C
                                              SHA-256:A929276ACBB15BDA4A9985D3A3DD3272E0ECD14AFA3B014AB907E8B355727314
                                              SHA-512:D4FB4C8827EA90AB2809E096D4A8CAD3D7CA8F86C43AEF1344A06F3814798C4247E12334F71177B60F54F9BEF47D7E8608CE289273244AC0F43F3EDC9E9F0780
                                              Malicious:false
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):137
                                              Entropy (8bit):5.133866572829365
                                              Encrypted:false
                                              SSDEEP:3:RZKF2DD0URIXVLL2MdyFQULjNnMRAQvMQqX2wAV9VvmtVFv:2UuxrdWQULjNn+AQU9X2w06r
                                              MD5:26DFE52A7FA8CF1F3D5F356E2CDA39A6
                                              SHA1:6B7CD25935A8E19C712AC8F364F89A4AE0874266
                                              SHA-256:40C1489276D12823CE4684307B67CB26B99050CDF0BDEC22EC55A79F589CDD00
                                              SHA-512:5DB38327734644E1D9C71C5B00019178AD21243E07DC7AF055F021F8D03526649708049E4B2726A5907559DA5EA75E1F916F6FB6310B45478198ADB1688DE0E7
                                              Malicious:false
                                              Preview://..// Copyright . 2014-2017, Silver Bullet Technology, Inc...//....function GetUserDefinedUrl() {.. return "wss://127.0.0.1:9003"..}..
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):58222
                                              Entropy (8bit):4.894413450340355
                                              Encrypted:false
                                              SSDEEP:768:zsFlRtiy5lpCGgp82bWwbStFBreHav8NQySj97LyDHVJ:zsnnlpC5VbZbStTeH9NQySj97LyL
                                              MD5:AB74D3102C8BA92D7C696D271156DA9F
                                              SHA1:D80B155A8DA5519E6DF10CA806B106F7AE11A360
                                              SHA-256:46CA42A20C2A2828EF7DEB2EA94508C0B191F818E38B880BF49AA0C301592F6D
                                              SHA-512:ED97419D618B36B95465032590BC7EB88BC5B683D9170C1C8201495AC114F2212454D57467AEC8EE92B84ED26EEFD748A9B000CEC4112ACEBC43C49B35A028DB
                                              Malicious:false
                                              Preview://..// Copyright . 2014-2017, Silver Bullet Technology, Inc...//....function MakeRanger()..{.. //=======START OF INTERNAL FUNCTIONALITY=====================.. //declarations with "var" are private.. var self = this; //use self to access "this" functionality.. var websocket = null;.. var itemData = null;.. var internalRangerStateBuffer = 0; //Using ShutDown as more applications will be compatible but Unknown is more correct... var GenericOptionsBuffer = null;.. var DriverOptionsBuffer = null;.. var TransportInfoBuffer = null;.. var ExceptionData = null;.. var IqaData = null;.. var ItemSuspended = false;.. var InShutDownCall = false;.. var GetVersionBuffer = "";.... var objectArray = [];.... var jsonSendId = new jsonSendIdObj();.... //.. //findAndRemoveFromObjectArray() searches through the objectArray for the.. //passed id. If the id is found in objectArray, the object containing the.. //matching id gets spliced and returned. If matching id's are not found,.. //fuc
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):31284
                                              Entropy (8bit):4.924918810802086
                                              Encrypted:false
                                              SSDEEP:384:pwNYVBZBaH1vnlQUNj2Zsw9QAd1UJvyiClRlolVlclZlPl5l4lzEkcJDjZvlwMWs:pubJEnZiMtlwb2AsgaiUf
                                              MD5:C55D4B71735BA82E0B8B70E2F26195E6
                                              SHA1:9956BF0E81074705DF476A86C550D44EA58DD971
                                              SHA-256:574EA81A7C6852D46FCE55D005AFBDAE1B27780E9E405AC72DAC0187870039C9
                                              SHA-512:5C9793B7B6837E1467516D9B755685E338E77B11226DE75380D888ACAE37C0F52EC8C6940F2652564A4FF160D1E2EC2E35B0EE5C2ABF08D9F55D3B1753EF0947
                                              Malicious:false
                                              Preview: Copyright . 2014-2017, Silver Bullet Technology, Inc. -->....<!DOCTYPE html>..<html lang="en-US">..<head>..<link type="text/css" href="Sbullet.css" rel="stylesheet" media="screen" />..<title>Ranger WebSocket Example Page</title>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />......<script src="Ranger.js"></script>..<script src="DefaultWebSocketUrl.js"></script>..<script type="text/javascript"> .. var Ranger;.. function onLoadFunction().. {.. try{.. document.getElementById("url").value = GetUserDefinedUrl();.. }catch (err) {}.. }.. function myRanger().. {.. return Ranger;.. }.. function getstatus().. {.. document.getElementById('Status').innerHTML = 'Status: ' + Ranger.GetTransportStateString();.. }.. function popup( obj, L, T ) .. {.. document.getElementById('EnableRanger').disabled = true;.. document.getElementById('EditOptions').disabled = true;.. document.getElementById('StopFeeding').disabled = true;.. document.g
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:Unicode text, UTF-8 text
                                              Category:dropped
                                              Size (bytes):1891
                                              Entropy (8bit):4.9696284167423
                                              Encrypted:false
                                              SSDEEP:24:J4pJGmQJ2xFzogcNYN6NlgY3TqRhGVzDI156AbRKgaR2cTW2fK0pNnRK5a:J4pJGnIxFzirmAuGxDIqMKgO2cy2fpDp
                                              MD5:CAB7761C0DA8765AEC835740E4385875
                                              SHA1:37A9CACDE306D8746BA0DBA53017A1B05A53379B
                                              SHA-256:52445A1EB8AAE74E9EE1AA62FF332586368832643B7CA26D10FBC54600588CD2
                                              SHA-512:35994D1E06F000C4984EE014969E2EF63650832E79B8F8A5A5BC34E49418C1D44F115781A06CD60AD0AF8687018383FEA8CCDB056BD674088F42131ADA8853F7
                                              Malicious:false
                                              Preview:/* Copyright . 2014-2017, Silver Bullet Technology, Inc. */..body {.background-color: #e1ddd9;.font-size: 11px;.font-family: Verdana, Arial, SunSans-Regular, Sans-Serif;.color:#564b47;.padding:0px;.margin:0px;.}..h1 {.font-size: 11px;.text-transform:uppercase;.background-color: #666699;.border-top:1px solid #564b47;.border-bottom:1px solid #564b47;.padding:5px 15px;.margin:0px;.color: white; }..h2 {.font-size:20px;.font-weight: normal;.padding: 5px 10px;.margin:0px;}../* ----------container to center the layout-------------- */.#container {.width: 800px;.margin-bottom: 10px;.margin-left: auto;.margin-right: auto;.background-color: #f5f5f5;.}../* ----------banner for logo-------------- */.#banner {.background-color: #666699;.text-align: right;.padding: 0px;.margin: 0px;.color: white;.}.../* -----------------content--------------------- */.#content {.background-color: #ffffff;.padding: 3px;.margin-left: 200px;.margin-right: 0px;.}.div#content { .min-height:600px;.height:expression(this.
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):6404
                                              Entropy (8bit):5.1598390009806225
                                              Encrypted:false
                                              SSDEEP:192:Die+xrsXrsy/QZ93OWZ762ROrsMrsSe13C3didCJ:DivrsXrsyilHo5rsMrsxdsdyCJ
                                              MD5:CDAD00DCB0CE5844C78B65A3435B8567
                                              SHA1:8F71D2B16416498BB416B0955402E266A1EED2AA
                                              SHA-256:652884D9FCD49780FFD894235E84FD860B72F73938844581E94CFF749EF0DE23
                                              SHA-512:9686A81001989F7007F25D1FB6EFACE944B39681D4367DB003138733D401E87B6ED3FDFC70C89E7B380B280BCA87E98A01A3B265E906259BC5BACA27F100E6E4
                                              Malicious:false
                                              Preview:.. LICENSE ISSUES.. ==============.... The OpenSSL toolkit stays under a dual license, i.e. both the conditions of.. the OpenSSL License and the original SSLeay license apply to the toolkit... See below for the actual license texts. Actually both licenses are BSD-style.. Open Source licenses. In case of any license issues related to OpenSSL.. please contact openssl-core@openssl.org..... OpenSSL License.. ---------------..../* ====================================================================.. * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved... *.. * Redistribution and use in source and binary forms, with or without.. * modification, are permitted provided that the following conditions.. * are met:.. *.. * 1. Redistributions of source code must retain the above copyright.. * notice, this list of conditions and the following disclaimer. .. *.. * 2. Redistributions in binary form must reproduce the above copyright.. * notice, this list of conditions an
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):517168
                                              Entropy (8bit):6.20146805516535
                                              Encrypted:false
                                              SSDEEP:12288:tGFkkQ48ME4LAeZPf18LqZpXk+oFYdENSTT7pbNw:k1+OKFYdEETT7pbNw
                                              MD5:EEE610BCC6EC798ECBB06BE0266C7007
                                              SHA1:9D6002070DCCD83B4A1BDFDE92EA86795DCDF353
                                              SHA-256:E211BC6DF01E107532EE2ACE83F244EEA782961C63E55307E161BAF8D8A92CDF
                                              SHA-512:5375E0359050503339360B559FA3C41D17C53EE5BB0FCDC9E13AF4EC1452B4B15E0E8B98F311428CFD73BD082821549320206BB9FFA90B2BD7AA783E3474205D
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 3%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):80960
                                              Entropy (8bit):6.429371688579577
                                              Encrypted:false
                                              SSDEEP:1536:XgLiTVdmae0eSzeToB1B7URt6LONaSUMFCvJgZP1aV8Ro5tDh:XgIwt0Zze83pUeLONaSoEPgV8Ro5tV
                                              MD5:39FC6C22316B32FBBA11231ACCD03D52
                                              SHA1:9B9A4E6754AEE9A9379C23551F80F65310AD8765
                                              SHA-256:64536986EA02CAD651080A6057AB5B6491B2D4B2B55ABD25EAABB763C998A98A
                                              SHA-512:69F60D35755DD0227111E73090D57F91541DE810E80264B93FF5DFFA7358D777998414EF56FBCF777271D1B03B0CE2819684E774EC84A44699C891AA5A17ED32
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):2741
                                              Entropy (8bit):4.98244928958579
                                              Encrypted:false
                                              SSDEEP:48:ZmiGwKvc0tIM432s2qv32s3Eon3tGHP70HAqc8OdPcrP9Da0qMyNX1u:ejIv3lv3zpAj0HPc8Od0zda0EVE
                                              MD5:B2AC81609CC396B57D58EF97D203919E
                                              SHA1:CFA29E541C1B8E283327FD8C7AAF18740816460D
                                              SHA-256:9232B943EAE53C705B3794B22146899D6E18632FEB0839D3A614402926545853
                                              SHA-512:6330C80C09A61065A878EF3F92905F98B7A046D3A3F994E769EB9C73C76DC0AC52D7D764F04A19AB19FCF41D2CA2BB8B75B505BCA6E826587C637DC334AA7F3E
                                              Malicious:false
                                              Preview:=============================================================================..OpenSSL v1.0.1k Precompiled Binaries for Win32..-----------------------------------------------------------------------------.... *** Release Information ***....Release Date: Jan 10, 2015....Author: Frederik A. Winkelsdorf (opendec.wordpress.com).. for the Indy Project (www.indyproject.org)....Requirements: Indy 10.5.5+ (SVN Version or Delphi 2009 and newer)....Dependencies: The libraries have no noteworthy dependencies....Installation: Copy both DLL files into your application directory....Supported OS: Windows 2000 up to Windows 8....-----------------------------------------------------------------------------.... *** Legal Disclaimer ***....THIS SOFTWARE IS PROVIDED BY ITS AUTHOR AND THE INDY PROJECT "AS IS" AND ANY ..EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, T
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1279488
                                              Entropy (8bit):6.841554244371631
                                              Encrypted:false
                                              SSDEEP:24576:ixFFs6+KpPyDxdLLSWyYPIIgQFTYF3OpSECtOaMgpoCAMBc6sSl:We1eQFTYlOpaOa9poCAMCSl
                                              MD5:2E5B111EFF60D137E53F1EEB07554733
                                              SHA1:89C4065A2B4DCF13F46AEF59C1E92EC29B296E70
                                              SHA-256:5FF8CB31407E1BC4548B62DFE09F49472349A5EAE34DB620B9B01BAAB14EBA85
                                              SHA-512:BB511C43D07994C3AF0E02E62412CC358F8FA0210531BA42A876B885A116D49D193AB37E7801F63972C1E77D52BEB79E8791219BB983247F444CD0A462822C06
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 4%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):340480
                                              Entropy (8bit):6.508905342502536
                                              Encrypted:false
                                              SSDEEP:6144:Mq1YxCwk2fIyuFGmSmAssekaps/vN+wlBjpRcow4uS+9gy/H5eSC0lzYmJaGFVtt:M5xCw1fIyuFumAshTpAvN+wzjpRcow4Y
                                              MD5:92C1A614BF55C3C8FAAC7F7FE85A96AE
                                              SHA1:E382A3B7BE562E6ACCA93616039AD323AAF82EF9
                                              SHA-256:2EB21FC0F30CAF74D13F1BAE433C985137ECF9A8A2676C5D48E0CA0BDA06ED1A
                                              SHA-512:35453DF16FC6176D9E553955D98135881B57454EFE2E1F40E1472D1C0BBFBAD523B30AD417B20177B95E63EB46B99D1EAED57DFBF42E2B187BF39CFB2E3CC2AC
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):101921
                                              Entropy (8bit):6.648341410430738
                                              Encrypted:false
                                              SSDEEP:1536:9pgpHzb9dZVX9fHMvG0D3XJEriRg42KO2S9lc1tXuH8qXBCdG9jWY1sx:PgXdZt9P6D3XJEDH2Vp3qXgdwjWY1sx
                                              MD5:BDDE432A4AD428A31E3D503A4D1BCF1F
                                              SHA1:C261456C28EE8F2DFD7CDAC5CB267DF6115CA8EA
                                              SHA-256:4765A2DF178A54447E7CF90A0DE83127608D533EC682C173027BCA7C1E4F3737
                                              SHA-512:87FA540160B8D26B1895499FF519D920E8E0215A75B8C4A3AD5EB241B0BDD64E60A544A09A3DF80E7985E078D653FE357E83FC8A85BADE42963CA0D7EF8B1729
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):995360
                                              Entropy (8bit):6.258321825115797
                                              Encrypted:false
                                              SSDEEP:12288:wJDbToOxDHxhENEoHsgYHqN5T0UaPjX7/EsHDjT/vrCTgihEjtHrpRFAgM9vsuFf:6oID49taEsHPT/vr6EjRrTFAgMl7Ff3
                                              MD5:407AF4205D186FE953781B6F9C576981
                                              SHA1:BE40E6F508005DA45935D6FC13A726EDBB573DF7
                                              SHA-256:C924E844C5191588B323F950EDE3B9FAC89DADA3A0F749FA89F80AF4477690C4
                                              SHA-512:4A60CE4DFEE44A4D19372555A2C7EC71EBD656DE2083697E9C68FD790D4C4FB59CFACBB54937A4798F21C3B94C04E946587D477407FED2CF3DAF8716A6A4835A
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):439840
                                              Entropy (8bit):5.004336104184789
                                              Encrypted:false
                                              SSDEEP:3072:/O8gdCK2+HoKFoDpUr+xpdglOBXl32d0iH3yRu2OSqavmzxYmqIp:2TW4kpmlOBXl32GiHiRUSXAvq+
                                              MD5:86CAB8C031145CC0F267F8365D7DE012
                                              SHA1:6CAABE3659FCA76903A74ED54BB3CAF70E28C43E
                                              SHA-256:9664F93E2B50615FFE5A5C49525F0C04525CB18B0DCC03974E38F328DA14F8BF
                                              SHA-512:D4822E8B0FAA6002BA22E8F1B531BAEED876CAEA0C80F9AF56F0C49343D8D99C08A70BF1B39BB96A478C04CAA933290A5F0B81B08E17B60C2FF3CDC20725EBF5
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):73690
                                              Entropy (8bit):4.500452553488922
                                              Encrypted:false
                                              SSDEEP:384:iS8+s3wQpN4d9SFTfqqaCF+uufNFfNt8ZjQttRQrPlxQmt0Bi/1YkBGgoFj7Lwo6:eS9WRSAQP9Rs9
                                              MD5:F60B67A8BD0F3D6E6B659E43623AABC5
                                              SHA1:D9A5CE765356E3B3D5C5056D71306F74BF6DA1AD
                                              SHA-256:E02DA44E7292FFA55A30CFB2E3DEB925ECB0898CF712AFB8085A0B2F08765F4D
                                              SHA-512:8130A3DA094B78C112FB598BF55AF0650EE8B9B93195F8474C35005BC2F41B2429B2E1ADF11E4EC8B8EDA14491FEE14EED2725004DB8E06277A49F0C17A786B6
                                              Malicious:false
                                              Preview:***************************************************************************..Silver Bullet Technology, Inc. Silver Bullet Confidential.... Ranger Core - Release Notice .. ..Version: 4.2.18.0 January 14, 2015..***************************************************************************..1. PURPOSE OF THIS RELEASE.... + Maintenance Release....2. INSTALLATION INSTRUCTIONS.... After stopping all Ranger-based applications and web browsers, .. run the Ranger installation program.....3. NEW FEATURES AND ENHANCEMENTS.... + Digital Signature checking updated.....4. PROBLEMS ADDRESSED WITH THIS RELEASE.. .. + None....5. KNOW ISSUES WITH THIS RELEASE.. .. + None..***************************************************************************..Silver Bullet Technology, Inc. Silver Bullet Confidential.... Ranger Core - Release Notice ..
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):211488
                                              Entropy (8bit):6.490036442499628
                                              Encrypted:false
                                              SSDEEP:6144:wF3FH+2UHzb4tB9hzWY27r6THGt9vAxnyGUcOfvsP2Z2:wFBHXz92yjkTGUo28
                                              MD5:BEE788261448F4F48BA967A759D591DD
                                              SHA1:6B8A0DD7E83BA8BE4341DC12EAECD11FC8B86D35
                                              SHA-256:CA8CAEEA226144779EB405B0D0B2291125C017C849882058BA34CEC1843C9EFD
                                              SHA-512:7F51F3AEB2E09E8BDBFA224A8E3A5A96B6EA03A0DA9E57B50E3134E6AC2421472F2AB96938F85AAF18DF5067CC3C000E15FED12258213510428B52A889B4EEED
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):21297
                                              Entropy (8bit):4.696568769707984
                                              Encrypted:false
                                              SSDEEP:96:22k4eP5d8CA2P4ePl6NzCe2nePgoCe2WePwCx2SePeCe2KePc/Ce2fePWCe2kePE:cd806b/onQcnLij/p4rtw9ofCulpGv5
                                              MD5:807BDA9B728BAEA33292383506CB1BA1
                                              SHA1:38CE071E5EB4F94FBB8A96039A67A6A71CF1048C
                                              SHA-256:E76EF6CE6A0491588B8F173CF4825A7AFDC759326557D40E07A5C0E4433F61C4
                                              SHA-512:D64F1EE0E135503E16BFE9A057C1B8574D18F5F434527756280E1ECBE0837455EB2CDC70C433D19C5F9A3EA8FAD020E15071920568A009984778B40E7F7D53AA
                                              Malicious:false
                                              Preview:***************************************************************************..Silver Bullet Technology, Inc. Silver Bullet Confidential.... Digital Check TS/CX/BX Series Ranger Plug-in.. Release Notice ......Version: 1.3.1.0 January 14, 2015..***************************************************************************..IQA Version 1.4.0..DCC API 12.11..DCC Driver version 11.07....1. PURPOSE OF THIS RELEASE.... + Maintenance release.....2. INSTALLATION INSTRUCTIONS.... After stopping all Ranger-based applications and web browsers, .. run the Plug-in installation program.....3. NEW FEATURES AND ENHANCEMENTS.. .. + None ....4. PROBLEMS ADDRESSED WITH THIS RELEASE.. .. + Corrected a Color Tiff image issue.....5. KNOW ISSUES WITH THIS RELEASE.... + Remove all previous Digital Check drivers before running installation...*********************************************************
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1202023
                                              Entropy (8bit):7.985938532773839
                                              Encrypted:false
                                              SSDEEP:24576:ynaqDyWn9adRbhZZBpNAjz6OMYfjx8t69PwFbUlK3g4iTQZaxdpg8+6dk:yaqTsJpNAjzJN8t6KmAgfe8ddk
                                              MD5:8C66A75D40D8C12F3AF108AA2E0DA538
                                              SHA1:92D3CEB5C5CD555EC3BC744177EB594EF0702E3B
                                              SHA-256:17DEAC7994692EBAD200083C7DC133B4B3FAE9A748C7CA8F19356E8B6BE504F9
                                              SHA-512:92AE7D9ABE04AB852A14DD9668A7D316EE62AD399D86F40F1B5C7091C338631D418C2D6533520B0B00B9B9BE5C08C99624FADFDF3B067BA729CFAEF85CC50F97
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 2%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):98917
                                              Entropy (8bit):6.5853448388914595
                                              Encrypted:false
                                              SSDEEP:3072:mgXdZt9P6D3XJUDH2Vp3qXY5A0LjWY1sX:me34eqVp3qX90mYSX
                                              MD5:A0F968EF32C01ADFAA225DA81B344EEF
                                              SHA1:D5B0352142C3ADE04C6A2FAFF7F5C15997188124
                                              SHA-256:59B778E1453C20114FD0B0B837DE74667FDE470AD2D5319FB155D9976BBEF004
                                              SHA-512:86246D49E9FEAF019499242004112B74775DD9F6100406CB2A5CB9DC69949C0150213FB3F8732C03A9E47E24A9FCD8D716C37651F459DF65BEA802B72EFEEEAD
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):2560
                                              Entropy (8bit):4.2283678787607295
                                              Encrypted:false
                                              SSDEEP:48:66bWtyVlQ/axF1W2qSpNt2sxlilzZUCSC1:temlQ/axF1I6RzilNUCt1
                                              MD5:35E9095A4A7E58AD4A5F0F5491DAB1B8
                                              SHA1:A2AE6CDD78C5D9A2CC6161488A3F30B7BCC05B12
                                              SHA-256:336679C72CC0C214F387E5755D4E1B930EDD4EDFFCBC934FEE69301634F34D15
                                              SHA-512:89E9ABEE4165663C9A19C879E8EBFC1C01983267F931A3E7BBAE2F335D4F1C7A817799FF0B30071FCE536377914F1A77475E72AC812A928C08B5BEAFBF3ED13E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:MS Windows 95 Internet shortcut text (URL=<http://www.sbullet.com>), ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):48
                                              Entropy (8bit):4.519102928664277
                                              Encrypted:false
                                              SSDEEP:3:HRAbABGQYm/0S41H6vn:HRYFVm/r4gv
                                              MD5:CE8808C8921B719013BC1B9EAD11B0E1
                                              SHA1:2C39759B1C9BD4CDD739337C3C5901263DEAF441
                                              SHA-256:A26CE9B15A1077AF3C79A68DA1872FC8BF409957C2063ED447FB572336D90919
                                              SHA-512:9DFA3E71865EB1D4FF48537C563761E8F9C795F81C1CBC04609711680C5F3C3E44EB70DB3ED54ECA78EDF7B591B846044A35A3A7AA8AECB392EE9E94EEF34FCC
                                              Malicious:false
                                              Preview:[InternetShortcut]..URL=http://www.sbullet.com..
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):935480
                                              Entropy (8bit):5.755206277882018
                                              Encrypted:false
                                              SSDEEP:6144:vJQu49F5tc5Y8HWJffsLr+kHqwLOyfld9lYBT15sS9oQHfSgtoqbc/XFBLPjVkHe:xCjcdHEffoqKFBS+QXtzcHLPh2eJ
                                              MD5:E90140FF5F5FF7521EA52F94BEC29F8C
                                              SHA1:A3AAF4D6705984D2F0B97D277766EBC82A26011F
                                              SHA-256:0E25AFC6F2C17E08AFC91F7717B3669CB4DE6F77DD62B78674B09E0D59E4AA3C
                                              SHA-512:F644E4C22BE81AEDDF380EC8B550C3774A6C8678B9AD4CB210235AE440BD9F1E16DF84832BABAC21672B69A57EBD779BBFB562DD6158F91CC48367EF3E383A3E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):146
                                              Entropy (8bit):4.915542858529481
                                              Encrypted:false
                                              SSDEEP:3:vFWWMNHUzlsyb/Zu7fWOGPNv4QGJGTybK0j/1DQJcEDNv4vD5RAKKQIy:TMV0a7f/GVv4Qu3LVQJc4v4b5RARG
                                              MD5:5F993CD9A8F04E14AF2488ACC1B47BDD
                                              SHA1:FC31C678B0C0C2FFA18B4FF52799BCBD7716D996
                                              SHA-256:9907BE6D7FD79596A6DD82D1903FBD3A85ABBE118078ED6580B91A071D496DE0
                                              SHA-512:CEBA58BB58256A0B17E5DF9CD09E3027B06224C593693962ECFAB2B3E1E753BB655E7A2CD966C384485DF3516F105EF1E9C994101C6E88A5A0D67E047613AD3F
                                              Malicious:false
                                              Preview:<?xml version="1.0"?>..<dpInst>...<enableNotListedLanguages/>...<forceIfDriverIsNotBetter/>...<suppressEulaPage/>...<suppressWizard/>..</dpInst>..
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:Windows setup INFormation
                                              Category:dropped
                                              Size (bytes):26572
                                              Entropy (8bit):5.052674341978774
                                              Encrypted:false
                                              SSDEEP:768:XmFU4ImNXYZi7ZrMmFU4ImNXYZi7ZrAmFU4ImNXYZi7ZrO9:4xlZHxlZbxlZQ
                                              MD5:9BCA4F18DBF056BB928AACA8507198E8
                                              SHA1:1BCFCB58CAD0C622A504194B76156A833DE92C31
                                              SHA-256:619077F0035460737B47205E3F5DAE04EA4402B9EEEBD5BF5BEF47B067271398
                                              SHA-512:8656ABCBC6E638BBEFB0AC9A2D8C3B38EC697782E77F26F97196975D9D72CDFE6C12F883E1180160E0922CE7D36718193820EE581CE2695810B10324FF002A9A
                                              Malicious:false
                                              Preview:; Installation inf for DCC Teller Scanners..;..; (c) Copyright 2007 Digital Check Corporation..;..; 64-bit driver..; 2010-03-09, J.Fred, added CopyFiles for TSUSB2_TS.Dev. Added expansion PIDs.....[Version]..Signature="$Windows NT$"..Class=USB..ClassGUID={36FC9E60-C465-11CF-8056-444553540000}..provider=%DCC%..DriverVer=04/01/2010,2.0.0.0..CatalogFile=TsUsb2_x64.cat....[SourceDisksNames]..1=%Disk_Description%,,,....[SourceDisksFiles]..TsUsb2.sys = 1....[Manufacturer]..%MfgName%=TellerScan, NTx86, NTia64, NTamd64....; Keep these three in-sync: TellerScan.NTx86, TellerScan.NTia64 and TellerScan.NTamd64..[TellerScan.NTx86]..;------------------..; PCB/loader IDs.....;------------------..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0008 ; TS220..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0016 ; TS230 EDO..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0017 ; ES230 SD..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0018 ; CX30..; reserved for HTL Device 00
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:PE32+ executable (native) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):53760
                                              Entropy (8bit):6.239294014916115
                                              Encrypted:false
                                              SSDEEP:768:WJMRr2/jozwW9CPkj//3gYGNZGyIbkHxumE5SjxIVEk3li1fCQhNjRhs/yVuicvz:WWRrkQt2O7mj0yQ3IaTJ
                                              MD5:D346647292F014BB769B018685177FDC
                                              SHA1:09371366C65EA5502108C397483BA4BE3AB20C83
                                              SHA-256:E08A39970ABE15F011D20AA903F98B8F9F51392987B51FECF1544900FD9FA36F
                                              SHA-512:53C61E91064AB7C7D130018EF02DCCA16B3CEF1882E5238E7AB0FB2C64C49CF8D2C6601631053F70DED2C9D2BFCBAB28690732489950B447D02EF85584075C5F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):146
                                              Entropy (8bit):4.915542858529481
                                              Encrypted:false
                                              SSDEEP:3:vFWWMNHUzlsyb/Zu7fWOGPNv4QGJGTybK0j/1DQJcEDNv4vD5RAKKQIy:TMV0a7f/GVv4Qu3LVQJc4v4b5RARG
                                              MD5:5F993CD9A8F04E14AF2488ACC1B47BDD
                                              SHA1:FC31C678B0C0C2FFA18B4FF52799BCBD7716D996
                                              SHA-256:9907BE6D7FD79596A6DD82D1903FBD3A85ABBE118078ED6580B91A071D496DE0
                                              SHA-512:CEBA58BB58256A0B17E5DF9CD09E3027B06224C593693962ECFAB2B3E1E753BB655E7A2CD966C384485DF3516F105EF1E9C994101C6E88A5A0D67E047613AD3F
                                              Malicious:false
                                              Preview:<?xml version="1.0"?>..<dpInst>...<enableNotListedLanguages/>...<forceIfDriverIsNotBetter/>...<suppressEulaPage/>...<suppressWizard/>..</dpInst>..
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):18208
                                              Entropy (8bit):5.811418287870366
                                              Encrypted:false
                                              SSDEEP:384:MWZXksEk08ETDrDNLBLFOL/7nDfDnrHjXHUX4yQ0nTds:MWZXksEk08ETDrDNLBLFOL/7nDfDnrHR
                                              MD5:239F070ACDE2550A3F001B7146A5A5FA
                                              SHA1:EFC1A6BB213DA4CA3341D906DF80B50B962265AB
                                              SHA-256:34177A54958D7B6083C3668928C58ED968076E245EFAB4E90011EA08F1294166
                                              SHA-512:2ED00E2D74F929EC46D6289535730889853FD91D75FA0BC01CB1C741B53A2F1F2B6E41C5AF5E1B654C104973BC348DA0686E0AC0B64AD1791AEED4EDFAF757A7
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:PE32+ executable (native) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):53760
                                              Entropy (8bit):6.239294014916115
                                              Encrypted:false
                                              SSDEEP:768:WJMRr2/jozwW9CPkj//3gYGNZGyIbkHxumE5SjxIVEk3li1fCQhNjRhs/yVuicvz:WWRrkQt2O7mj0yQ3IaTJ
                                              MD5:D346647292F014BB769B018685177FDC
                                              SHA1:09371366C65EA5502108C397483BA4BE3AB20C83
                                              SHA-256:E08A39970ABE15F011D20AA903F98B8F9F51392987B51FECF1544900FD9FA36F
                                              SHA-512:53C61E91064AB7C7D130018EF02DCCA16B3CEF1882E5238E7AB0FB2C64C49CF8D2C6601631053F70DED2C9D2BFCBAB28690732489950B447D02EF85584075C5F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):935480
                                              Entropy (8bit):5.755206277882018
                                              Encrypted:false
                                              SSDEEP:6144:vJQu49F5tc5Y8HWJffsLr+kHqwLOyfld9lYBT15sS9oQHfSgtoqbc/XFBLPjVkHe:xCjcdHEffoqKFBS+QXtzcHLPh2eJ
                                              MD5:E90140FF5F5FF7521EA52F94BEC29F8C
                                              SHA1:A3AAF4D6705984D2F0B97D277766EBC82A26011F
                                              SHA-256:0E25AFC6F2C17E08AFC91F7717B3669CB4DE6F77DD62B78674B09E0D59E4AA3C
                                              SHA-512:F644E4C22BE81AEDDF380EC8B550C3774A6C8678B9AD4CB210235AE440BD9F1E16DF84832BABAC21672B69A57EBD779BBFB562DD6158F91CC48367EF3E383A3E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:Windows setup INFormation
                                              Category:dropped
                                              Size (bytes):26572
                                              Entropy (8bit):5.052674341978774
                                              Encrypted:false
                                              SSDEEP:768:XmFU4ImNXYZi7ZrMmFU4ImNXYZi7ZrAmFU4ImNXYZi7ZrO9:4xlZHxlZbxlZQ
                                              MD5:9BCA4F18DBF056BB928AACA8507198E8
                                              SHA1:1BCFCB58CAD0C622A504194B76156A833DE92C31
                                              SHA-256:619077F0035460737B47205E3F5DAE04EA4402B9EEEBD5BF5BEF47B067271398
                                              SHA-512:8656ABCBC6E638BBEFB0AC9A2D8C3B38EC697782E77F26F97196975D9D72CDFE6C12F883E1180160E0922CE7D36718193820EE581CE2695810B10324FF002A9A
                                              Malicious:false
                                              Preview:; Installation inf for DCC Teller Scanners..;..; (c) Copyright 2007 Digital Check Corporation..;..; 64-bit driver..; 2010-03-09, J.Fred, added CopyFiles for TSUSB2_TS.Dev. Added expansion PIDs.....[Version]..Signature="$Windows NT$"..Class=USB..ClassGUID={36FC9E60-C465-11CF-8056-444553540000}..provider=%DCC%..DriverVer=04/01/2010,2.0.0.0..CatalogFile=TsUsb2_x64.cat....[SourceDisksNames]..1=%Disk_Description%,,,....[SourceDisksFiles]..TsUsb2.sys = 1....[Manufacturer]..%MfgName%=TellerScan, NTx86, NTia64, NTamd64....; Keep these three in-sync: TellerScan.NTx86, TellerScan.NTia64 and TellerScan.NTamd64..[TellerScan.NTx86]..;------------------..; PCB/loader IDs.....;------------------..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0008 ; TS220..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0016 ; TS230 EDO..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0017 ; ES230 SD..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0018 ; CX30..; reserved for HTL Device 00
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):18208
                                              Entropy (8bit):5.811418287870366
                                              Encrypted:false
                                              SSDEEP:384:MWZXksEk08ETDrDNLBLFOL/7nDfDnrHjXHUX4yQ0nTds:MWZXksEk08ETDrDNLBLFOL/7nDfDnrHR
                                              MD5:239F070ACDE2550A3F001B7146A5A5FA
                                              SHA1:EFC1A6BB213DA4CA3341D906DF80B50B962265AB
                                              SHA-256:34177A54958D7B6083C3668928C58ED968076E245EFAB4E90011EA08F1294166
                                              SHA-512:2ED00E2D74F929EC46D6289535730889853FD91D75FA0BC01CB1C741B53A2F1F2B6E41C5AF5E1B654C104973BC348DA0686E0AC0B64AD1791AEED4EDFAF757A7
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:MS Windows icon resource - 4 icons, 16x15, 24 bits/pixel, 32x29, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):17741
                                              Entropy (8bit):6.94879550948492
                                              Encrypted:false
                                              SSDEEP:384:M08OK+mZUlm7Rl9f2qpAvhvTfWfqYjIr/8BEB5df+acLSQCqpB2Ul5AmAPcOR2CC:Bi+maU7Rl9f2aAvhvTfWfqYjIrEyB5dY
                                              MD5:9F764A38CB5BD5CD426629BF1E5E392C
                                              SHA1:AF73927C1C41EA7440056EE685020C4C9A333599
                                              SHA-256:2B3EF38E26FC154263828E4F0DF2CA4E7C1CD667E51ED3DDE82AD7F3763286DB
                                              SHA-512:1C8AECCCFC101FAD94C1D6B86AE597D0DA29DFAB8510C38EAFEEB417D1055F37396AAC2E6B5859C9340C86488035D0B7AB10079060945421D51B662B148CCD04
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):55808
                                              Entropy (8bit):4.916379698656311
                                              Encrypted:false
                                              SSDEEP:768:xgEuhGUsQ9Z7lVQpjagwpKsQt2IJU1evxHs4gZWk:+1/9ZisQtBU4xHeW
                                              MD5:C4B470269324517EE838789C7CF5E606
                                              SHA1:7005597D55FB26C6260E0772F301C79F030E6D56
                                              SHA-256:5F9B898315AD8192E87E21A499FD87D31B886513BB39D368476174AAA89A2BF9
                                              SHA-512:DBADCA544434A847238BF107E59AA84BF8DF9DF899D0C2DA2EE62CC28E12D175A81D4E4E0F85D7C394323BF66FB4AC0F413C949700ECDEC9A73ED5CF9340AEBB
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:MS Windows icon resource - 4 icons, 16x15, 24 bits/pixel, 32x29, 24 bits/pixel
                                              Category:dropped
                                              Size (bytes):17741
                                              Entropy (8bit):6.94879550948492
                                              Encrypted:false
                                              SSDEEP:384:M08OK+mZUlm7Rl9f2qpAvhvTfWfqYjIr/8BEB5df+acLSQCqpB2Ul5AmAPcOR2CC:Bi+maU7Rl9f2aAvhvTfWfqYjIrEyB5dY
                                              MD5:9F764A38CB5BD5CD426629BF1E5E392C
                                              SHA1:AF73927C1C41EA7440056EE685020C4C9A333599
                                              SHA-256:2B3EF38E26FC154263828E4F0DF2CA4E7C1CD667E51ED3DDE82AD7F3763286DB
                                              SHA-512:1C8AECCCFC101FAD94C1D6B86AE597D0DA29DFAB8510C38EAFEEB417D1055F37396AAC2E6B5859C9340C86488035D0B7AB10079060945421D51B662B148CCD04
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):55808
                                              Entropy (8bit):4.916379698656311
                                              Encrypted:false
                                              SSDEEP:768:xgEuhGUsQ9Z7lVQpjagwpKsQt2IJU1evxHs4gZWk:+1/9ZisQtBU4xHeW
                                              MD5:C4B470269324517EE838789C7CF5E606
                                              SHA1:7005597D55FB26C6260E0772F301C79F030E6D56
                                              SHA-256:5F9B898315AD8192E87E21A499FD87D31B886513BB39D368476174AAA89A2BF9
                                              SHA-512:DBADCA544434A847238BF107E59AA84BF8DF9DF899D0C2DA2EE62CC28E12D175A81D4E4E0F85D7C394323BF66FB4AC0F413C949700ECDEC9A73ED5CF9340AEBB
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):727838
                                              Entropy (8bit):6.553559615177615
                                              Encrypted:false
                                              SSDEEP:12288:hRObekMtkfohrPUs37uzHnA6zgpKq35eERXprNrHIR3+j1vGgZOsMEDEx9Qa:bObekYkfohrP337uzHnA6cgqpeEFHR9A
                                              MD5:ED6C91834F74FCFF7676E1055C391323
                                              SHA1:56044105AB95A572D254D9CF74E1B33DB9EBB0C8
                                              SHA-256:E13146A54874085036B88F0580703938FCC665AECF02CCF00919980DC07C133D
                                              SHA-512:C36F07842ED8038A00A19823097E39CD457C8EC7A1C3AB76CE1F649DDD35A00E3113DC72C415673B94FA3D2795295A54BEEDB53B9D2810308BB993F472BF6558
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 4%
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:InnoSetup Log 64-bit TellerScan 32-bit and 64-bit Combined Driver {29E98AE7-A193-40A1-BF4A-5B84B435E2DB}, version 0x30, 4335 bytes, 066656\user, "C:\Program Files\TellerScan\Drivers"
                                              Category:dropped
                                              Size (bytes):4335
                                              Entropy (8bit):5.201608822646016
                                              Encrypted:false
                                              SSDEEP:96:YPt7t1fxvTxvn+97ICSss/L3jmQPK8R8WOPorHq8b8Zx6:YPX/vlvMICSsAXRrHqPQ
                                              MD5:7FF04E0C15C4FC3BAFDE8F88A8A7A42B
                                              SHA1:867B7AE2059CBB675365D31987494DBD92ED9922
                                              SHA-256:203ADC890CB1CCE10EF9A0615D53C10ACD849DCF8D780820D3E8867BA377663C
                                              SHA-512:0415FC161F97B4C7DCF0F72A456BC22C811E418CCDF09CA39541D79260F3FBE81F4FA5ABA6B4A9A645E3A7D156E24ACE4F2EF107C7A1690A3121495A12675184
                                              Malicious:false
                                              Preview:Inno Setup Uninstall Log (b) 64-bit.............................{29E98AE7-A193-40A1-BF4A-5B84B435E2DB}..........................................................................................TellerScan 32-bit and 64-bit Combined Driver....................................................................................0...........%................................................................................................................J~.#.......~q=.......E....066656.user#C:\Program Files\TellerScan\Drivers...........'. .H.. .....|....2.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TNEWSTATICTEXT....TNEWSTATICTEXT...........................!MAIN....-1.............CURPAGECHANGED....-1 @10..REGKEYEXISTS.........WIZARDFORM......."...class:TWIZARDFORM|STATUSLABEL|......"...class:TNEWSTATICTEXT|CAPTION@|......EXEC.............EXPANDCONSTANT.........../.......CU
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):727838
                                              Entropy (8bit):6.553559615177615
                                              Encrypted:false
                                              SSDEEP:12288:hRObekMtkfohrPUs37uzHnA6zgpKq35eERXprNrHIR3+j1vGgZOsMEDEx9Qa:bObekYkfohrP337uzHnA6cgqpeEFHR9A
                                              MD5:ED6C91834F74FCFF7676E1055C391323
                                              SHA1:56044105AB95A572D254D9CF74E1B33DB9EBB0C8
                                              SHA-256:E13146A54874085036B88F0580703938FCC665AECF02CCF00919980DC07C133D
                                              SHA-512:C36F07842ED8038A00A19823097E39CD457C8EC7A1C3AB76CE1F649DDD35A00E3113DC72C415673B94FA3D2795295A54BEEDB53B9D2810308BB993F472BF6558
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 4%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Aug 30 20:39:28 2023, mtime=Wed Aug 30 20:39:28 2023, atime=Wed Aug 30 20:39:28 2023, length=101921, window=hide
                                              Category:dropped
                                              Size (bytes):1371
                                              Entropy (8bit):4.6364569424822415
                                              Encrypted:false
                                              SSDEEP:24:8mlCQdOEIhcLxEBJATdqduPmduMUUp9n59TabwMb1m2:8mlVdOriEBKTdqd+mdkwa0M5
                                              MD5:DEA203A1EA4B5789B036DC54B542227B
                                              SHA1:89AFCD7C26D150F15A8E31F5FB518E2079F74000
                                              SHA-256:E8038DA3D5756A8BC654B6379FC9131F75DB8FA1E1532CE296222013971BB6AF
                                              SHA-512:92DEF9815C2EF32A0D76380DAE2C08516A8914F39FA36CF98BECEB999D22BFC40BABA1B653E7368A3F9D21DF2015D13E95549E6CB4F58329A39A83DD76156E00
                                              Malicious:false
                                              Preview:L..................F.... ...tB.s.......s.......s....!............................P.O. .:i.....+00.../C:\.....................1......W...PROGRA~2.........sN.&.W.....^...............V.....km..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1......W...SILVER~1..b.......W..W......a.....................F..S.i.l.v.e.r. .B.u.l.l.e.t. .T.e.c.h.n.o.l.o.g.y.....T.1......W...Ranger..>.......W..W......a.....................R..R.a.n.g.e.r.....v.2.!....W. .RANGER~1.EXE..Z.......W..W.....3b........................R.a.n.g.e.r. .U.n.i.n.s.t.a.l.l...e.x.e.......z...............-.......y.............&c.....C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Uninstall.exe..].....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.i.l.v.e.r. .B.u.l.l.e.t. .T.e.c.h.n.o.l.o.g.y.\.R.a.n.g.e.r.\.R.a.n.g.e.r. .U.n.i.n.s.t.a.l.l...e.x.e.6.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.i.l.v.e.r. .B.u.l.l.e.t. .T.e.c.h.n.o.l
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Jan 14 17:55:42 2015, mtime=Wed Aug 30 20:39:27 2023, atime=Wed Jan 14 17:55:42 2015, length=904208, window=hide
                                              Category:dropped
                                              Size (bytes):1444
                                              Entropy (8bit):4.585368839104796
                                              Encrypted:false
                                              SSDEEP:24:8mJbZkCQdOEIhMKMxHAKseQAkdFzdu9dudUUbnrTabwMb1m2:8mhZkVdOrWH7nkdFdkdLwa0M5
                                              MD5:3C2655057B30E0D05806AA9653536494
                                              SHA1:23CB2323B303F40ED9515F8E260A477E56490C2F
                                              SHA-256:1F3CE9D464C3F320D9B300FB90CA59AA4885CBCAD980F4562EDD97ABD7511092
                                              SHA-512:149FED8666060311916996287CDFB3920DF4FFCCD52D887F0CBE2578E02FC3BF082F53BFD8FAD98D1E1AF8F6930D094F07E9D36E6F8372393B4DEC9945BF0240
                                              Malicious:false
                                              Preview:L..................F.... ....K.+0..D..s.....K.+0..........................M....P.O. .:i.....+00.../C:\.....................1......W...PROGRA~2.........sN.&.W.....^...............V.....km..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1......W...SILVER~1..b.......W..W......a.....................F..S.i.l.v.e.r. .B.u.l.l.e.t. .T.e.c.h.n.o.l.o.g.y.....T.1......W...Ranger..>.......W..W......a.....................Zp.R.a.n.g.e.r.....N.1......W...Flex..:.......W..W......a.....................P..F.l.e.x.....j.2......F.. .RANGER~1.EXE..N.......F...W......a........................R.a.n.g.e.r.F.l.e.x...e.x.e.......y...............-.......x.............&c.....C:\Program Files (x86)\Silver Bullet Technology\Ranger\Flex\RangerFlex.exe..\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.i.l.v.e.r. .B.u.l.l.e.t. .T.e.c.h.n.o.l.o.g.y.\.R.a.n.g.e.r.\.F.l.e.x.\.R.a.n.g.e.r.F.l.e.x...e.x.e.;.C.:.\.P.r.o.g.r.a.m. .F.
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Aug 30 20:39:44 2023, mtime=Wed Aug 30 20:39:44 2023, atime=Wed Aug 30 20:39:44 2023, length=98917, window=hide
                                              Category:dropped
                                              Size (bytes):1835
                                              Entropy (8bit):4.562983060116448
                                              Encrypted:false
                                              SSDEEP:48:8mIVdOrimn5lnzi/1FdRIrd9Gl2h8rCyWGl1Ia0M5:8m9LLzURReGl2hWCjGl1InM
                                              MD5:E5A3F9F2BF4F7856C2E2AC49A8E7C9D0
                                              SHA1:29B5A95F0CB5E7B3985082617C1108A3260B1B1D
                                              SHA-256:350551D1B981DDCDA8BBB0C36AA84B791D29690E92806282CA2F836DA1443D1E
                                              SHA-512:E9747A56A17B5FF6BCE14FAD3269A48182E66544298AFD5C2A0364F5EBE15E4ECD65CD853CAFC4D84567FE486335D243E8037E30915B1B1F890B9ED437FFFFBF
                                              Malicious:false
                                              Preview:L..................F.... ...F..}....7..}....7..}....e............................P.O. .:i.....+00.../C:\.....................1......W...PROGRA~2.........sN.&.W.....^...............V.....km..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1......W...SILVER~1..b.......W..W......a.....................F..S.i.l.v.e.r. .B.u.l.l.e.t. .T.e.c.h.n.o.l.o.g.y.....T.1......W...Ranger..>.......W..W......a.....................R..R.a.n.g.e.r.....j.1......W...SCANNE~1..R.......W..W......a....................dV..S.c.a.n.n.e.r. .P.l.u.g.-.i.n.s.....t.1......W....DIGITA~1..\.......W..W......Ub.....................[..D.i.g.i.t.a.l.C.h.e.c.k.-.T.S.S.e.r.i.e.s.....l.2.e....W.. .UNINST~1.EXE..P.......W...W......rb.....................p..U.n.i.n.s.t.a.l.l.e.r...e.x.e.......................-.....................&c.....C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Uninstaller.exe........\.....\.....\.....\.....\
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Jan 14 13:59:10 2015, mtime=Wed Aug 30 20:39:27 2023, atime=Wed Jan 14 13:59:10 2015, length=46592, window=hide
                                              Category:dropped
                                              Size (bytes):1544
                                              Entropy (8bit):4.5608457785188055
                                              Encrypted:false
                                              SSDEEP:24:8mmVCQdOEIhMKMxX2XmeyASdF2KttsduWx/jCylRUUJ9nZ9TabwMb1m2:8mmVVdOrWom2SdFjudfrCyAwa0M5
                                              MD5:520B47A0D31E57A47EEDD1C3E046DAAC
                                              SHA1:1EF835C6A2BF3C8A66B821B72E1E4BBD8B787932
                                              SHA-256:C67A60C0367891B0A01EF749CE58711CDF9032E05782884836BE21C0CA7927D3
                                              SHA-512:0119701CC6D520B3C19BCAF48FE7B5491885A9E57AE08CEC80668D534F859654540660D8DFB6EBB5AADB053CAF98F9F46EAFA6E4D07F0E7E04D1C50D82DCA39A
                                              Malicious:false
                                              Preview:L..................F.... .......0...:.s........0..........................[....P.O. .:i.....+00.../C:\.....................1......W...PROGRA~2.........sN.&.W.....^...............V.....km..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1......W...SILVER~1..b.......W..W......a.....................F..S.i.l.v.e.r. .B.u.l.l.e.t. .T.e.c.h.n.o.l.o.g.y.....T.1......W...Ranger..>.......W..W......a.....................Zp.R.a.n.g.e.r.....V.1......W...Logging.@.......W..W......a....................;PG.L.o.g.g.i.n.g.....p.2......Few .LOGPRE~1.EXE..T.......Few.W......a........................L.o.g.P.r.e.f.E.d.i.t.o.r...e.x.e.......................-.......~.............&c.....C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\LogPrefEditor.exe..e.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.i.l.v.e.r. .B.u.l.l.e.t. .T.e.c.h.n.o.l.o.g.y.\.R.a.n.g.e.r.\.L.o.g.g.i.n.g.\.L.o.g.P.r.e.f.E.d.i.t.
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Jan 14 13:59:10 2015, mtime=Wed Aug 30 20:39:27 2023, atime=Wed Jan 14 13:59:10 2015, length=1788928, window=hide
                                              Category:dropped
                                              Size (bytes):1529
                                              Entropy (8bit):4.584924674437464
                                              Encrypted:false
                                              SSDEEP:24:8m4OCQdOEIhMKMxX2XgPKWAldF6OduEx/jCylRUURnhTabwMb1m2:8m4OVdOrWoSMldF9dprCyAsa0M5
                                              MD5:FD155C9F0D7781AB3E49C40C994A724F
                                              SHA1:35682CA2286142ED8EE837293691EA1C0D7D03C3
                                              SHA-256:70EBA90B1946D71ABD6778455DC48ED47993606424EEFB1817A8C53D392FCD9E
                                              SHA-512:62D20DA25CD5406515906E8F3290BB8BDE22D95B12BEC180A595AE1A82EDCC41F0AFD7572FE7F87AA0EEB6F6A0419334617E837A4F4809B19943A2365B1BEE69
                                              Malicious:false
                                              Preview:L..................F.... .......0....s........0...L......................U....P.O. .:i.....+00.../C:\.....................1......W...PROGRA~2.........sN.&.W.....^...............V.....km..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1......W...SILVER~1..b.......W..W......a.....................F..S.i.l.v.e.r. .B.u.l.l.e.t. .T.e.c.h.n.o.l.o.g.y.....T.1......W...Ranger..>.......W..W......a.....................Zp.R.a.n.g.e.r.....V.1......W...Logging.@.......W..W......a....................;PG.L.o.g.g.i.n.g.....j.2..L...Few .BLOODH~1.EXE..N.......Few.W......a........................B.l.o.o.d.h.o.u.n.d...e.x.e.......|...............-.......{.............&c.....C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\Bloodhound.exe..b.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.i.l.v.e.r. .B.u.l.l.e.t. .T.e.c.h.n.o.l.o.g.y.\.R.a.n.g.e.r.\.L.o.g.g.i.n.g.\.B.l.o.o.d.h.o.u.n.d...e.x.e.Z.C
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Aug 30 20:39:28 2023, mtime=Wed Aug 30 20:39:28 2023, atime=Wed Aug 30 20:39:28 2023, length=48, window=hide
                                              Category:dropped
                                              Size (bytes):1364
                                              Entropy (8bit):4.605651402488578
                                              Encrypted:false
                                              SSDEEP:24:8mhAVCQdOEIhcLxLmAkLd7duS/jCyvVUUtIn9ITabwMb1m2:8mhAVVdOriLd8d7drrCyvWsa0M5
                                              MD5:4B6C4DC4067BBBD68CF7A6F576D9EAFF
                                              SHA1:88221FD37D2A2DD3B5D0B1212DC64FAABB1F40F4
                                              SHA-256:F44A5F3C53D068CF9DC6EE521DE653CEE3AF3AD307FD31C19ECE70EDCF6BD895
                                              SHA-512:048C91A9122954CDF58CDAA535000959187BA4C449C47BAD2B28811F716B7617D8AB597920DA329C66AD3AAE7C60EBD6ABBBD4F9E65A08444BA209C7120CB4B6
                                              Malicious:false
                                              Preview:L..................F.... ...P..s....P..s....P..s....0............................P.O. .:i.....+00.../C:\.....................1......W...PROGRA~2.........sN.&.W.....^...............V.....km..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1......W...SILVER~1..b.......W..W......a.....................F..S.i.l.v.e.r. .B.u.l.l.e.t. .T.e.c.h.n.o.l.o.g.y.....T.1......W...Ranger..>.......W..W......a........................R.a.n.g.e.r.....b.2.0....W. .Website.url.H.......W..W......b........................W.e.b.s.i.t.e...u.r.l.......q...............-.......p.............&c.....C:\Program Files (x86)\Silver Bullet Technology\Ranger\Website.url..Q.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.i.l.v.e.r. .B.u.l.l.e.t. .T.e.c.h.n.o.l.o.g.y.\.R.a.n.g.e.r.\.W.e.b.s.i.t.e...u.r.l.M.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.t.a.r.t. .M.e.n.u.\.P.r.o.g.r.a.m.s.\.S.i.l.v.e.r. .B.u.l.l.e.t. .T.e.c.
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26829
                                              Entropy (8bit):4.926094710648771
                                              Encrypted:false
                                              SSDEEP:192:BOu7MSN3DsvapUCEjosoQdBn0UUAEP0SFzefRTpER+vC4TpUqSp25g0UppRgVC4p:BhbXEjoshdB0FbMMifRvvCmSp25LbVCE
                                              MD5:E9451495C88585AE7FA623FC20204F6B
                                              SHA1:22E7D17D8E3CB2B4A9361D7BAFFDB99085B4D944
                                              SHA-256:D3E9FDF8A454875A91D7464FD1D218DA1C58FF224F2CAE7349F4E39D887C8A36
                                              SHA-512:3496D9591F103BA95331B55E94AD96770B0BC6C89507BE73789AFA18724BA7FE2BCBDFA8062CEEBB61FCB60561085F9E31D742A94051529E7A302108A3B22FE9
                                              Malicious:false
                                              Preview://-------------------------------------------------..// [IQA.General]..//..// General - This section defines high level configuration parameters related ..// to Silver Bullet Technology's Image Quality Assurance (IQA) engine...//..// Boolean variables must be set to "true" to be turned on. ..// - Any value other than "true" is considered "false"...// ..// "EnableIQA": (Boolean "true"/"false", read only)..// If "false", no IQA testing will be done..//..// "DocumentType1": (Text, such as "IQA.DefaultDocType")..// Defines a unique document type. Each document type has its own set of ..// tests and parameters. ..// ..// "DocumentType2"=..// "DocumentTypeN"=..// SBT IQA will stop reading doc types when it encounters a blank or missing ..// DocumentTypeN variable...//..// "ReturnFailureReasons": ("All", "One per image")..// "All" - Return all failure reasons for each test...// "One per image" - For tests that have multiple failure modes, only the ..// first fail
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):20965
                                              Entropy (8bit):4.693537206845658
                                              Encrypted:false
                                              SSDEEP:384:L2dxfhpi9oyqtJK429R18Nwstf9LqiQQmF1u:kq9ovtDDbrQTu
                                              MD5:74176FE6FB4889C2F44DCB46651BAAC6
                                              SHA1:D8992BB29A113137B79919BBF5C3662632D5A79A
                                              SHA-256:0B6BB42A5553A0D282B01C240863AA947137B985D870B6A41F21D69DC44E2728
                                              SHA-512:8627C0CB5B8F2677890C64924EE9CA8B4530E697BC10DDA49BBC830F0E7034BC20B36DDED99D91E6EC9D9B7FB4F01323F3AAB2C474855461C19F128F3BFB493B
                                              Malicious:false
                                              Preview:********************************************************************************..Silver Bullet IQA Release Notice ..Version: 1.4.0 .... March 29, 2011......1. PURPOSE OF THIS RELEASE.... * IQA is now a DLL.....2. RESOLVED ISSUES.... * None....3. KNOWN ISSUES.. * Same as version 1.1.5......********************************************************************************..********************************************************************************..Silver Bullet IQA Release Notice ..Version: 1.3.11 .... April 29, 2009......1. PURPOSE OF THIS RELEASE.... * Maintenance Release.....2. RESOLVED ISSUES.... * Thin lines across an item no longer count extra thickness for torn edges..... * Images that have incorrectly marked resolution tags will be aborted before.. conversion to bitonal images for testing..... * Image processing code is now common.....3. KNOWN ISSUES.. * Same as version 1.1.5......**************************************************
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:Generic INItialization configuration [Logging]
                                              Category:dropped
                                              Size (bytes):291
                                              Entropy (8bit):4.993517879846025
                                              Encrypted:false
                                              SSDEEP:6:DlweDKAJeTMGb2aPypLYrjqDiAXJShmnw/purCUJSh42:2CJXW2a6pLYAw3BUCUwz
                                              MD5:355DEB8A82D667849718AF05FE0D6FBF
                                              SHA1:52E05EFE6720C1EBAB8EFF1F2D6B5F7207B21DA6
                                              SHA-256:D000EC4413C3D4C814B1FD63F385C541357A3B08E316D7E41FFDA72E83F62644
                                              SHA-512:62B6BB315CCDEF51BDFD1C9D55A4D6642BA1B288653FFBCE5487D692E48AB36FBC2930EC621E25E961AF4ABFD3139BEA62E7DF067544B0CC4A716AD26A77BA59
                                              Malicious:false
                                              Preview:[Ranger Log]..MaxRecordCount=5000..MaxRecordSize=255....[Logging]..DisableAllLogging= false....LogToDebugWindow= false..ImageSystemCallEnabled= false..XptBaseDriverEnabled= true..ApplicationLogEnabled= true..ExceptionSystemEnabled= true..LogAquireObjectEnabled= false..XptDriverEnabled= true
                                              Process:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):4173748
                                              Entropy (8bit):7.995859063102352
                                              Encrypted:true
                                              SSDEEP:98304:M1jn8F9+gw9LcL2f9+vAKodchI2Lwc2G8e6dmvQhq9:w8F9+nc4coehIr7RPq9
                                              MD5:6E410C4D1E5DDB837EF6CAD248EA5652
                                              SHA1:A9F5BA507DB14917BF3989A7383E7D9E1B814976
                                              SHA-256:6F5D4797CB7D4C0FE3477B06A217A5777E206665A59BBB319EF10957BE200241
                                              SHA-512:CD15EADB8C2E86C371903794F58DF328FA60D9C77B6F5021726C77554D67B0AB4976656CA67475067412ACE20FA83E3809C8977BCCC32A74E2418230FC44F099
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 2%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):36156
                                              Entropy (8bit):4.762225077802864
                                              Encrypted:false
                                              SSDEEP:768:3T4CfTRjsTro5a1bIIT8wI3f7b8TEjoyvI:RwMf7BI
                                              MD5:C67470DC5FEC116157704087E2E6229F
                                              SHA1:5E42537234C2246D3751E24331D09EB864FBF4BF
                                              SHA-256:70149DC56F2122AECE28E441C8093CAFB00E832A813430018BF7067AB641F45E
                                              SHA-512:B91EF5A02654D28B68C3E539A64D28994BED2806D9EE78E052BA0371AC704AAF724F0A8D7B8C09D38BF3446DFA993D4AB95A1FCFFB19E4ED9D5FCF44B44D0A12
                                              Malicious:false
                                              Preview:// [OptionsLogging]..// If problems are encountered when Ranger reads this GenericOptions.ini file,..// then Ranger will write messages to a file called RangerGenericOptions.log ..// in the current directory. The log file is deleted and recreated each time ..// Ranger reads this GenericOptions.ini file...//..// Enabled: true or false (default)..// Path=Default (default) or the full path to the preferred location...//------------------------------------------------------------------------------....[OptionsLogging]..Enabled=false..Path=Default....//------------------------------------------------------------------------------..//[OptionalDevices] - Section to enable devices that impact performance on some transports...// If this section is not present or if an entry is not present, then..// the missing device(s) will be disabled...//NeedMicrEncoder = - Legal values: "true", any other value implies "false"..//NeedFrontEndorser=..//NeedRearEndors
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:Generic INItialization configuration [Server Connection]
                                              Category:dropped
                                              Size (bytes):3170
                                              Entropy (8bit):4.856229890233055
                                              Encrypted:false
                                              SSDEEP:96:RWxCbJ0eyz7QJI0+cH0nf2KTntaJOcpqF0IH:RWxCbJ0/QJIokf2TFoF08
                                              MD5:21712072C55E226DA57B502D6A4056C1
                                              SHA1:7B5C26492550CF9BF73424F6BD822B2323051B1B
                                              SHA-256:E7A9F325651DAC74F4E08EB0FCFFBA7408F4DA89F5BC9D7E3F9625476793F7D2
                                              SHA-512:0F8671116F791FD3716B2CB1D522F9B53BAECD9E012B43C9D3BAA7D5D157A0EF97ECBBD4EC8CF271A0D636A638D5BFCABEC6E59D67D2F7A89F598D59165B79F8
                                              Malicious:false
                                              Preview:;RangerServer Config file......[Server General]..;Boolean indicating whether the RangerRemote server GUI should initially be hidden..;on server startup. Note that regardless of this setting's value, the server GUI..;can always be manually displayed via menu access through RangerRemote's system..;tray icon...StartHidden=true....[Server Connection]..;Comma-separated list of ports to listen on. If the port is SSL, a letter s must be ..;appended, for example, 80,443s will open port 80 and port 443, and connections on ..;port 443 will be SSL-ed. For non-SSL ports, it is allowed to append letter r, meaning ..;'redirect'. Redirect ports will redirect all their traffic to the first configured SSL ..;port. For example, if listening_ports is 80r,443s, then all HTTP traffic coming at port ..;80 will be redirected to HTTPS port 443...;..;It is possible to specify an IP address to bind to. In this case, an IP address and a ..;colon must be pre-pended to the port number. For example, to bind to a lo
                                              Process:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):8100616
                                              Entropy (8bit):7.998266703196311
                                              Encrypted:true
                                              SSDEEP:196608:p9wzXHkQMAFKeqeRDTKpP0HtDRMqdmkBe3g++M+fPDAZxgP/MyGMh:pKz33EebNNtMim2Sg+riD3MyGMh
                                              MD5:4C81F04895E9C07D3F1E6DF691368C36
                                              SHA1:474513D9A702A45E65B0DD6320A2E78134951E26
                                              SHA-256:A8FB06BEEE992546C03DC6D7D6C08DF5FB0CBA1365F0640A7A9C39EE77962E11
                                              SHA-512:B1D594324D11F5721CC6041346C09788AB02F6759E7CB81249D1F3F5E0DE47F8D1EF3C68B6BB3C726470FF0510DCECB280AC58AB36110FF84CC5EA6F4130AE90
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):12185
                                              Entropy (8bit):4.858760655066104
                                              Encrypted:false
                                              SSDEEP:192:u7xhzhuScpJRyMO+/vDF7r/qIU4Ar0b4rSgUKH7xqIKi2Ns:EvhoJRj/vR7r/J6goUKVqIKi5
                                              MD5:D0258AD84DE12A325746A2A1ADFEBCB9
                                              SHA1:A1EF865EC112C9D9A14287B9494320DDEE2EFADE
                                              SHA-256:AD1302EB5FA03016C77F757E09CF43BAFB4D08AFF5C186E9A44F3046967506B3
                                              SHA-512:5853E61407020B52D9FBC4862CEABD72176CCD7BBBF585CEB8F550A4A40D1C837191519B80E77AA474F126766410D6320925B32377880AB26F08EFF717EB6B41
                                              Malicious:false
                                              Preview:// ----------------------------------------------------------------------..// Endorsement section..//..// Use SetFixedEndorseText() from within..// your application to set the ..// endorsement text. ..// Set fixed endorse text takes a normal string ..// value for this transport..// ..// MaxPixelWidth: Width of the endorsement field in pixels (800 pixels = 4 inches at 200 dpi)..// FontHeight: The windows font size to be printed..// UseBold/UseItalic: Print the entire line using special formatting..// EdgeOffset: Offset in pixels from leading edge of the document to start of printing..// Font: Windows font name to be used..//..// Auto-increment endorsement number by placing a '%d' in your endorsement text...// BatchStart: starting number..// BatchIncrement: increment..//..// ..//..[Endorsement] ..MaxPixelWidth=800..FontHeight=15..UseBold=true..UseItalic=false..EdgeOffset=800..Font=Arial....BatchStart=1..BatchIncrement=1...
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):36156
                                              Entropy (8bit):4.762225077802864
                                              Encrypted:false
                                              SSDEEP:768:3T4CfTRjsTro5a1bIIT8wI3f7b8TEjoyvI:RwMf7BI
                                              MD5:C67470DC5FEC116157704087E2E6229F
                                              SHA1:5E42537234C2246D3751E24331D09EB864FBF4BF
                                              SHA-256:70149DC56F2122AECE28E441C8093CAFB00E832A813430018BF7067AB641F45E
                                              SHA-512:B91EF5A02654D28B68C3E539A64D28994BED2806D9EE78E052BA0371AC704AAF724F0A8D7B8C09D38BF3446DFA993D4AB95A1FCFFB19E4ED9D5FCF44B44D0A12
                                              Malicious:false
                                              Preview:// [OptionsLogging]..// If problems are encountered when Ranger reads this GenericOptions.ini file,..// then Ranger will write messages to a file called RangerGenericOptions.log ..// in the current directory. The log file is deleted and recreated each time ..// Ranger reads this GenericOptions.ini file...//..// Enabled: true or false (default)..// Path=Default (default) or the full path to the preferred location...//------------------------------------------------------------------------------....[OptionsLogging]..Enabled=false..Path=Default....//------------------------------------------------------------------------------..//[OptionalDevices] - Section to enable devices that impact performance on some transports...// If this section is not present or if an entry is not present, then..// the missing device(s) will be disabled...//NeedMicrEncoder = - Legal values: "true", any other value implies "false"..//NeedFrontEndorser=..//NeedRearEndors
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1334
                                              Entropy (8bit):4.582701411805739
                                              Encrypted:false
                                              SSDEEP:24:1BdLMhALO05+FrKLFrYJjcVmz7zVGaCEr8ligEY18:HJMhuQAVInr8ligEYK
                                              MD5:9B783485963B9185E3BCCA04EEAFCDB1
                                              SHA1:38F0245B4664F967F041DD79798EFCECA4BB3B6E
                                              SHA-256:4A4868B91B22FAC662296A4E567540166C2029147FA32CDC761C56A63B752FCE
                                              SHA-512:0049168B0ADB979FC7DC147539BF671C843F60311B97E3B50B478C491892F8F1AB6E4D19F530E83932D994593B13C347209D8BB6DFE1891AD7C0D9A21C2B36FA
                                              Malicious:false
                                              Preview:[MessagesText]..UnableToInitialize=Unable to communicate with the device.\n\nPlease reboot the computer...StartupError=Unable to open the scanner, this may be caused by an inncorrect shutdown.\n\n Please reset scanner by turning it off and back on.\n\nThen restart this application...ImageError=Unable to acquire an image or read MICR characters...Misfeed=Document feed error.\n\nPlease place items in the feeder and try again...NoPaper=Document not detected.\n\nPlease place items in the feeder and try again...PossibleJam=Possible jammed item.\n\nPlease clear the track and feed the item again...PrintError=Error printing.\n\nThe document may not have been endorsed correctly...DoubleFeed=Double-feed detected.\n\nReprocess the items in their original order...MICRDoubleFeed=Micr Double-feed detected.\n\nReprocess the items in their original order...MemoryError=Insufficient memory.\n\nClose all other programs and restart application..Thread=Insufficient resources to start scanning thread.\n\nCl
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:ASCII text, with very long lines (512), with no line terminators
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):3.550060427958117
                                              Encrypted:false
                                              SSDEEP:12:sUrXDiXDiXDiXDiXDiXDiXDiXDiXDiXDiXDiXDiXDiXDiXDiXDiXDiXDiXDiXDic:BXDiXDiXDiXDiXDiXDiXDiXDiXDiXDik
                                              MD5:08EAF2FF5440E394BFE7EE096114B95D
                                              SHA1:4F2CD4F1D6885F85BD24EC7C75F97050C8EE3F87
                                              SHA-256:DFCD53A04681D93003AC5F65251ED456DA9E3E01F66F0EFD2A23D69BBC33A443
                                              SHA-512:B216B4E421628EBC285AC6911C86D102264B7070F3A7C37007F7666EB5BD1972C33A02C7A6A93EC0A2C13C5B9E0D9F72EC9C7385CDE91E4D99AADA35B81DF32F
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerRemoteSecureInstaller.exe
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Fiserv Ranger Remote Secure 1.4.2.1 Installer, Author: Fiserv, Keywords: Installer, Comments: Fiserv Packaging of Ranger Remote 1.4.2.1 Installer with Secure Certificates, Template: Intel;1033, Revision Number: {9C9EEB3F-182B-4DBC-94C7-8E9605B2A9A9}, Create Time/Date: Thu May 4 15:53:12 2017, Last Saved Time/Date: Thu May 4 15:53:12 2017, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.3.3007), Security: 2
                                              Category:dropped
                                              Size (bytes):7069696
                                              Entropy (8bit):7.998225611323013
                                              Encrypted:true
                                              SSDEEP:196608:zcwSqQ2JmzD+c3Lq84/eEDyA7Wgd55VivrPQFRhQKk:zvSEqf4HGA6gD5MY0
                                              MD5:5374F4FBBD0E339B7E9911848A8392CA
                                              SHA1:8508B9AF64C3ECC4EF971E5FAFBBC368378E0512
                                              SHA-256:5F73A2DA4B82AB956C5248F41E935877DBBD57331C36ECAAB2DB7ADE9CBB8944
                                              SHA-512:92045162039E6D66E3F2A3FDCABEC5A6105F0364A50B387AFDD12B8FA2B03AD76D0B701615B1B92B9A1F12AF5822CAFE013D29F66CADA0396529B57D5F02F13A
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              File Type:Windows setup INFormation
                                              Category:dropped
                                              Size (bytes):398
                                              Entropy (8bit):5.168890198215141
                                              Encrypted:false
                                              SSDEEP:6:hGkAv+BIHfXh7Nbocq2Gd1GdCNP30zlFGdl3ec13XkIL5gOSYrIhHhUWmXEGyN0W:BBIppM48T/0rYLlxaVhHeHX1ympNXy
                                              MD5:312199BCC4B0A2A1D906B1D0CBA05E8E
                                              SHA1:930158C5BD49DCA752754479D8F37EF82B951F6B
                                              SHA-256:CE098D25F4F139AB0A963AF82E1F882D330E0F00A79C7B7548B61D04E0D1D190
                                              SHA-512:713752B492830D78960641E8845BFEF468C7323077E284D1310576C2BC0323BD6C68811B2BF2D00B4903EAA287835A0FBCAC94340ECA2CE17B50552F2F3957E5
                                              Malicious:false
                                              Preview:[version]..signature="$CHICAGO$"..AdvancedINF=2.0....[Add.Code]..alttiff.ocx=alttiff.ocx..alttifflicense.dat=alttifflicense.dat....[alttiff.ocx]..file-win32-x86=thiscab..file-win32-alpha=ignore..file-win32-mips=ignore..file-win32-ppc=ignore..clsid={106E49CF-797A-11D2-81A2-00E02C015623}..FileVersion=1,9,2,1..RegisterServer=yes....[alttifflicense.dat]..file-win32-x86=thiscab..RegisterServer=no....
                                              Process:C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):889616
                                              Entropy (8bit):6.23829939927169
                                              Encrypted:false
                                              SSDEEP:12288:jn4WEC9uZ2NcpKA8Rt2UVJD+S2xpEUYRfXmEa0OHR+TXYUMjHNS:jC12OpKLtdH+S2xpktX2FETXnMjHNS
                                              MD5:F8CC300DB99E1F5A3920DB1503FCDDD4
                                              SHA1:E99A13540676C42945DF006E0239F2084EAE886F
                                              SHA-256:EC27A6B9D42F852D47FB57DACFCE6EDDBB117E45D2F3C447990426ACE0684277
                                              SHA-512:18A96ECBA81F8A67D05EB5EE62CFEA04D7FAD6820992A28992C472B2498675761AEF6B59AFD638C0FF6B5A04D60793D7FEC9A8BA3313CE210984A4AAC2935EC6
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 3%
                                              Process:C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              File Type:ASCII text
                                              Category:dropped
                                              Size (bytes):38
                                              Entropy (8bit):4.326360407952694
                                              Encrypted:false
                                              SSDEEP:3:JLdVIdVsku92d5n:JLXIdmku9M
                                              MD5:63AED2F4474C4F0B29539E9C6EEAC780
                                              SHA1:70DBB44429221C3E1C116FE50E58626011C231AD
                                              SHA-256:576D3AEC935AA824A8525F9BE9DA6EDA32EEFCF3FC1C93529251DAFADD7A583F
                                              SHA-512:B3EA5CE327C9C870126D7CCB4BC0761CFC1FF93845EEDD76EE980AC82F579D4C9C3CB8A09FA2CD59D86AE09AFC359EECD18F3524FCDC702F1673A279A3DB2D22
                                              Malicious:false
                                              Preview:b76250f28014640e|1372|unlim|Carreker|.
                                              Process:C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):50
                                              Entropy (8bit):4.455337750470313
                                              Encrypted:false
                                              SSDEEP:3:yCABiJ6yM2xMWiRRCn:yCABq6ci7XCn
                                              MD5:6FED6CF91A0491B1A637C0D7BA8CE273
                                              SHA1:9E20C7FB306F00A3B0360B6459E29E7F83BCAE24
                                              SHA-256:E333DC52C2A3EBBFA0B1F97BF6F4D1A488FCB8672EE563C3EF0A2108A8205AB9
                                              SHA-512:08FB8B9D1F97E1AB019C7B9C9D070BB420338EBF4611DACBF5FF5F1C0653F8065EC867CE079F42BA0FB5B039E562C4D221606EDEBAD6AAA98F1A38B699E1A627
                                              Malicious:false
                                              Preview:RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe
                                              Process:C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):31
                                              Entropy (8bit):3.7040386490267627
                                              Encrypted:false
                                              SSDEEP:3:yCA4RTAGwygOXLNn:yCA42/OXLN
                                              MD5:77C5F2870ECAE72E0ABC51E75C99325C
                                              SHA1:43E19A69F938ECAA5AA28813A2651131C2004051
                                              SHA-256:4E53D239DD7DF8E3297B824FD9633DECB095C2A5E0DFE54BD6DD605553D4EC33
                                              SHA-512:B687E625AE81AF3441A6E4B24008E61C0E5D6A46D16B04A7A1D6CAEC9B49A153E267C8408BA753A84E881F8CD0A8718082B16E0830262B50B2413B8C48C45266
                                              Malicious:false
                                              Preview:RangerRemoteSecureInstaller.exe
                                              Process:C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):15
                                              Entropy (8bit):3.323231428797621
                                              Encrypted:false
                                              SSDEEP:3:2vLACn:A0Cn
                                              MD5:ED606C4745B2C510E129FAB76E42A08F
                                              SHA1:BB3455D613783D24CBC8F5CF50DF25271530EF15
                                              SHA-256:52FE6DADDDD73D49496C1B333C658309BEEC7801760BB9EC5ACAD709B77622CB
                                              SHA-512:73C08B31786EF6BEEF71FBADF9C047171A9AD140D45C915F7684CF1174A9018B8725FA096CDC79A3EF5612C2BC5C262E8E84D19AB37D92258A03E854A02DB373
                                              Malicious:false
                                              Preview:SetupZiptrc.exe
                                              Process:C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):256
                                              Entropy (8bit):3.8721299860556053
                                              Encrypted:false
                                              SSDEEP:6:IlrjMBHC4VJUIOi0xn/tR5H2CUVRwUVRwUVRwUVRwUVRwUVRwUVRn:Ilrj46B5/tnJUgUgUgUgUgUgUX
                                              MD5:2A67713D0B0012D8748068F357C6D904
                                              SHA1:A225903006D14D2B0194071150DA6301345745E1
                                              SHA-256:50A67743BAF44BF3A0D60265545EC388705D1CCA6D3570BA11DC161D894DD442
                                              SHA-512:6B3989DD407DB833175E1FAAFBDD6129506472DEF2E7C6F1D851DF86426A87A5983F7E37128EA01333CF595225AD5A352ABEB94229DC211CD52FDA35F074BA83
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):12383880
                                              Entropy (8bit):7.999115124242722
                                              Encrypted:true
                                              SSDEEP:196608:1GwuuHh8hC0x5S6cTfLwy3FejYiabCgAuZbKnqzK4r4veJqGVTCFmVXYaM0jFOZ9:1FuGhs5GFoMiEC9ubKqmuJqGVeQVXYa6
                                              MD5:05B756A815EC4F1F2024A055B9B57128
                                              SHA1:1BCC7C7D7DB00517E721CE78D30602148D84C520
                                              SHA-256:009B9D14FD398C1004A26FB1F17CFF4AD463F356AE60E6A615A1F0D6D9727DAC
                                              SHA-512:6BA57EAAFFE017E67CBECF05F91C5012AB4D97D2E3FE71F2D7BAFCE0C9B54A5A95CF106BA4DA6995BF18B2754EB4F6CB011BC69B0A9D669709008372FE9C011E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 2%
                                              Process:C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):7314832
                                              Entropy (8bit):7.990650088318741
                                              Encrypted:true
                                              SSDEEP:196608:iEWGe0q1CJ/sYBbG6EzKwPeQVu2b3Fzulx5C5NXyM2G:ibG+C/2J2Q02DFGIYG
                                              MD5:3DAE48510B29272D4DEDB381647874FC
                                              SHA1:D7CD7C7639F7F692CB189C04F4F1CE722CBB961C
                                              SHA-256:97FC0DA2154647688A4DC36CAAA5587F78E4343902E12D9C4D05B76945BBC7A3
                                              SHA-512:0FA0F8C56CC6EBA255C08C748E419D26D703CE0F409DF95081AE61068498A832DD0359CF5874AFAE5932BBEE098DF27F82F018C793BFCC59259281B90CA2B2B8
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Category:dropped
                                              Size (bytes):1694768
                                              Entropy (8bit):7.906238867838181
                                              Encrypted:false
                                              SSDEEP:24576:En/LyQOhipkPOU9sSq5cUqn17kdY8IQKvTjOq3gSi+QaEyi91Clc4X:QzyQOcp2iSsGG9BKvTjbgt+lEyi91Cll
                                              MD5:78760682898539AB944FC5D24DDF02FF
                                              SHA1:0A53A2E88EC86FA83E3B4C3F4AAB9FAED3B254FF
                                              SHA-256:BCE73797648A306803B52B3CBE79AF6A8140F29A5BAF45661DD648CA85B337F0
                                              SHA-512:D54A08E75FA686F907A2011C484108E5E6868C4E565E9B2115C9339181914214C34DED3BB1503608C1CF18EFC2008D1011F74AB7B526D1D5E59A43F48828B320
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):54
                                              Entropy (8bit):4.453690048339573
                                              Encrypted:false
                                              SSDEEP:3:SVWWBiJ6yM2xMWiRm:SBBq6ci74
                                              MD5:377108FA2D0E2190124B887B08E25555
                                              SHA1:D59CCF9FDC3B280A4A660C4AE90F857747F4B696
                                              SHA-256:F823D48B045013C08FB3B8FD5BA51B9E36099C93506C105980EE077F3DDBF6B3
                                              SHA-512:FEE8F1DD85F9F777C1AEF7954CCA22DE36494B6183ABEF067680D7578376D205A4265019414F95E4A64F9FC369E40424705E9E7435077B3B42642579FD552542
                                              Malicious:false
                                              Preview:1.0.0 - RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0
                                              Process:C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              File Type:DOS batch file, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1591
                                              Entropy (8bit):5.441669460886605
                                              Encrypted:false
                                              SSDEEP:48:VfdC3FEdojUFNlXld0sMJreRlGK3zntZG/HIqj:zMFEdojUFNdliRr6DznrU
                                              MD5:E7628FB98EB9817007D3AA9F8DCC166B
                                              SHA1:AC37AD211EB56D6B2C8952408F203A2961B73A14
                                              SHA-256:FAD38ABA1427C9C328FF7C0327B62DFC0897AE695A28472090A639A93FEE7AEE
                                              SHA-512:5564098ECED01D033C33BD0C658F7597E20D4D4960412C651D06BC600B6BAE7003422DE77CEF8696633C6E13409178F3359E6AE4E88C50645AD488DEDC6BEB2E
                                              Malicious:false
                                              Preview:@ECHO off..SETLOCAL..SET AlternaTIFF_INSTALLPATH=C:\Windows\Downloaded Program Files..SET RANGER_INSTALLPATH=C:\Program Files (x86)\Silver Bullet Technology\Ranger..SET /P RANGER_EXE_FILENAME=<RangerInstallFilename_Config.txt..SET /P RANGER_REMOTE_EXE_FILENAME=<RangerRemote_InstallFilename_Config.txt..SET /P ZIPTRC_EXE_FILENAME=<ZipTrcFilename_Config.txt....GOTO CHECK_PERMISSIONS....:CHECK_PERMISSIONS..NET SESSION >nul 2>&1..IF %ERRORLEVEL% == 0 (.. @ECHO Administrator privileges are detected - proceeding with install...GOTO INSTALL_RANGER_DRIVER..) ELSE (.. @ECHO Administrative Privileges are required to install this program. ...@ECHO Instructions: Right click on exe file, click "Run as administrator"...GOTO EOF..)....:INSTALL_RANGER_DRIVER..@ECHO ...Installing Ranger Driver..CALL "%~dp0installFiles\%RANGER_EXE_FILENAME%" /S..GOTO COPY_LICENSE_FILE....:COPY_LICENSE_FILE..@ECHO ...Installing License..COPY "%~dp0installFiles\License.dat" "%RANGER_INSTALLPATH%" > nul..GOTO INSTALL
                                              Process:C:\2c943420539b5d851ede182b60\Setup.exe
                                              File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):16118
                                              Entropy (8bit):3.6434775915277604
                                              Encrypted:false
                                              SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                                              MD5:CD131D41791A543CC6F6ED1EA5BD257C
                                              SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
                                              SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
                                              SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
                                              Malicious:false
                                              Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                              Process:C:\2c943420539b5d851ede182b60\Setup.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):7174
                                              Entropy (8bit):3.62640253912472
                                              Encrypted:false
                                              SSDEEP:48:35edfWK03KGeM85eMK45eW+5ezJeJPq5eXL45el+5eu8K03KGej0Ff85e9obZflj:qK6CtLhTvQU2Q3+UVUauunPl1zcR
                                              MD5:FDA45F6F40ECE4D24A0AACBDCEA4E9F7
                                              SHA1:548728814B8F208E0DB6ACB4B99D68708B29EBF4
                                              SHA-256:12EC95BE4AC3A70453617B28FF4D0213ED3B47BACA0BB193090D13EB23DC5AF1
                                              SHA-512:9D6F4EF2F9E7C6801B1CE9B2AC6A5311077A24AB79DE719E9CA534FDDB9F5739764D4D131F2E7CAC08732D4AD8F71D2B4E7D9F0DEBD8E093554B6B7E5AE1AF39
                                              Malicious:false
                                              Preview:....<.s.p.a.n. .c.l.a.s.s.=.".v.b.e.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.8./.3.0./.2.0.2.3.,. .2.3.:.3.9.:.1.8.].<./.s.p.a.n.>.c.a.l.l.i.n.g. .P.e.r.f.o.r.m.A.c.t.i.o.n. .o.n. .a.n. .i.n.s.t.a.l.l.i.n.g. .p.e.r.f.o.r.m.e.r.<.B.R.>.<./.s.p.a.n.>.....<.s.p.a.n. .c.l.a.s.s.=.".a.c.t.".>.<.d.i.v. .c.l.a.s.s.=.".s.e.c.t.i.o.n.H.d.r.".>.<.a. .h.r.e.f.=.".#.". .o.n.c.l.i.c.k.=.".t.o.g.g.l.e.S.e.c.t.i.o.n.(.).;. .e.v.e.n.t...r.e.t.u.r.n.V.a.l.u.e.=.f.a.l.s.e.;.".>.<.s.p.a.n. .c.l.a.s.s.=.".s.e.c.t.i.o.n.E.x.p.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.8./.3.0./.2.0.2.3.,. .2.3.:.3.9.:.1.8.]. .<./.s.p.a.n.>.A.c.t.i.o.n.:. .P.e.r.f.o.r.m.i.n.g. .a.c.t.i.o.n.s. .o.n. .a.l.l. .I.t.e.m.s.<./.s.p.a.n.>.<.s.p.a.n. .c.l.a.s.s.=.".s.e.c.t.i.o.n.E.x.p.2.".>.......<.B.R.>.<./.s.p.a.n.>.<./.a.>.<./.d.i.v.>.<.d.i.v. .c.l.a.s.s.=.".s.e.c.t.i.o.n.".>.....<.s.p.a.n. .c.l.a.s.s.=.".v.b.e.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.8./.3.0./.2.0.2.3.,. .2.3.:.3.9.:.1.8.].<./.s.p.a.n.>.W.a.i.t. .f.o.r. .I.t.e.m. .(.v.c._.
                                              Process:C:\686fc0c283be14fef7\Setup.exe
                                              File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):16118
                                              Entropy (8bit):3.6434775915277604
                                              Encrypted:false
                                              SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                                              MD5:CD131D41791A543CC6F6ED1EA5BD257C
                                              SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
                                              SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
                                              SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
                                              Malicious:false
                                              Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                              Process:C:\686fc0c283be14fef7\Setup.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):1598
                                              Entropy (8bit):3.510195436173303
                                              Encrypted:false
                                              SSDEEP:48:35eSM1+K03KGeS185eSfK45ej+JeHAHr4q:rMgwfKHOHUq
                                              MD5:89BDE9DAFAC763CE0112E3DA8D8B4619
                                              SHA1:17D9D98792593B42283C65B72A3D0F28ED5D3E27
                                              SHA-256:70F66B2357E2BFFB8EA984DDDA2AF0C941B107C5E36EF0D2818E6936F267FACB
                                              SHA-512:4C47BFC35B393B0E57FA132EBF04E1C98B9B681BC78D62E7459A6AAF7E4D3FE58B8A180F457F2F6C6C79DF18F25B6C38D948083587726699E4B57223ADFBF456
                                              Malicious:false
                                              Preview:....<.s.p.a.n. .c.l.a.s.s.=.".v.b.e.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.8./.3.0./.2.0.2.3.,. .2.3.:.4.0.:.3.].<./.s.p.a.n.>.c.a.l.l.i.n.g. .P.e.r.f.o.r.m.A.c.t.i.o.n. .o.n. .a. .r.e.p.a.i.r.i.n.g. .p.e.r.f.o.r.m.e.r.<.B.R.>.<./.s.p.a.n.>.....<.s.p.a.n. .c.l.a.s.s.=.".a.c.t.".>.<.d.i.v. .c.l.a.s.s.=.".s.e.c.t.i.o.n.H.d.r.".>.<.a. .h.r.e.f.=.".#.". .o.n.c.l.i.c.k.=.".t.o.g.g.l.e.S.e.c.t.i.o.n.(.).;. .e.v.e.n.t...r.e.t.u.r.n.V.a.l.u.e.=.f.a.l.s.e.;.".>.<.s.p.a.n. .c.l.a.s.s.=.".s.e.c.t.i.o.n.E.x.p.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.8./.3.0./.2.0.2.3.,. .2.3.:.4.0.:.3.]. .<./.s.p.a.n.>.A.c.t.i.o.n.:. .P.e.r.f.o.r.m.i.n.g. .a.c.t.i.o.n.s. .o.n. .a.l.l. .I.t.e.m.s.<./.s.p.a.n.>.<.s.p.a.n. .c.l.a.s.s.=.".s.e.c.t.i.o.n.E.x.p.2.".>.......<.B.R.>.<./.s.p.a.n.>.<./.a.>.<./.d.i.v.>.<.d.i.v. .c.l.a.s.s.=.".s.e.c.t.i.o.n.".>.....<.s.p.a.n. .c.l.a.s.s.=.".v.b.e.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.8./.3.0./.2.0.2.3.,. .2.3.:.4.0.:.3.].<./.s.p.a.n.>.W.a.i.t. .f.o.r. .I.t.e.m. .(.v.c._.r.e.d...c.
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):283192
                                              Entropy (8bit):3.8177851746676343
                                              Encrypted:false
                                              SSDEEP:3072:kjjdQgOTVooooooooooojjjjjJk/9bQFhscTXvEGxFxshimQ:YjSs
                                              MD5:92BFC62D8394541350EAC83B518FFBB6
                                              SHA1:7ED3B3D9ABA8FD312A41868DEAFCD413088BE8DA
                                              SHA-256:3FB480D0CFBB0EA8EACC78FE8BB7ACA19826E5A03513460587A808CD79B4EB6E
                                              SHA-512:E9B28DE9EE418A9DC8808376B420B64AD710E289E4B54B5C5A593AD95A40C8E8479EBAD98FA6B0629E7C50B6C12BC1B94F252B5DB19828C52DC309DA36D4A07E
                                              Malicious:false
                                              Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .8./.3.0./.2.0.2.3. . .2.3.:.3.9.:.2.0. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .c.:.\.2.c.9.4.3.4.2.0.5.3.9.b.5.d.8.5.1.e.d.e.1.8.2.b.6.0.\.S.e.t.u.p...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.A.C.:.3.C.). .[.2.3.:.3.9.:.2.0.:.1.7.8.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.A.C.:.3.C.). .[.2.3.:.3.9.:.2.0.:.1.7.8.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.A.C.:.3.C.). .[.2.3.:.3.9.:.2.0.:.1.7.8.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .c.:.\.2.c.9.4.3.4.2.0.5.3.9.b.5.d.8.5.1.e.d.e.1.8.2.b.6.0.\.v.c._.r.e.d...m.s.i..... . . . . . . . . . . .*.*.*.*.*.*.*. .A.c.t.i.o.n.:. ..... . . . . . . . . . . .*.*.*.*.*.*.*. .C.o.m.m.a.n.d.L.i.n.e.:. .*.*.*.*.*.*.*.*.*.*.....M.S.I. .(.c.). .(.A.C.:.3.C.). .[.2.3.:.3.
                                              Process:C:\2c943420539b5d851ede182b60\Setup.exe
                                              File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (357), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):74484
                                              Entropy (8bit):3.686058344300841
                                              Encrypted:false
                                              SSDEEP:384:fdsOT01KcBUFJFEWUxFzvHi70Ca8rxQEwXx6XLfVyC:fdsOTLyUFJFEWUxFzvCnQbB6XRyC
                                              MD5:CB7B0EFFD85538AD70EFC7A11166B630
                                              SHA1:BB01100AB643A57B09EBE97646BE1632FC820779
                                              SHA-256:1C6D9B3B811958C0D534322271820803FF0B92D71FAC4A9F58DCAADE35DC1D15
                                              SHA-512:666FDFDD3809C0E9E4CBD7721F8BE52E8D4F8385B206FB73A4C198862C586D48644034512D9D2E20EA6FA179AC901D7F1C675230837BC50E40EB1377E2B04A5D
                                              Malicious:false
                                              Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                              Process:C:\686fc0c283be14fef7\Setup.exe
                                              File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (356), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):64580
                                              Entropy (8bit):3.677478826817355
                                              Encrypted:false
                                              SSDEEP:384:fdsOT01KcBUFJFEWUxFzvHzDcCCd6xQE2x6lxD1:fdsOTLyUFJFEWUxFzvT7Qn6lP
                                              MD5:9DB48219FE085BC8EBAC736F468328B5
                                              SHA1:19349DA8AED4A102AEB807ADAC75DB686BA2B51D
                                              SHA-256:F4A32933805A5BA72425B8A27ECC2FAB1ECBA2BAEDD550C708E356E604BA0556
                                              SHA-512:CF353B947F266198B8F14C51E26ECBF23266DCBECEEC404C31C2BC48FE41D039944D5C28AB24D779D17F16144565AF75F26BE9305BC5A4A14968B3DFA18EC2BE
                                              Malicious:false
                                              Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                              Process:C:\2c943420539b5d851ede182b60\Setup.exe
                                              File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (323), with CRLF line terminators
                                              Category:modified
                                              Size (bytes):29244
                                              Entropy (8bit):3.7123479509676933
                                              Encrypted:false
                                              SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjOhN0Ca8cBv:fdsOT01KcBUFJFEWUxFzvHi70Ca8+
                                              MD5:DB6E803E81D2419CBDEEF920D59AF590
                                              SHA1:38E304DAAE02E50A2115370B99A10EA0DA9F1ED8
                                              SHA-256:6C0228135B684532BD86B3522EE989A421C9DAAB32BE1ABD54558FE9B903FA5C
                                              SHA-512:6AAF33558DE6BCBFD5FB00310B4CC26F47100D3D08AE1A1B75523122DC6BF373BA5A3BBB617B9414B2A7BE18F49716007D273E8443AC2385081779FCE1C607BB
                                              Malicious:false
                                              Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                              Process:C:\686fc0c283be14fef7\Setup.exe
                                              File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (322), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):29152
                                              Entropy (8bit):3.7069072117108766
                                              Encrypted:false
                                              SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjvh1cCd6deiA:fdsOT01KcBUFJFEWUxFzvHzDcCCd6
                                              MD5:C28BFD6C647BF1855F02F2A269DDB117
                                              SHA1:5D1BF6104932A92642AA1EACBEB61AB8B8782609
                                              SHA-256:DD0DAAB4011EF8DE4C1482687B73F98DF99548CF36692EE560E8E4C60699FDA8
                                              SHA-512:BDA628064AD9F13CA7CE552E7F0BAA4F16F3C189273D5E06B50C348CB59F010602D81EDA4DFC511B019532464C2DDCF98949B7A1EBBF6DFA3DBFE9E15AA35ECC
                                              Malicious:false
                                              Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                              Process:C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):717312
                                              Entropy (8bit):6.546164376292943
                                              Encrypted:false
                                              SSDEEP:12288:JRObekMtkfohrPUs37uzHnA6zgpKq35eERXprNrHIR3+j1vGgZOsMEDEx9Q/:TObekYkfohrP337uzHnA6cgqpeEFHR9l
                                              MD5:1789A04058130108337961A38192052C
                                              SHA1:4CB063549DF8B28C27D71575EA61613C391F31E6
                                              SHA-256:C15500F3C278F9AB0A12FFFA201FBF4E6CFEDC8934B99B4E6A07F9D0077ABF9C
                                              SHA-512:CB8E5B5DB9C90010C991A75C3D79B861C33AB272E05261446468146C2D158B931708798D211FDE9D0AB59EBE77FB53523012DB69631725A3D13BD7475E53E59F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):4096
                                              Entropy (8bit):4.026670007889822
                                              Encrypted:false
                                              SSDEEP:48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
                                              MD5:0EE914C6F0BB93996C75941E1AD629C6
                                              SHA1:12E2CB05506EE3E82046C41510F39A258A5E5549
                                              SHA-256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
                                              SHA-512:A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):6144
                                              Entropy (8bit):4.215994423157539
                                              Encrypted:false
                                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                              MD5:4FF75F505FDDCC6A9AE62216446205D9
                                              SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                              SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                              SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                              Category:dropped
                                              Size (bytes):23312
                                              Entropy (8bit):4.596242908851566
                                              Encrypted:false
                                              SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                              MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                              SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                              SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                              SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):10752
                                              Entropy (8bit):5.7425597599083344
                                              Encrypted:false
                                              SSDEEP:192:uv+cJZE61KRWJQO6tFiUdK7ckK4k7l1XRBm0w+NiHi1GSJ:uf6rtFRduQ1W+fG8
                                              MD5:56A321BD011112EC5D8A32B2F6FD3231
                                              SHA1:DF20E3A35A1636DE64DF5290AE5E4E7572447F78
                                              SHA-256:BB6DF93369B498EAA638B0BCDC4BB89F45E9B02CA12D28BCEDF4629EA7F5E0F1
                                              SHA-512:5354890CBC53CE51081A78C64BA9C4C8C4DC9E01141798C1E916E19C5776DAC7C82989FAD0F08C73E81AABA332DAD81205F90D0663119AF45550B97B338B9CC3
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):6656
                                              Entropy (8bit):5.033979150040588
                                              Encrypted:false
                                              SSDEEP:96:L7GUeYNrwgcrEzyKwZxW4JxNABWweYkZleOe4I9d0qqyVgNr32E:XGgrwgcrEzylQBHkZwd0qJVgNy
                                              MD5:428C3A07FBA184367A5085E46E4A790B
                                              SHA1:F2DE6CD4EC99AB784D18914A21DE9D919A450089
                                              SHA-256:3B15C6E4CA42036D7424F93EA0806A2D35220D65FAAF2BD2479A54258F631B55
                                              SHA-512:B34E1266E949D7CC5CDB7A809C3CA42652A1BB1EC72D83218604CB01B3118BBB42BFCAEBC6134C4E6EB43FB566539414A49C1A0CD23A6C84DA7C1C4B56BA2AB6
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:modified
                                              Size (bytes):10752
                                              Entropy (8bit):5.621387195459456
                                              Encrypted:false
                                              SSDEEP:192:8SEWBGgiJM4LN+xq56XdNcNz/NWdlJmlyOcROQ:8SEPgii9KTzyt
                                              MD5:055F4F9260E07FC83F71877CBB7F4FAD
                                              SHA1:A245131AF1A182DE99BD74AF9FF1FAB17977A72F
                                              SHA-256:4209588362785B690D08D15CD982B8D1C62C348767CA19114234B21D5DF74DDC
                                              SHA-512:A8E82DC4435ED938F090F43DF953DDAD9B0075F16218C09890C996299420162D64B1DBFBF613AF37769AE796717EEC78204DC786B757E8B1D13D423D4EE82E26
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):11264
                                              Entropy (8bit):5.567124464313517
                                              Encrypted:false
                                              SSDEEP:192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
                                              MD5:00A0194C20EE912257DF53BFE258EE4A
                                              SHA1:D7B4E319BC5119024690DC8230B9CC919B1B86B2
                                              SHA-256:DC4DA2CCADB11099076926B02764B2B44AD8F97CD32337421A4CC21A3F5448F3
                                              SHA-512:3B38A2C17996C3B77EBF7B858A6C37415615E756792132878D8EDDBD13CB06710B7DA0E8B58104768F8E475FC93E8B44B3B1AB6F70DDF52EDEE111AAF5EF5667
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):10752
                                              Entropy (8bit):5.621387195459456
                                              Encrypted:false
                                              SSDEEP:192:8SEWBGgiJM4LN+xq56XdNcNz/NWdlJmlyOcROQ:8SEPgii9KTzyt
                                              MD5:055F4F9260E07FC83F71877CBB7F4FAD
                                              SHA1:A245131AF1A182DE99BD74AF9FF1FAB17977A72F
                                              SHA-256:4209588362785B690D08D15CD982B8D1C62C348767CA19114234B21D5DF74DDC
                                              SHA-512:A8E82DC4435ED938F090F43DF953DDAD9B0075F16218C09890C996299420162D64B1DBFBF613AF37769AE796717EEC78204DC786B757E8B1D13D423D4EE82E26
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):11264
                                              Entropy (8bit):5.567124464313517
                                              Encrypted:false
                                              SSDEEP:192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
                                              MD5:00A0194C20EE912257DF53BFE258EE4A
                                              SHA1:D7B4E319BC5119024690DC8230B9CC919B1B86B2
                                              SHA-256:DC4DA2CCADB11099076926B02764B2B44AD8F97CD32337421A4CC21A3F5448F3
                                              SHA-512:3B38A2C17996C3B77EBF7B858A6C37415615E756792132878D8EDDBD13CB06710B7DA0E8B58104768F8E475FC93E8B44B3B1AB6F70DDF52EDEE111AAF5EF5667
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):5120
                                              Entropy (8bit):5.197939154884686
                                              Encrypted:false
                                              SSDEEP:96:E12kx1WhoMHF7ZmIpNkTif0geoBLERrqm1BdROBh6Hx2WsTDBi46AQuP:Xll7A6NkOMiBEReEBdRwiMTDBi46AQu
                                              MD5:2E2412281A205ED8D53AAFB3EF770A2D
                                              SHA1:3CAE4138E8226866236CF34F8FB00DAFB0954D97
                                              SHA-256:DB09ADB6E17B6A0B31823802431FF5209018EE8C77A193AC8077E42E5F15FB00
                                              SHA-512:6D57249B7E02E1DFED2E297EC35FB375ECF3ABC893D68694F4FA5F2E82EC68C129AF9CC5CE3DD4025147309C0832A2847B69334138F3D29C5572FF4E1B16F219
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):11264
                                              Entropy (8bit):5.567124464313517
                                              Encrypted:false
                                              SSDEEP:192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
                                              MD5:00A0194C20EE912257DF53BFE258EE4A
                                              SHA1:D7B4E319BC5119024690DC8230B9CC919B1B86B2
                                              SHA-256:DC4DA2CCADB11099076926B02764B2B44AD8F97CD32337421A4CC21A3F5448F3
                                              SHA-512:3B38A2C17996C3B77EBF7B858A6C37415615E756792132878D8EDDBD13CB06710B7DA0E8B58104768F8E475FC93E8B44B3B1AB6F70DDF52EDEE111AAF5EF5667
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):5073240
                                              Entropy (8bit):7.998813387067771
                                              Encrypted:true
                                              SSDEEP:98304:RuLgywiN1ah6HcG0UJrN7SDgndrHZDMeaNNjt0CKKBgY2r71pZ/APaOR72HgQo0z:I7wq1W6HqULS8djZDTaNNeCKVP5ORsg0
                                              MD5:B88228D5FEF4B6DC019D69D4471F23EC
                                              SHA1:372D9C1670343D3FB252209BA210D4DC4D67D358
                                              SHA-256:8162B2D665CA52884507EDE19549E99939CE4EA4A638C537FA653539819138C8
                                              SHA-512:CDD218D211A687DDE519719553748F3FB36D4AC618670986A6DADB4C45B34A9C6262BA7BAB243A242F91D867B041721F22330170A74D4D0B2C354AEC999DBFF8
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):18208
                                              Entropy (8bit):5.811418287870366
                                              Encrypted:false
                                              SSDEEP:384:MWZXksEk08ETDrDNLBLFOL/7nDfDnrHjXHUX4yQ0nTds:MWZXksEk08ETDrDNLBLFOL/7nDfDnrHR
                                              MD5:239F070ACDE2550A3F001B7146A5A5FA
                                              SHA1:EFC1A6BB213DA4CA3341D906DF80B50B962265AB
                                              SHA-256:34177A54958D7B6083C3668928C58ED968076E245EFAB4E90011EA08F1294166
                                              SHA-512:2ED00E2D74F929EC46D6289535730889853FD91D75FA0BC01CB1C741B53A2F1F2B6E41C5AF5E1B654C104973BC348DA0686E0AC0B64AD1791AEED4EDFAF757A7
                                              Malicious:false
                                              Preview:0.G...*.H........G.0.G....1.0...+......0.....+.....7......0...0...+.....7.........O..A.W...n...100408005841Z0...+.....7.....0..r0....R1.B.C.F.C.B.5.8.C.A.D.0.C.6.2.2.A.5.0.4.1.9.4.B.7.6.1.5.6.A.8.3.3.D.E.9.2.C.3.1...1..Y08..+.....7...1*0(...F.i.l.e........t.s.u.s.b.2...i.n.f...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...........X..."...Kv.j.=.,10b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.C.0.1.1.0.5.A.9.F.B.7.2.0.9.8.9.E.A.0.8.D.C.6.0.1.7.8.C.4.7.6.4.F.3.1.1.0.8.3...1..a08..+.....7...1*0(...F.i.l.e........t.s.u.s.b.2...s.y.s...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........|..Z.. ..
                                              Process:C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe
                                              File Type:Windows setup INFormation
                                              Category:dropped
                                              Size (bytes):26572
                                              Entropy (8bit):5.052674341978774
                                              Encrypted:false
                                              SSDEEP:768:XmFU4ImNXYZi7ZrMmFU4ImNXYZi7ZrAmFU4ImNXYZi7ZrO9:4xlZHxlZbxlZQ
                                              MD5:9BCA4F18DBF056BB928AACA8507198E8
                                              SHA1:1BCFCB58CAD0C622A504194B76156A833DE92C31
                                              SHA-256:619077F0035460737B47205E3F5DAE04EA4402B9EEEBD5BF5BEF47B067271398
                                              SHA-512:8656ABCBC6E638BBEFB0AC9A2D8C3B38EC697782E77F26F97196975D9D72CDFE6C12F883E1180160E0922CE7D36718193820EE581CE2695810B10324FF002A9A
                                              Malicious:false
                                              Preview:; Installation inf for DCC Teller Scanners..;..; (c) Copyright 2007 Digital Check Corporation..;..; 64-bit driver..; 2010-03-09, J.Fred, added CopyFiles for TSUSB2_TS.Dev. Added expansion PIDs.....[Version]..Signature="$Windows NT$"..Class=USB..ClassGUID={36FC9E60-C465-11CF-8056-444553540000}..provider=%DCC%..DriverVer=04/01/2010,2.0.0.0..CatalogFile=TsUsb2_x64.cat....[SourceDisksNames]..1=%Disk_Description%,,,....[SourceDisksFiles]..TsUsb2.sys = 1....[Manufacturer]..%MfgName%=TellerScan, NTx86, NTia64, NTamd64....; Keep these three in-sync: TellerScan.NTx86, TellerScan.NTia64 and TellerScan.NTamd64..[TellerScan.NTx86]..;------------------..; PCB/loader IDs.....;------------------..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0008 ; TS220..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0016 ; TS230 EDO..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0017 ; ES230 SD..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0018 ; CX30..; reserved for HTL Device 00
                                              Process:C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe
                                              File Type:PE32+ executable (native) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):53760
                                              Entropy (8bit):6.239294014916115
                                              Encrypted:false
                                              SSDEEP:768:WJMRr2/jozwW9CPkj//3gYGNZGyIbkHxumE5SjxIVEk3li1fCQhNjRhs/yVuicvz:WWRrkQt2O7mj0yQ3IaTJ
                                              MD5:D346647292F014BB769B018685177FDC
                                              SHA1:09371366C65EA5502108C397483BA4BE3AB20C83
                                              SHA-256:E08A39970ABE15F011D20AA903F98B8F9F51392987B51FECF1544900FD9FA36F
                                              SHA-512:53C61E91064AB7C7D130018EF02DCCA16B3CEF1882E5238E7AB0FB2C64C49CF8D2C6601631053F70DED2C9D2BFCBAB28690732489950B447D02EF85584075C5F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe
                                              File Type:PE32+ executable (native) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):53760
                                              Entropy (8bit):6.239294014916115
                                              Encrypted:false
                                              SSDEEP:768:WJMRr2/jozwW9CPkj//3gYGNZGyIbkHxumE5SjxIVEk3li1fCQhNjRhs/yVuicvz:WWRrkQt2O7mj0yQ3IaTJ
                                              MD5:D346647292F014BB769B018685177FDC
                                              SHA1:09371366C65EA5502108C397483BA4BE3AB20C83
                                              SHA-256:E08A39970ABE15F011D20AA903F98B8F9F51392987B51FECF1544900FD9FA36F
                                              SHA-512:53C61E91064AB7C7D130018EF02DCCA16B3CEF1882E5238E7AB0FB2C64C49CF8D2C6601631053F70DED2C9D2BFCBAB28690732489950B447D02EF85584075C5F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):18208
                                              Entropy (8bit):5.811418287870366
                                              Encrypted:false
                                              SSDEEP:384:MWZXksEk08ETDrDNLBLFOL/7nDfDnrHjXHUX4yQ0nTds:MWZXksEk08ETDrDNLBLFOL/7nDfDnrHR
                                              MD5:239F070ACDE2550A3F001B7146A5A5FA
                                              SHA1:EFC1A6BB213DA4CA3341D906DF80B50B962265AB
                                              SHA-256:34177A54958D7B6083C3668928C58ED968076E245EFAB4E90011EA08F1294166
                                              SHA-512:2ED00E2D74F929EC46D6289535730889853FD91D75FA0BC01CB1C741B53A2F1F2B6E41C5AF5E1B654C104973BC348DA0686E0AC0B64AD1791AEED4EDFAF757A7
                                              Malicious:false
                                              Preview:0.G...*.H........G.0.G....1.0...+......0.....+.....7......0...0...+.....7.........O..A.W...n...100408005841Z0...+.....7.....0..r0....R1.B.C.F.C.B.5.8.C.A.D.0.C.6.2.2.A.5.0.4.1.9.4.B.7.6.1.5.6.A.8.3.3.D.E.9.2.C.3.1...1..Y08..+.....7...1*0(...F.i.l.e........t.s.u.s.b.2...i.n.f...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...........X..."...Kv.j.=.,10b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.C.0.1.1.0.5.A.9.F.B.7.2.0.9.8.9.E.A.0.8.D.C.6.0.1.7.8.C.4.7.6.4.F.3.1.1.0.8.3...1..a08..+.....7...1*0(...F.i.l.e........t.s.u.s.b.2...s.y.s...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........|..Z.. ..
                                              Process:C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe
                                              File Type:Windows setup INFormation
                                              Category:dropped
                                              Size (bytes):26572
                                              Entropy (8bit):5.052674341978774
                                              Encrypted:false
                                              SSDEEP:768:XmFU4ImNXYZi7ZrMmFU4ImNXYZi7ZrAmFU4ImNXYZi7ZrO9:4xlZHxlZbxlZQ
                                              MD5:9BCA4F18DBF056BB928AACA8507198E8
                                              SHA1:1BCFCB58CAD0C622A504194B76156A833DE92C31
                                              SHA-256:619077F0035460737B47205E3F5DAE04EA4402B9EEEBD5BF5BEF47B067271398
                                              SHA-512:8656ABCBC6E638BBEFB0AC9A2D8C3B38EC697782E77F26F97196975D9D72CDFE6C12F883E1180160E0922CE7D36718193820EE581CE2695810B10324FF002A9A
                                              Malicious:false
                                              Preview:; Installation inf for DCC Teller Scanners..;..; (c) Copyright 2007 Digital Check Corporation..;..; 64-bit driver..; 2010-03-09, J.Fred, added CopyFiles for TSUSB2_TS.Dev. Added expansion PIDs.....[Version]..Signature="$Windows NT$"..Class=USB..ClassGUID={36FC9E60-C465-11CF-8056-444553540000}..provider=%DCC%..DriverVer=04/01/2010,2.0.0.0..CatalogFile=TsUsb2_x64.cat....[SourceDisksNames]..1=%Disk_Description%,,,....[SourceDisksFiles]..TsUsb2.sys = 1....[Manufacturer]..%MfgName%=TellerScan, NTx86, NTia64, NTamd64....; Keep these three in-sync: TellerScan.NTx86, TellerScan.NTia64 and TellerScan.NTamd64..[TellerScan.NTx86]..;------------------..; PCB/loader IDs.....;------------------..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0008 ; TS220..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0016 ; TS230 EDO..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0017 ; ES230 SD..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0018 ; CX30..; reserved for HTL Device 00
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):7680
                                              Entropy (8bit):4.470639335291818
                                              Encrypted:false
                                              SSDEEP:96:2Kg1sQa8rX8phfGlHuuDdRWgWHzv8Ffnbff:2X1sh8rMphf8HuuDd0d01
                                              MD5:04B9ED6CAF024BB7FE87F103D47B1126
                                              SHA1:33EE8D6A40E4F5705EDD989C228208BFDDF4DD15
                                              SHA-256:876ACBC0FB9956F32FDE58C3D1E53F536E6ABEEAA7BCD588A9C4D929BD7428CF
                                              SHA-512:013A43E62AE4D94A769D169ED720E4AB60919277A989EFA3B4F09EB6E802EF909E3710CC7FF9DD37DD62191FE103F6762EA737838A0EE52888514E24F91DB867
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):29068
                                              Entropy (8bit):5.305447198506409
                                              Encrypted:false
                                              SSDEEP:384:66qGXf3gCc2cWTT2ytl9XouK6Flz7o5ICH0saNFsOoGcvrQAUAPKG5BBRiqP3R/8:9qGv3Fbhmytl9XouK6b3oes069ygDkf/
                                              MD5:B3AB3030A299F909A58F2EABF4CF5349
                                              SHA1:A6189AA3C13DFB456DDF42B30D8C10A0A8D6212B
                                              SHA-256:A54CFA8E993EF2E69D8EDD6F04742379EFFC02E0AF8981D3B6F510B977F1F49A
                                              SHA-512:D5E3DC7CE5DA392F2DB92E62D4A764D6E1DDFE7FCBA995D29CC4AA7EAB33D50C2C5F5828A1E32CA4D87E381EF64118A48C4D41B7265A618F3445B2673FA8AAF2
                                              Malicious:false
                                              Preview:#..# Digital Check Sample Configuration File for Teller Scan Check Scanners..# TS215, TS220, TS230, TS240, TS4120, CX30, SB500, SB600, SB650..# BX7200..#..# API History Summary - See Documentation or Call for Details..#..#******************* API Version 12.11 Improvements*************************..# Added parameters CFG_UV_OVER128 and CFG_UV_ONEPERCENT..# Added Silver Bullet Debug Routine ..# Added Low Ink Test 0x200000 to DCCScan Options ..# Added ERRORLOWINK -241 ..# Avoid second BX7200 Content by using PID/VID routine..# Added function DCCUVGain..# Updated BX7200 Firmware to avoid future firmware loading issues...# Get rid of more cfg.tmp files on non USB scanners...# Added Tests in DCCScan to keep Threads in sequence even on a double feed...# Fixed DCCScanSetSpecialDocumentEx stack problem. ..# Fixed a CMC7 OCR issue on dark images ..# Changes to support SB650M re
                                              Process:C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):6640
                                              Entropy (8bit):3.6363018374696656
                                              Encrypted:false
                                              SSDEEP:96:eh4dxbru45+o3WJB79BfhMdxbb9b1KK3Q1YQ63Qt9fJcVHb:bC+bgub
                                              MD5:F55E237E2B3DE9542681C45E9A627C0E
                                              SHA1:49B5F31632B05A0E8756E3C32757E0D0E593E6C4
                                              SHA-256:71400AEEF4B9167D1D13674CDE910371A4CA0A1FCA4855F9CB7680416244733A
                                              SHA-512:F83610345CAAE7529B815D3FB226D99A74F5213C60FFBCF20402BBEDE59E75534D3F65E294C0233D28EBD31E9C99B9E925411F6D7E0592E47499BD211F405093
                                              Malicious:false
                                              Preview:..I.N.F.O.:. . . .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....I.N.F.O.:. . . .0.8./.3.0./.2.0.2.3. .2.3.:.3.9.:.3.4.....I.N.F.O.:. . . .P.r.o.d.u.c.t. .V.e.r.s.i.o.n. .2...1...1...0.......I.N.F.O.:. . . .V.e.r.s.i.o.n.:. .6...2...9.2.0.0. .....I.N.F.O.:. . . .P.l.a.t.f.o.r.m. .I.D.:. .2. .(.N.T.).....I.N.F.O.:. . . .S.e.r.v.i.c.e. .P.a.c.k.:. .0...0.....I.N.F.O.:. . . .S.u.i.t.e.:. .0.x.0.1.0.0.,. .P.r.o.d.u.c.t. .T.y.p.e.:. .1.....I.N.F.O.:. . . .A.r.c.h.i.t.e.c.t.u.r.e.:. .A.M.D.6.4.......I.N.F.O.:. . . .I.n.t.e.r.a.c.t.i.v.e. .W.i.n.d.o.w.s. .S.t.a.t.i.o.n.....I.N.F.O.:. . . .C.o.m.m.a.n.d. .L.i.n.e.:. .'.".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.T.e.l.l.e.r.S.c.a.n.\.D.r.i.v.e.r.s.\.6.4.-.b.i.t.\.D.P.I.n.s.t...e.x.e.". ./.u. .t.s.u.s.b.2...i.n.f. ./.d. ./.q.'.....I.N.F.O.:. . . .D.P.I.n.s.t. .i.s. .a. .m.u.l.t.i.-.l.i.n.g.u.a.l. .b.i.n.a.r.y.......I.N.F.O.:. . . .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....I.
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:Windows setup INFormation
                                              Category:dropped
                                              Size (bytes):398
                                              Entropy (8bit):5.168890198215141
                                              Encrypted:false
                                              SSDEEP:6:hGkAv+BIHfXh7Nbocq2Gd1GdCNP30zlFGdl3ec13XkIL5gOSYrIhHhUWmXEGyN0W:BBIppM48T/0rYLlxaVhHeHX1ympNXy
                                              MD5:312199BCC4B0A2A1D906B1D0CBA05E8E
                                              SHA1:930158C5BD49DCA752754479D8F37EF82B951F6B
                                              SHA-256:CE098D25F4F139AB0A963AF82E1F882D330E0F00A79C7B7548B61D04E0D1D190
                                              SHA-512:713752B492830D78960641E8845BFEF468C7323077E284D1310576C2BC0323BD6C68811B2BF2D00B4903EAA287835A0FBCAC94340ECA2CE17B50552F2F3957E5
                                              Malicious:false
                                              Preview:[version]..signature="$CHICAGO$"..AdvancedINF=2.0....[Add.Code]..alttiff.ocx=alttiff.ocx..alttifflicense.dat=alttifflicense.dat....[alttiff.ocx]..file-win32-x86=thiscab..file-win32-alpha=ignore..file-win32-mips=ignore..file-win32-ppc=ignore..clsid={106E49CF-797A-11D2-81A2-00E02C015623}..FileVersion=1,9,2,1..RegisterServer=yes....[alttifflicense.dat]..file-win32-x86=thiscab..RegisterServer=no....
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):889616
                                              Entropy (8bit):6.23829939927169
                                              Encrypted:false
                                              SSDEEP:12288:jn4WEC9uZ2NcpKA8Rt2UVJD+S2xpEUYRfXmEa0OHR+TXYUMjHNS:jC12OpKLtdH+S2xpktX2FETXnMjHNS
                                              MD5:F8CC300DB99E1F5A3920DB1503FCDDD4
                                              SHA1:E99A13540676C42945DF006E0239F2084EAE886F
                                              SHA-256:EC27A6B9D42F852D47FB57DACFCE6EDDBB117E45D2F3C447990426ACE0684277
                                              SHA-512:18A96ECBA81F8A67D05EB5EE62CFEA04D7FAD6820992A28992C472B2498675761AEF6B59AFD638C0FF6B5A04D60793D7FEC9A8BA3313CE210984A4AAC2935EC6
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 3%
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:ASCII text
                                              Category:modified
                                              Size (bytes):38
                                              Entropy (8bit):4.326360407952694
                                              Encrypted:false
                                              SSDEEP:3:JLdVIdVsku92d5n:JLXIdmku9M
                                              MD5:63AED2F4474C4F0B29539E9C6EEAC780
                                              SHA1:70DBB44429221C3E1C116FE50E58626011C231AD
                                              SHA-256:576D3AEC935AA824A8525F9BE9DA6EDA32EEFCF3FC1C93529251DAFADD7A583F
                                              SHA-512:B3EA5CE327C9C870126D7CCB4BC0761CFC1FF93845EEDD76EE980AC82F579D4C9C3CB8A09FA2CD59D86AE09AFC359EECD18F3524FCDC702F1673A279A3DB2D22
                                              Malicious:false
                                              Preview:b76250f28014640e|1372|unlim|Carreker|.
                                              Process:C:\Windows\System32\drvinst.exe
                                              File Type:Windows setup INFormation
                                              Category:dropped
                                              Size (bytes):26572
                                              Entropy (8bit):5.052674341978774
                                              Encrypted:false
                                              SSDEEP:768:XmFU4ImNXYZi7ZrMmFU4ImNXYZi7ZrAmFU4ImNXYZi7ZrO9:4xlZHxlZbxlZQ
                                              MD5:9BCA4F18DBF056BB928AACA8507198E8
                                              SHA1:1BCFCB58CAD0C622A504194B76156A833DE92C31
                                              SHA-256:619077F0035460737B47205E3F5DAE04EA4402B9EEEBD5BF5BEF47B067271398
                                              SHA-512:8656ABCBC6E638BBEFB0AC9A2D8C3B38EC697782E77F26F97196975D9D72CDFE6C12F883E1180160E0922CE7D36718193820EE581CE2695810B10324FF002A9A
                                              Malicious:false
                                              Preview:; Installation inf for DCC Teller Scanners..;..; (c) Copyright 2007 Digital Check Corporation..;..; 64-bit driver..; 2010-03-09, J.Fred, added CopyFiles for TSUSB2_TS.Dev. Added expansion PIDs.....[Version]..Signature="$Windows NT$"..Class=USB..ClassGUID={36FC9E60-C465-11CF-8056-444553540000}..provider=%DCC%..DriverVer=04/01/2010,2.0.0.0..CatalogFile=TsUsb2_x64.cat....[SourceDisksNames]..1=%Disk_Description%,,,....[SourceDisksFiles]..TsUsb2.sys = 1....[Manufacturer]..%MfgName%=TellerScan, NTx86, NTia64, NTamd64....; Keep these three in-sync: TellerScan.NTx86, TellerScan.NTia64 and TellerScan.NTamd64..[TellerScan.NTx86]..;------------------..; PCB/loader IDs.....;------------------..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0008 ; TS220..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0016 ; TS230 EDO..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0017 ; ES230 SD..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0018 ; CX30..; reserved for HTL Device 00
                                              Process:C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe
                                              File Type:Generic INItialization configuration [BeginLog]
                                              Category:dropped
                                              Size (bytes):113079
                                              Entropy (8bit):5.212994547379741
                                              Encrypted:false
                                              SSDEEP:768:jCNrdVhum5SAARRZum3qmArOkPWyssIHt+iH3Ppks32RYDUd+/gZars1tOPwpqbg:ji3humwAAdgOkPWHAiH3w3QW
                                              MD5:1E6F40DE455280697D92E12FD04263B4
                                              SHA1:1D8875935B364C8B602BF2A9169704E521E97B1F
                                              SHA-256:48C5E6734FE93CCA7792DDECD0D8DBEA6D98F29943DA1D42FAB26B4C32871BE0
                                              SHA-512:BC480394AA908483AD1077BEFA6489EB7BF1C50A9045BEF960CF56FC55FE82666148EE220C82A30FA436B711ABE59FB7277AC1C3ADF7AD36AB6B9C5A1871DA62
                                              Malicious:false
                                              Preview:[Device Install Log].. OS Version = 10.0.18363.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2021/05/27 07:15:46.500]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2021/05/27 07:18:03.852.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.18362.1.. inf: Catalog File: prnms009.cat.. pol: {Driver package policy check} 07:18:03.883.. pol: {Driver package policy check - exit(0x00000000)} 07:18:03.883.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 07:18:03.915.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 07:18:03.915.. inf: Driver package 'prnms009.Inf' is
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319., Template: Intel;0, Revision Number: {F035AD1C-45C3-4166-865F-C2F7CD4958B1}, Create Time/Date: Fri Mar 19 16:11:58 2010, Last Saved Time/Date: Fri Mar 19 16:11:58 2010, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 2, Number of Words: 2
                                              Category:dropped
                                              Size (bytes):155136
                                              Entropy (8bit):6.337010677866242
                                              Encrypted:false
                                              SSDEEP:3072:sMf8zRfPfe6Ss7xJjc769oH12dwGNdJK0+E4mN2EKK995:ERHfeps7xRrldw7I
                                              MD5:CD2B99BB86BA6A499110C72B78B9324E
                                              SHA1:7A288418B36E681093B33DC169E4D27C2EE33EDD
                                              SHA-256:41F6B61E0C070C86E32D8777629DFC8E860848865FEFA0BA7D69E9FEF0A3B174
                                              SHA-512:17174B8F0186F05BE1E20215AAFD64797EC4F831A0D3E0E97ADE3F0A25CB6F78D1D8BF568DFEA1B2DE2ADD3A9D64AAA5B4319F7927301D5D73BBAB1B0EAAE3D5
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319., Template: Intel;0, Revision Number: {F035AD1C-45C3-4166-865F-C2F7CD4958B1}, Create Time/Date: Fri Mar 19 16:11:58 2010, Last Saved Time/Date: Fri Mar 19 16:11:58 2010, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 2, Number of Words: 2
                                              Category:dropped
                                              Size (bytes):155136
                                              Entropy (8bit):6.337010677866242
                                              Encrypted:false
                                              SSDEEP:3072:sMf8zRfPfe6Ss7xJjc769oH12dwGNdJK0+E4mN2EKK995:ERHfeps7xRrldw7I
                                              MD5:CD2B99BB86BA6A499110C72B78B9324E
                                              SHA1:7A288418B36E681093B33DC169E4D27C2EE33EDD
                                              SHA-256:41F6B61E0C070C86E32D8777629DFC8E860848865FEFA0BA7D69E9FEF0A3B174
                                              SHA-512:17174B8F0186F05BE1E20215AAFD64797EC4F831A0D3E0E97ADE3F0A25CB6F78D1D8BF568DFEA1B2DE2ADD3A9D64AAA5B4319F7927301D5D73BBAB1B0EAAE3D5
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Fiserv Ranger Remote Secure 1.4.2.1 Installer, Author: Fiserv, Keywords: Installer, Comments: Fiserv Packaging of Ranger Remote 1.4.2.1 Installer with Secure Certificates, Template: Intel;1033, Revision Number: {9C9EEB3F-182B-4DBC-94C7-8E9605B2A9A9}, Create Time/Date: Thu May 4 15:53:12 2017, Last Saved Time/Date: Thu May 4 15:53:12 2017, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.3.3007), Security: 2
                                              Category:dropped
                                              Size (bytes):7069696
                                              Entropy (8bit):7.998225611323013
                                              Encrypted:true
                                              SSDEEP:196608:zcwSqQ2JmzD+c3Lq84/eEDyA7Wgd55VivrPQFRhQKk:zvSEqf4HGA6gD5MY0
                                              MD5:5374F4FBBD0E339B7E9911848A8392CA
                                              SHA1:8508B9AF64C3ECC4EF971E5FAFBBC368378E0512
                                              SHA-256:5F73A2DA4B82AB956C5248F41E935877DBBD57331C36ECAAB2DB7ADE9CBB8944
                                              SHA-512:92045162039E6D66E3F2A3FDCABEC5A6105F0364A50B387AFDD12B8FA2B03AD76D0B701615B1B92B9A1F12AF5822CAFE013D29F66CADA0396529B57D5F02F13A
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):16056
                                              Entropy (8bit):6.1453101868992075
                                              Encrypted:false
                                              SSDEEP:384:wipqWRW40Duy6kJ62TGomsbA+ciKPRSlci7WST:w5WRW40qy6kJ62TGorAxiKPRHiD
                                              MD5:5938AA90C10059869C10208690C5712C
                                              SHA1:55A028835960EAE1CF70D0EA2F7B29BBB4512C55
                                              SHA-256:4B2F8CB6505B1DBEC3CACF6BE59AA85A819EDE3BE4873BAC27A0A55F1013F0D6
                                              SHA-512:C3A321BE9D52539F421BF546EF072F074F625CB86A06AE29B9B1A970777A7A7DF9B8D609132D726D696BC07A3893319AC854B16091B2A01E690B9F099E90AEFC
                                              Malicious:false
                                              Preview:...@IXOS.@.....@..W.@.....@.....@.....@.....@.....@......&.{196BB40D-1578-3D01-B289-BEFC77A11A1E};.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319..vc_red.msi.@.....@ov...@.....@........&.{F035AD1C-45C3-4166-865F-C2F7CD4958B1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@2....@.....@.]....&.{8453C4E7-26E8-3408-B3A4-5940CA95BC60}@.02:\SOFTWARE\Microsoft\VisualStudio\10.0\VC\VCRedist\x86\Version.@.......@.....@.....@......&.{1414BD84-D9A5-3EE5-AA73-118D7C072370}D.02:\SOFTWARE\Microsoft\DevDiv\vc\Servicing\10.0\red\x86\1033\Install.@.......@.....@.....@......&.{E2F46933-FF4F-46E0-B997-F64D2C6D4FA1}D.c:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll.@.......@.....@.....@......&.{529D0A60-398C-38A2-97EF-82FAFA798A06}..c:\Win
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):3116
                                              Entropy (8bit):5.593157140537516
                                              Encrypted:false
                                              SSDEEP:96:Rpmf9/B/auF6nghObcTG/dxvoNOoe6JLm9c2jIREPramf0:RAf9/B/tF6nghDTG/dxvoQoe6MNMRWr6
                                              MD5:804057047B9970A4A1B4C203D083FCFD
                                              SHA1:87973B561CDBA217AB0B07ED72C29C2CE322D9B7
                                              SHA-256:41243C3CA7F05544E7D72646457E4462FA6BAC1ACCD7117B179B11203C292B03
                                              SHA-512:271C66F2E4BCADC7CC974D8E97A83AA444C3E14AB0234C78904EE607627A87B694E8E3B1D756C845D3FDBCC1F61E50F8A207DC84941548E06D2FEDD0A944896B
                                              Malicious:false
                                              Preview:...@IXOS.@.....@...W.@.....@.....@.....@.....@.....@......&.{B64ED1C1-67C0-47C8-91DE-E75B66145206}..Ranger Remote Secure 1.4.2.1..RangerRemoteSecureInstaller.msi.@.....@.....@.....@........&.{9C9EEB3F-182B-4DBC-94C7-8E9605B2A9A9}.....@.....@.....@.....@.......@.....@.....@.......@......Ranger Remote Secure 1.4.2.1......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{3C1BBADB-FABF-43F8-A8BC-10707C4EF240}Z.C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe.@.......@.....@.....@......&.{272795E3-2968-4FB8-8E5B-696FEB809297}S.C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\installRangerRemoteSecure.bat.@.......@.....@.....@......&.{88E13337-6F6E-4550-8B38-42F971AFAFED}M.C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\startupRangerRemote.bat.@.......@.....@.....@........InstallFiles..Copying new files&.File
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):20480
                                              Entropy (8bit):1.5337609470479663
                                              Encrypted:false
                                              SSDEEP:12:JSbX72FjcAZWhLIlHZRpQhd7777777777777777777777777Coy9DHFVa+7EpPe8:J6ptINToy5/poJegvZRdsH6DxDDZFNx
                                              MD5:FB5C35BC2270B128B4F9040F8F62EC30
                                              SHA1:F0FDAF8AAF96FA0DD9A66C6C0909E43DC48E3833
                                              SHA-256:17B6C4843FD9CD2DF96DCE0E965448A1F8D56A47C901C2CC7645D657CC6EB9FA
                                              SHA-512:9FB47579800B8BB5536748CC959F9D00AF25A59B1EA0DCC779708CB62E8647F03456E40F183C257A60B576C61F9F6770C3BF65857645BA3E7D498C80A1188771
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):49152
                                              Entropy (8bit):0.7732954541713846
                                              Encrypted:false
                                              SSDEEP:12:JSbX72FjWeJAGiLIlHVRpyh/7777777777777777777777777vDHFvqyBn6OXWhz:J8eJQI5iNt64dF
                                              MD5:F0322F240798836905C47C50A5A84776
                                              SHA1:6EF9B381DA0796C66FBFD53DD6A96EF8F067AC8B
                                              SHA-256:2085497895F34041CBD2CF4AFCF63D4B2B1546321157F0F272B69FD5E4F05595
                                              SHA-512:282CC8138DB8ACD1691A743565163ED617B3C1F6CF27BC3EA18073501758BD2E0FDE9E8D8CDEA2CAE87F6483BE5D493DED3308E6F0F9296C2CD84439B7068763
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):1.2293356823339858
                                              Encrypted:false
                                              SSDEEP:48:6JmuSth8FXzxT5tmT7Z8fdjS5SmTWHrLdjSIN8l/:KmAPTc8Zd5
                                              MD5:474331D3B274340B2EE1D5B7E526822E
                                              SHA1:A6BA38412BD010788F59F004DFEFF0C0BF12335A
                                              SHA-256:F27BCE3E71900F3EEE69AC87B23E0FA801E5671802F557E09012658309D41AE2
                                              SHA-512:EE1D7F30A0840F088FCF5032BF446B1274B48F4BA04760FD0356B0B77E366DB4FFEEDFBC51A64EC604BF3B9EAD869A04F5AA890C402075C334BE0F1EAD2EAD28
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):323493
                                              Entropy (8bit):5.392679527662842
                                              Encrypted:false
                                              SSDEEP:3072:TZm8NfjtKEXD/98zObewGTR/qvvnrcm1G0xw5cyqq173c0t82xthfiqiTxZOQb7m:sEXD/98zObewGTR/qspTUza
                                              MD5:C670636ACBBAA0A4F372B4B1F6CBEABF
                                              SHA1:B6437ADB8FF6E3511969BCC78D59C0D6CA5200FE
                                              SHA-256:941C58127A7EBDC7252DE9644DB6842846D2838DCF31AA032F44AFBDD6E93162
                                              SHA-512:AB936755B3675CB785395D2E8412F4FAF13F9E3E51382C3ECCB2555E7A3AF8420EE5C939C46E755A9347669F0B252421E6C6DE68366478E012791BDE7B8F2451
                                              Malicious:false
                                              Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..03/19/2019 06:29:48.034 [4768]: Command line: D:\wd\compilerTemp\BMT.thr2gc0c.r44\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..03/19/2019 06:29:48.065 [4768]: Executing command from offline queue: install "System.IdentityModel.Selectors, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:3..03/19/2019 06:29:48.065 [4768]: Exclusion list entry found for System.IdentityModel.Selectors, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil; it will not be installed..03/19/2019 06:29:48.065 [4768]: Executing command from offline queue: install "System.AddIn.Contract, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=msil" /NoDependencies /queue:3..03/19/2019 06:29:48.065 [4768]: Exclusion
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text
                                              Category:dropped
                                              Size (bytes):2583
                                              Entropy (8bit):4.9697986369741445
                                              Encrypted:false
                                              SSDEEP:48:5nL4sTeegaiJpfd8ewgm63QmncUJ3t30rPzDA0GJBjUFtlTFeolVK1W7mTJf/7J0:xL4sTtgjDfiewgm63QmcUxl01G6tTeoN
                                              MD5:B85E9A4702D1EEE70CA0B91AB0BD8110
                                              SHA1:9BE136BF0625D12E69B5F440892C67DD76ED2363
                                              SHA-256:4C365648A2AF6EA1B81DF89BD9BA18082D9475218CF609C0E72EAB72157C4F9C
                                              SHA-512:66931D4BD97531B12609E11A78F81BEA25215C0CFC83DDC42290B27E6A808D7702DE6585D826788763BC9823C038BCB904109FCAD10731D28E58EC10BEFE3026
                                              Malicious:false
                                              Preview:.{. "AFSEnvironment" : 0,. "AFSUrl" : "https://activity.windows.com",. "AccountSettings" : [],. "AfcDefaultUser" : "",. "AfcPrivacySettings" : {. "ActivityFeed" : 0,. "CloudSync" : 0,. "PublishUserActivity" : 0,. "UploadUserActivity" : 1. },. "AfsConnectivityEnabled" : true,. "AfsPostInitializeSyncWaitMs" : 10000,. "AfsSyncFrequencyMs" : 86400000,. "Authentication.Environment" : 0,. "BluetoothTransportEnabled" : true,. "BluetoothTransportHostingAllowed" : true,. "CcsApiVersion" : "/api/v1",. "CcsDefaultServerName" : "romeccs.microsoft.com",. "CcsPollingEnabled" : false,. "CcsPollingInterval" : 0,. "CcsSeenRequestIds" : [],. "CcsSeenRequestIdsLastUpdatedTime" : "0000-00-00T00:00:00.000",. "Cloud.SessionIdleTimeoutIntervalSecs" : 3600,. "CloudDataGroupPolicyActivitiyPolicies" : [],. "CloudDataMDMActivitiyPolicies" : [],. "CloudTransportEnabled" : true,. "CloudTransportHostingAllowed" : true,. "CustomAuthClsid" : "",.
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text
                                              Category:modified
                                              Size (bytes):945
                                              Entropy (8bit):4.857745190648316
                                              Encrypted:false
                                              SSDEEP:24:oScATnwlThXGpA781cL1/ydYmXG2mXG784zZGUQUXGoXp:NpMdB0AI1cx/yfGXGIIjQOzp
                                              MD5:FDDF81B50E41D34ADC1492AA7BEB6B59
                                              SHA1:9173162461B1E4C3ED05001CE3EF7B3E099BC1B0
                                              SHA-256:B38827436FA865F2DAE2A8D65D160911056D007CD1FC369B732816CEA1F4AFA8
                                              SHA-512:9C2A0D0B4C661147EC8418A986FAD919C74823F3BBAA4D6C23558A6315B675ADF502B73FF79B24058BF50AC8F45C15DFCBA32D6F0A7EA89E5B9A25758D2897F1
                                              Malicious:false
                                              Preview:.{. "AfcDatabaseSettings" : {. "DatabaseInstanceId" : 0,. "LastUpdated" : "2023-08-30T23:39:08.788". },. "AfsActivityTypes" : [],. "AfsChannelUri" : "",. "AfsEnvironment" : "",. "AfsSubscriptionId" : "",. "AfsSubscriptionUpdateTime" : "0000-00-00T00:00:00.000",. "BaseRegisteredInfoHash" : "",. "CNCNotificationUri" : "",. "CNCNotificationUriExpirationTime" : "0000-00-00T00:00:00.000",. "CNCNotificationUriLastSynced" : "0000-00-00T00:00:00.000",. "DdsRegistrationExpiryTickCount" : 2375988259040,. "Devices" : [],. "FormatVersion" : 12,. "LastRegisteredNotificationUri" : "",. "LastRegisteredNotificationUriExpirationTime" : "0000-00-00T00:00:00.000",. "LastSyncedTime" : "0000-00-00T00:00:00.000",. "LogicalDeviceId" : "",. "NextDataEncryptionKeyRolloverTime" : "0000-00-00T00:00:00.000",. "RegisteredInfoHash" : "",. "RegisteredWithStrongAuth" : false,. "StableUserId" : "L.user".}.
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                              Category:dropped
                                              Size (bytes):244024
                                              Entropy (8bit):6.0561230560378165
                                              Encrypted:false
                                              SSDEEP:6144:9M1ZTPilVt2PF617WvHtRqKxuod6F50Sw9pktCfh1vYx:9MDyVt29WWvHtRdfEipkQJYx
                                              MD5:898F06BBE5317236571360E544D1A0E0
                                              SHA1:A05B720D0071EC2885AE9F27564F271808F404E4
                                              SHA-256:A9CBF98DC48A5DE272A5E995E3160864994163DE592EF453BF935ED574509501
                                              SHA-512:C1D7A78AA2611795DA6938864B017D8CB0ACCB3D079353BD2BE338898869090D837A65089D90E81828389A834780E7DEB29AEB62DB575F7E2369F18B85A6DA99
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1222656
                                              Entropy (8bit):6.723827725920805
                                              Encrypted:false
                                              SSDEEP:24576:kMdsp92DANJpHTRoZX9ZVD1AWnqSZmVLraaxj9:0p9pNJhTRoZXrVqWnZiraaxj
                                              MD5:557E2596276A5E15C5771F94FC418E13
                                              SHA1:968792B68A3D28606E1D442EC1DC4D254C55F349
                                              SHA-256:A9CFE9AF7FEA64E1FC55804FB966FC2874BDFA26FC89B114EEE35158D2CAB70B
                                              SHA-512:FC0A4214744161B7C1670C20EF4C8ACB2B0B7FF9F052F4DC3BD8E7ED15246AAA1B7ED40DCEFFF918F9A36339151EA5CA06756D8060C23334AC0EA11C67FDF3F0
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):138056
                                              Entropy (8bit):6.453257536048564
                                              Encrypted:false
                                              SSDEEP:3072:XGAbjYAiKWDEvB+55/Ho4y6P5sxQ2euRA9ot:z+KWovoP/Ho4BP5wdUS
                                              MD5:36D7D05505951F542922DF4C725CC57D
                                              SHA1:074902FF54D30EF6EE2FD6EBE475526CAC84670C
                                              SHA-256:74B7C86B75CFAF5121554BD8CC4DD8E496458311070FA43B9B4FB13B4D8C8EAB
                                              SHA-512:4C7F9445703FC79F595739CFC0D4E24DADE4C9959F6CB24840B020E98943F4DBED9C2937187165452215AB0A683D1159C4D629E22BFFA625BF08286FCE657889
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1245184
                                              Entropy (8bit):6.348918753784508
                                              Encrypted:false
                                              SSDEEP:24576:6QCW5SZCpp3CD5YqGHzC0e32J6HHHPgP597HAHyIVp5jOM65CK/n524:TWCzStYqGHO0e32J6HHHPgP597HAHyIQ
                                              MD5:BF26EA5BC93CCC19F19CF79EA7B52D6D
                                              SHA1:CC9F107AA1D6305D70BDE7ACA60AFC3F2300A164
                                              SHA-256:6E7847852033CF7A7B210AC1E075693544BD28AD1A3E28F01B29E76B83A16853
                                              SHA-512:175DA58DCFBE61F515FE7544AE168452A328D0CABF4B36A0DA2A19974A951D4716224F9E429E07B2B6D8BC7F10A7E56203998E2CCA8E42FBF445B13C29E71DEE
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1198592
                                              Entropy (8bit):6.274443496611462
                                              Encrypted:false
                                              SSDEEP:24576:e6w5bk7kdf5WpsFQZjxx+XQISpEUYXEpZWnw/p8dFNKa6bWvj1FPkTFZK:eHI7eo0EpAdzKa6bWb1FPkTu
                                              MD5:FC21F2672ED41B4171F0BC7CBE82CCE6
                                              SHA1:E9B9EBF6A26878A1E99DC7C53512DF75B181D27E
                                              SHA-256:2925D0086B958CCAB16AE13D62CBB322BB158C33DD771657A33314D6BF24E551
                                              SHA-512:10CE5B63BC6DB58A98CFFC007F1996E8076509FDE3C7A43FBAB07629B34AC47731BA6A3FEA916E4856BAC1470E65895BEE8CA08151FA910A418488A802A6C73B
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):397034
                                              Entropy (8bit):3.4872813327188426
                                              Encrypted:false
                                              SSDEEP:3072:nrFzY5DmhhMc+FKDjpXPhuMx2jpXPhuMxy:BcwD9XJuA29XJuAy
                                              MD5:029BAAE7FD6DEAF75BBF770E3583A85C
                                              SHA1:07CDF0D477371F55F1A7572810F9EC0F7E0B049B
                                              SHA-256:66AE79AEB1C0DCE73DB34A58EE4D34359221CB7BEB5CD56AF3C33F6EF4484386
                                              SHA-512:9FEDFBA21336ACB3649B200A8ACFC859AE6EF2EA82429784D94F4C4C6A5A3988F9BA838CC1760C6B52D80FFB9BA6DB10F79269506CBF84D0CDF7DECC24F6DE50
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):398068
                                              Entropy (8bit):3.4970381307504
                                              Encrypted:false
                                              SSDEEP:1536:MYEi4egSN2GolUqENG3VC3ImlZjpXPhL+mGXU9DTAWinqo7lZjpXPhL+mGXU9DTY:VE4Q6yC3IOjpXPhuMx2jpXPhuMxy
                                              MD5:696B07ADF2E69DB863D0F2DC0009F729
                                              SHA1:21775FAAD4491036BBB07F9657DFE2E17E232ECD
                                              SHA-256:3679FF02CA1C45BC9BA1CE50E33C6B111D94945770201003AD4DA9822B42D136
                                              SHA-512:235290482105A389C5CA7B2D358A7BD2FE97A955002C692AF13F49961B3E5EE7A19D91D6A839BEDEDBC44A6328A47B796DA44D4E14CEE79F6A8F1BA95029AB48
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):192190
                                              Entropy (8bit):3.492200040244344
                                              Encrypted:false
                                              SSDEEP:1536:uk82Lc9/rk82Lc9/jWdYiIlI5WdYiIlI2:l82whg82whW2l2D
                                              MD5:B62899CB135BA7CDBBFECCE45886F0FC
                                              SHA1:21CC611C61454940CD759D05638D875DDDCB4BB0
                                              SHA-256:EA1DF34D4F910524E771FE6EE73A8B06F31E96F600B9621982FA70D1AD899FDE
                                              SHA-512:7F6CC11970A5948F33C08C57F5EFD353360E8A1E4905836DCA4AE1E6A40668B44566E75CC06B02C3A2D59FDAB2CAE5E553D4077811511A7E2A6DEB2412FFC591
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):192190
                                              Entropy (8bit):3.492200040244344
                                              Encrypted:false
                                              SSDEEP:1536:uk82Lc9/rk82Lc9/jWdYiIlI5WdYiIlI2:l82whg82whW2l2D
                                              MD5:B62899CB135BA7CDBBFECCE45886F0FC
                                              SHA1:21CC611C61454940CD759D05638D875DDDCB4BB0
                                              SHA-256:EA1DF34D4F910524E771FE6EE73A8B06F31E96F600B9621982FA70D1AD899FDE
                                              SHA-512:7F6CC11970A5948F33C08C57F5EFD353360E8A1E4905836DCA4AE1E6A40668B44566E75CC06B02C3A2D59FDAB2CAE5E553D4077811511A7E2A6DEB2412FFC591
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):194038
                                              Entropy (8bit):3.5218272482050432
                                              Encrypted:false
                                              SSDEEP:1536:B5RlcAXaM+2tHR5RlcAXaM+2tH/WdYiIlI5WdYiIlI2:jBtzBtC2l2D
                                              MD5:8D74E2CC353A05E8CB03A57476C8B49F
                                              SHA1:7A73915DAE6866C6640DD3C0BE6B0B4D3AC16428
                                              SHA-256:48516DC57A43BEBE38CBAD973336136FF7222960310AE99D293B9D97FD1E391A
                                              SHA-512:B066511E180D2066327B5E4B5EB5AF76AB6D90F17C1D3742E387FD2FF5AEF7859F0E49E78D5765237B7712247B9A5887F77A9A5BC4B703F580C9B679DB17DA64
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):95145
                                              Entropy (8bit):5.893059156773491
                                              Encrypted:false
                                              SSDEEP:1536:ZOzNlFvpXoArmV4ia6g8eKOsFYjZP+oprdnELx6ekXgT+o+jJTP1PE:kp/rmIj8eKOs6jUclJVP1P
                                              MD5:E1729359F94D9BE8BA44AE4FDDD18863
                                              SHA1:E832FA4B20B1B567AB22BC2397EE37A925E9E243
                                              SHA-256:FA1D59BEEEE0B40D4F1FB4F3AA91779D50E9CF89BDC7A8F46048D3B05F97E35C
                                              SHA-512:EF15959B32966F58AD15290460ABDB8C81DDB411D69A98E5B6BE8179EA0A31B6F8775F381E289012E42B7BA8B49962F43DE07CAD123162D3B6BDDA1D480BA781
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):315864
                                              Entropy (8bit):3.213201883320518
                                              Encrypted:false
                                              SSDEEP:1536:qQCvei2bNWJLOC3utR2EZeHHAKi8KTlESP64wRqbtM+Nijain:rOzctC3utR2EWURE+9eoiL
                                              MD5:3DD77599486D2FC6C20801B324279937
                                              SHA1:B09F42C2C6B21B4EC34A26B97AD34BBD2CCD7E6C
                                              SHA-256:5960451A56B28513D0B80C0D6918895CF031920E5D3C8B8ACA23B514439CBAA3
                                              SHA-512:92ED9BDF63011E8F81FA87A79D336EC578762EB50B27652A04A255A38DD899C44FA06B7F3EE59B322F650A100241E6CBB3338C4169EAF3A9FB0B36B744C3B49D
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):315864
                                              Entropy (8bit):3.213201883320518
                                              Encrypted:false
                                              SSDEEP:1536:qQCvei2bNWJLOC3utR2EZeHHAKi8KTlESP64wRqbtM+Nijain:rOzctC3utR2EWURE+9eoiL
                                              MD5:3DD77599486D2FC6C20801B324279937
                                              SHA1:B09F42C2C6B21B4EC34A26B97AD34BBD2CCD7E6C
                                              SHA-256:5960451A56B28513D0B80C0D6918895CF031920E5D3C8B8ACA23B514439CBAA3
                                              SHA-512:92ED9BDF63011E8F81FA87A79D336EC578762EB50B27652A04A255A38DD899C44FA06B7F3EE59B322F650A100241E6CBB3338C4169EAF3A9FB0B36B744C3B49D
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):319560
                                              Entropy (8bit):3.3318803770679204
                                              Encrypted:false
                                              SSDEEP:1536:KQCyZTjijXMznA9KbyVaHHAKi8KTlESP64Ys8YNNohToyOsVo9v0ol7e5a:LrZTj8XQA95VsURE+UsjDgzo9tma
                                              MD5:7FDC86497A4C4D771AD54C762895FDBA
                                              SHA1:D7E165AAE809CA99831BEC0D15193A9457CB8C2C
                                              SHA-256:D12C8717186F51946F35A46F349719777671FF99F10E413C5BA9C8F45C107747
                                              SHA-512:C71244EBFCC7D84FB6B00D2229ECDA943804FC131AEC7A065F05F97B4450E1A072FE8FC988635D914CBBE56A08B4690E2F2C3DB84F91A843F3FCFBDEAF17D0F0
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):415184
                                              Entropy (8bit):3.6384935734038066
                                              Encrypted:false
                                              SSDEEP:3072:jOU2MFxkmV5VvGKgF3jpXPhuMx2jpXPhuMxy:jOU2WLzEX39XJuA29XJuAy
                                              MD5:3E1AB77590C0984FBD19E58BD708CBD9
                                              SHA1:D861BCDBFADA0B6BD79AC960F5A08FB7E493180D
                                              SHA-256:45A7BA66F0C9BBC0298714B5834FFCB6B35E31D9AE4152CA0B303D20E9378CC4
                                              SHA-512:CE6A4F271C359B83EA40E531A6929926913C189031CB5C9C59432F1F76DC9517F391D2248EBE44F87ABC4C930D21B615DE1DC62118DA8156CBE5BAD9A4FEA201
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):319560
                                              Entropy (8bit):3.3318803770679204
                                              Encrypted:false
                                              SSDEEP:1536:KQCyZTjijXMznA9KbyVaHHAKi8KTlESP64Ys8YNNohToyOsVo9v0ol7e5a:LrZTj8XQA95VsURE+UsjDgzo9tma
                                              MD5:7FDC86497A4C4D771AD54C762895FDBA
                                              SHA1:D7E165AAE809CA99831BEC0D15193A9457CB8C2C
                                              SHA-256:D12C8717186F51946F35A46F349719777671FF99F10E413C5BA9C8F45C107747
                                              SHA-512:C71244EBFCC7D84FB6B00D2229ECDA943804FC131AEC7A065F05F97B4450E1A072FE8FC988635D914CBBE56A08B4690E2F2C3DB84F91A843F3FCFBDEAF17D0F0
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):423376
                                              Entropy (8bit):3.831111894584417
                                              Encrypted:false
                                              SSDEEP:3072:yZ+q6S1440CqgX0tH6qRicp8hyC7qtH6qRicp8hyC7W:yb0mX0tDRDtDRX
                                              MD5:8D370EB74AD8A58A13E52054D64C758E
                                              SHA1:5421586547C2D101A3795A4DE860355D4F94094B
                                              SHA-256:98AF37DB398749A203D77CA1E0E9C4FC74760298405CE518EB32E69E46057628
                                              SHA-512:3E4D5FB1C05FCF9CD073DBAB797289E7BACCBDFDFA088523404D4B628A1E6B1A5AAE6F6479F41678133723968CEC334137D5E2E42F3E99DE4B2A6B0E74FE2F93
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):325808
                                              Entropy (8bit):3.530307261982979
                                              Encrypted:false
                                              SSDEEP:1536:T4T4dpINtbysARxYJ6trFuCvqBXh5zwV41ChOSjIZArPR3Fx5svvFo2z2Rgf1x7Q:TnpYbypI+FutTVA/F3x6RoiARoin
                                              MD5:001BA72686208686DF0A6EC729D3C450
                                              SHA1:3DFAF95049391EFBAF7E49FF39FA3D4666AF9E09
                                              SHA-256:C646CC8A22D09B0A1B908A1A9A84F7701EB8027055D82BC03F1E89459290BE2F
                                              SHA-512:2940D41C16F334A4E4AF1FE4D87CDD875042DC823309BB0845FE0B8A637A85DE35946632FF51C6A69418B2E2FD814D104758A397F6E2E0B437C7AF764850DBA4
                                              Malicious:false
                                              Process:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):2563116
                                              Entropy (8bit):3.5644532412199723
                                              Encrypted:false
                                              SSDEEP:12288:bZT4xqAjH+JgbpKprBJBFa0WfWWz/WfWV6zqJFB9tHFSJ/f/XFjppQick:bFU7pKp/a0a/a1YK31jp2zk
                                              MD5:2C78FD39372EF69D122B6A96BEF99EEF
                                              SHA1:B424F0AD17FB4D1C7E536EF190659C792BCC612E
                                              SHA-256:7C95EA23A91308CCD8E7CC7B6880D17966AE814345724DD241A57381FE314811
                                              SHA-512:DA0B9F0B252ACBF14A613DFE9BE95467CC556A1176A608CA43BECD26FFBA2900EE0CC7B1E0AA2C4B2F2222AE8E6E3BCD9192979AAEBD670BE0514CEFC505F977
                                              Malicious:false
                                              Preview:.....TS440Firmware_v1.0.3.0.bin......................................H...............BX7200Firmware_05.v2014.08.13.0.bin.............................p(..............CX30Firmware_v1.1.2.11.bin......................................................CX30KfFirmware_v1.1.2.11.bin............................................K.......CX30KfUFirmware_v1.1.2.14.bin...................................2.......A.......CX30UFirmware_v1.1.2.14.bin.............................................s.......Ts230Firmware_v1.0.3.2.bin..............................................A.......Ts240Firmware_03.V2.0.2.14.bin..................................Nx..............Ts240Firmware_v1.2.0.8.bin..............................................g#".....$...$...........n...6..........................@.....................@....... ...................0...................@...................P...................`..@......@......@..p.......@........H.....T.L. .s.r.l...T.....s.2.3.0...U.S.B..... .2...0...U.S.B..... .1...1........
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):397034
                                              Entropy (8bit):3.4872813327188426
                                              Encrypted:false
                                              SSDEEP:3072:nrFzY5DmhhMc+FKDjpXPhuMx2jpXPhuMxy:BcwD9XJuA29XJuAy
                                              MD5:029BAAE7FD6DEAF75BBF770E3583A85C
                                              SHA1:07CDF0D477371F55F1A7572810F9EC0F7E0B049B
                                              SHA-256:66AE79AEB1C0DCE73DB34A58EE4D34359221CB7BEB5CD56AF3C33F6EF4484386
                                              SHA-512:9FEDFBA21336ACB3649B200A8ACFC859AE6EF2EA82429784D94F4C4C6A5A3988F9BA838CC1760C6B52D80FFB9BA6DB10F79269506CBF84D0CDF7DECC24F6DE50
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):192190
                                              Entropy (8bit):3.492200040244344
                                              Encrypted:false
                                              SSDEEP:1536:uk82Lc9/rk82Lc9/jWdYiIlI5WdYiIlI2:l82whg82whW2l2D
                                              MD5:B62899CB135BA7CDBBFECCE45886F0FC
                                              SHA1:21CC611C61454940CD759D05638D875DDDCB4BB0
                                              SHA-256:EA1DF34D4F910524E771FE6EE73A8B06F31E96F600B9621982FA70D1AD899FDE
                                              SHA-512:7F6CC11970A5948F33C08C57F5EFD353360E8A1E4905836DCA4AE1E6A40668B44566E75CC06B02C3A2D59FDAB2CAE5E553D4077811511A7E2A6DEB2412FFC591
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):423376
                                              Entropy (8bit):3.831111894584417
                                              Encrypted:false
                                              SSDEEP:3072:yZ+q6S1440CqgX0tH6qRicp8hyC7qtH6qRicp8hyC7W:yb0mX0tDRDtDRX
                                              MD5:8D370EB74AD8A58A13E52054D64C758E
                                              SHA1:5421586547C2D101A3795A4DE860355D4F94094B
                                              SHA-256:98AF37DB398749A203D77CA1E0E9C4FC74760298405CE518EB32E69E46057628
                                              SHA-512:3E4D5FB1C05FCF9CD073DBAB797289E7BACCBDFDFA088523404D4B628A1E6B1A5AAE6F6479F41678133723968CEC334137D5E2E42F3E99DE4B2A6B0E74FE2F93
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):415184
                                              Entropy (8bit):3.6384935734038066
                                              Encrypted:false
                                              SSDEEP:3072:jOU2MFxkmV5VvGKgF3jpXPhuMx2jpXPhuMxy:jOU2WLzEX39XJuA29XJuAy
                                              MD5:3E1AB77590C0984FBD19E58BD708CBD9
                                              SHA1:D861BCDBFADA0B6BD79AC960F5A08FB7E493180D
                                              SHA-256:45A7BA66F0C9BBC0298714B5834FFCB6B35E31D9AE4152CA0B303D20E9378CC4
                                              SHA-512:CE6A4F271C359B83EA40E531A6929926913C189031CB5C9C59432F1F76DC9517F391D2248EBE44F87ABC4C930D21B615DE1DC62118DA8156CBE5BAD9A4FEA201
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):194038
                                              Entropy (8bit):3.5218272482050432
                                              Encrypted:false
                                              SSDEEP:1536:B5RlcAXaM+2tHR5RlcAXaM+2tH/WdYiIlI5WdYiIlI2:jBtzBtC2l2D
                                              MD5:8D74E2CC353A05E8CB03A57476C8B49F
                                              SHA1:7A73915DAE6866C6640DD3C0BE6B0B4D3AC16428
                                              SHA-256:48516DC57A43BEBE38CBAD973336136FF7222960310AE99D293B9D97FD1E391A
                                              SHA-512:B066511E180D2066327B5E4B5EB5AF76AB6D90F17C1D3742E387FD2FF5AEF7859F0E49E78D5765237B7712247B9A5887F77A9A5BC4B703F580C9B679DB17DA64
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):319428
                                              Entropy (8bit):3.255675310646228
                                              Encrypted:false
                                              SSDEEP:1536:AQCAoQ5Ve9+sl+heHsNMOgs4qeHHAKi8KTlESP64wRqbtM+Nijain:5/5a+sVHuEURE+9eoiL
                                              MD5:ADE95A3CE22B824979EA629FD3D9018F
                                              SHA1:9DE1FB49D9C0EC777973FFB4860DDAB663ABE789
                                              SHA-256:5B9F11000189CEBE353F84D2EDE42332A71DAF63888CA36DCF2AED4BEC0EDEE3
                                              SHA-512:C4F571C3A1F68ACB6F600D67ECC46021F3688CAC59DA7C62B90B257EC902A72A19F5108AF60E4B952E6E7516F8436119C87EBDB57D0A7E97D8763F0347C73EB3
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):95145
                                              Entropy (8bit):5.893059156773491
                                              Encrypted:false
                                              SSDEEP:1536:ZOzNlFvpXoArmV4ia6g8eKOsFYjZP+oprdnELx6ekXgT+o+jJTP1PE:kp/rmIj8eKOs6jUclJVP1P
                                              MD5:E1729359F94D9BE8BA44AE4FDDD18863
                                              SHA1:E832FA4B20B1B567AB22BC2397EE37A925E9E243
                                              SHA-256:FA1D59BEEEE0B40D4F1FB4F3AA91779D50E9CF89BDC7A8F46048D3B05F97E35C
                                              SHA-512:EF15959B32966F58AD15290460ABDB8C81DDB411D69A98E5B6BE8179EA0A31B6F8775F381E289012E42B7BA8B49962F43DE07CAD123162D3B6BDDA1D480BA781
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):319560
                                              Entropy (8bit):3.3318803770679204
                                              Encrypted:false
                                              SSDEEP:1536:KQCyZTjijXMznA9KbyVaHHAKi8KTlESP64Ys8YNNohToyOsVo9v0ol7e5a:LrZTj8XQA95VsURE+UsjDgzo9tma
                                              MD5:7FDC86497A4C4D771AD54C762895FDBA
                                              SHA1:D7E165AAE809CA99831BEC0D15193A9457CB8C2C
                                              SHA-256:D12C8717186F51946F35A46F349719777671FF99F10E413C5BA9C8F45C107747
                                              SHA-512:C71244EBFCC7D84FB6B00D2229ECDA943804FC131AEC7A065F05F97B4450E1A072FE8FC988635D914CBBE56A08B4690E2F2C3DB84F91A843F3FCFBDEAF17D0F0
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):192190
                                              Entropy (8bit):3.492200040244344
                                              Encrypted:false
                                              SSDEEP:1536:uk82Lc9/rk82Lc9/jWdYiIlI5WdYiIlI2:l82whg82whW2l2D
                                              MD5:B62899CB135BA7CDBBFECCE45886F0FC
                                              SHA1:21CC611C61454940CD759D05638D875DDDCB4BB0
                                              SHA-256:EA1DF34D4F910524E771FE6EE73A8B06F31E96F600B9621982FA70D1AD899FDE
                                              SHA-512:7F6CC11970A5948F33C08C57F5EFD353360E8A1E4905836DCA4AE1E6A40668B44566E75CC06B02C3A2D59FDAB2CAE5E553D4077811511A7E2A6DEB2412FFC591
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):315864
                                              Entropy (8bit):3.213201883320518
                                              Encrypted:false
                                              SSDEEP:1536:qQCvei2bNWJLOC3utR2EZeHHAKi8KTlESP64wRqbtM+Nijain:rOzctC3utR2EWURE+9eoiL
                                              MD5:3DD77599486D2FC6C20801B324279937
                                              SHA1:B09F42C2C6B21B4EC34A26B97AD34BBD2CCD7E6C
                                              SHA-256:5960451A56B28513D0B80C0D6918895CF031920E5D3C8B8ACA23B514439CBAA3
                                              SHA-512:92ED9BDF63011E8F81FA87A79D336EC578762EB50B27652A04A255A38DD899C44FA06B7F3EE59B322F650A100241E6CBB3338C4169EAF3A9FB0B36B744C3B49D
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):325808
                                              Entropy (8bit):3.530307261982979
                                              Encrypted:false
                                              SSDEEP:1536:T4T4dpINtbysARxYJ6trFuCvqBXh5zwV41ChOSjIZArPR3Fx5svvFo2z2Rgf1x7Q:TnpYbypI+FutTVA/F3x6RoiARoin
                                              MD5:001BA72686208686DF0A6EC729D3C450
                                              SHA1:3DFAF95049391EFBAF7E49FF39FA3D4666AF9E09
                                              SHA-256:C646CC8A22D09B0A1B908A1A9A84F7701EB8027055D82BC03F1E89459290BE2F
                                              SHA-512:2940D41C16F334A4E4AF1FE4D87CDD875042DC823309BB0845FE0B8A637A85DE35946632FF51C6A69418B2E2FD814D104758A397F6E2E0B437C7AF764850DBA4
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):4342088
                                              Entropy (8bit):7.051728105290309
                                              Encrypted:false
                                              SSDEEP:98304:BZP0PvxMJfTcXPSo0akd+BPSLC4IEy+XNy136jCfsqLhDIJJGN8mFLOAkGkzdnEe:BZP2iIE80qLrHFLOyomFHKnPAG
                                              MD5:07BCCDCC337D393D7DB0B2F8FE200B3F
                                              SHA1:5A02B227CB0A22A8E7884CD138C3E8568D083D94
                                              SHA-256:BF38DDA13B938B49A4DF72B6477342373EE6E151BE12C25CB0C17662FCB4BCD4
                                              SHA-512:E5637727A549CF7B88F13474097A71200F0DFA511ECD55C5A42E5F53E9F86CE8B7CE763448830FD073E232876F7537BAD96F2CED8D3159558778460264D07639
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):36176
                                              Entropy (8bit):5.5666055070859155
                                              Encrypted:false
                                              SSDEEP:768:I5divsXPqptLkrHyTby9XVLwMi2jXHUIv:wi0XPqptLUHCbyBVL39rHUIv
                                              MD5:8BF73FAA44C897C1812F2DACF0EAAF8A
                                              SHA1:C9D4E010FC9069F44028AA54CF4AC3329CA2AB2F
                                              SHA-256:8D1E7FB72BCEB10215108D48FE4FA6AEA1F03636F56FC3BE5E6D5552C4094C46
                                              SHA-512:61C0609E0BEEC2985FE8FC7839C17463DA685D39221D648FAA8C7F088627A6C514A8FCFE71948ADF2D3F28B2AF78F8653FE5E4771D7C1AB000FC2F7463D09E8C
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):36176
                                              Entropy (8bit):5.622324615571566
                                              Encrypted:false
                                              SSDEEP:768:SuufpTVI4pk7kn4TJVM3i/EhKTMi2jpvAx:+pTVI4pk4noVM3XhKg95Ax
                                              MD5:4AD997573259D5BBF211D9FB2BBA3DB0
                                              SHA1:C9A8BADE464A2AEDF823CE147529A74DA5416038
                                              SHA-256:90ADEFDCD57C9CE8C5E542FCBDA108860427E9334BD9BFE564AD5556683BC954
                                              SHA-512:4C630D8ED88DB6062561BCF379235E9CA113C1F9F5DD54A6A9088E5D31B38573B6C891376E76AF0BDEAE360F47D714F2DE8AD9632C7FECB1FC3FF0CA7FC6022B
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):64336
                                              Entropy (8bit):4.138154922872674
                                              Encrypted:false
                                              SSDEEP:1536:fVPidQr0OWqnn0BDhCPu6V4aGCWRZ+e0petNSaQhp0vcsjsr8gWt8C1dCuf9j95a:fVidQr0OWqnnShCPu6V4aGCWRZX0bhpv
                                              MD5:5F522204B79025F0D5870076111409F3
                                              SHA1:6A17C85B6C4B3F33F2B8D8755EA38D5B0C092168
                                              SHA-256:CE1FC625509D697A2CD174115A593158AD9EED5B97967E619421696FC01D381E
                                              SHA-512:405B8DEAB3E87618C0C1238585E0CA7C22E66984148568AF5915B2E908B6C07218774667839B67481661E14727FBF95061A78802E6154286C229170F42A0F1A0
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):55120
                                              Entropy (8bit):4.197711698709668
                                              Encrypted:false
                                              SSDEEP:768:EgIdijcuEhCgySa6B1CLPLNq5f/nWHBNheOU2fd5WMi2jpvm:3I0ifySa6B8PLNYf/nWHNTdv95m
                                              MD5:D21165B7DBCC968CD829C00608F5694E
                                              SHA1:E6882666F88572624AB77074CEAD86448A6CF641
                                              SHA-256:14C4069CD931E9CD3F519D321CE50E4E531C385403C124FFEE7CA7831B0ADB63
                                              SHA-512:A3F00761110214C1FFEE78A008A1E17C9969B12B2B3D33C655E47D9E3E6ED13AFAC000402C24F3C20878348C8970856098EC89ABF426D9F990F4C71309E73B62
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):63824
                                              Entropy (8bit):4.069449731249543
                                              Encrypted:false
                                              SSDEEP:768:aYE0Kv+BU69x6rg/PKuCOCF3OKWRElJRZRIvpsMi2jXHU/kv2:LA+q69x68/PKuFm3OKWkRZRIp9rHUk2
                                              MD5:81C0790DBD237317E4BA2908F53E045A
                                              SHA1:70A077458CAD7E76B23F0FF77D6CFCB9F0FA4693
                                              SHA-256:DC5ABB34069E3E8E1451E36B44822DEF82B624F9811F825D417874202A4A242C
                                              SHA-512:47D4ABA0F7691FDA6E388646767C3D99C2781F21BF58A46399750DC780C160CBC1060B8923767CAE2546BDE58B6F631C6AC4583711E15F9460BCDE7637BD7D3A
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):64336
                                              Entropy (8bit):4.118195590576372
                                              Encrypted:false
                                              SSDEEP:768:kqth26iN6NjZELIaYImN8YxAaTafCp5eFQZmZUjyyyyyyyyyyyyyyyUGQFUbWo2J:FNPqLIaQA2SCHj0jt95Q
                                              MD5:BDB98792CE6C2654F14E1BF47263527B
                                              SHA1:60E946BF95ABAE671E9F88CE5AE7ADA6D2CA0B5C
                                              SHA-256:6AB663A7C7A648DDDB428ACDBC8CBC91C66C93A52323DF1A519BFEAEA9A4F6EC
                                              SHA-512:3747B0CC87D20FA0D0F8FACB43AE917FDB174665B4363FAC2943787ABE4C645D36C73B40327FBA33F87F0C8C65CB33375F9E91A3A75D7EDD791AFB89F17E9FE1
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):62288
                                              Entropy (8bit):4.093367290099013
                                              Encrypted:false
                                              SSDEEP:768:K6E6XaEYyqbK15MEBigDGxNIlW3gyCQQQjeqS1hDsiiUWTVqMi2jXHUd:naEOs5MEBigSxNIlW37oETb9rHUd
                                              MD5:3301A48EC56740776326760858936BCD
                                              SHA1:BDDC636C935A4C965FF6A4723EC754CFA09DA8C6
                                              SHA-256:7E36BA0E433F5478B1F405388870533EE2B631A4BEE992EB6C5708797A8E0B25
                                              SHA-512:E23604EB225435D941BB57D93AABCD9F4652CC6A1BEC4579064A0C9FD794D5A64B959A98ED8636EF127F37C7671C36BF27C13EBD1309968D43EBBA7117D49072
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):43856
                                              Entropy (8bit):5.449702782814297
                                              Encrypted:false
                                              SSDEEP:768:dsTbayVn/IatJxtr10/euKRHIWIMi2jXHUh:GTeyp/Is/uMl9rHUh
                                              MD5:6A7F31C6FAFEA0EF7F17A9B17B247254
                                              SHA1:78C3614453D4FB5F96BD21B7CE66E9D5C8C22FCC
                                              SHA-256:93CCF853A22AD5C9A3BC9F0D87FAB3E356C728332E5968E38B3751C03179B06A
                                              SHA-512:CC6332E4406D5109CF1522BDA36C1C05B83542ADBF180D88286F08F3E5F260A84A20898B2539E9BAECC6D86EED503EB9ED05AEC2B26672C044EF9A0FB8F12E7D
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):43344
                                              Entropy (8bit):5.551158148566457
                                              Encrypted:false
                                              SSDEEP:768:fVz754LQTN3kraHniJNB2I7CvquMi2jXHUPc:151TN3VniJv2I7CvqZ9rHUPc
                                              MD5:B5A093F44E7E5C618A7698839DF6583C
                                              SHA1:F4707CF3D4CBE81E9A680B74C201C386ECA8649E
                                              SHA-256:C3DC021011FE766D54927F6865936B3B9473E5BC38BB1BBACB94A0C739C4A16D
                                              SHA-512:937DA004BB71A4B764CEB284D2760E71247F47A6D4D2EAA594A4269C2F5E2A2701DCA91493248D3E6BD08A6AE0C9C3A0342C1B1B8DE180010159E129A2FB0004
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):60752
                                              Entropy (8bit):4.6896553999495465
                                              Encrypted:false
                                              SSDEEP:768:yURq/lFXOv/iuqN9TMIVhtZ3FckD+SyMi2jpv2l:MDXOv/ahTVV952l
                                              MD5:6D163D436251978D14E4C80F33385D76
                                              SHA1:CC1957B2D9ADEBC1946CAF3E8DCA08623E43842F
                                              SHA-256:8597AFF5549E1F14805F288CE69C0DCE270ED0C1D6515A4C923004F0D753240C
                                              SHA-512:0CD9DEF6C62180CF7D90EED35D6FAB73DDFABA91C0642111EB592896FDB50EC4E1CEEA21F298F10AA6290AFEA208B961C979F075FCFAD169674965E0E01F5995
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):4368720
                                              Entropy (8bit):7.026244983352001
                                              Encrypted:false
                                              SSDEEP:98304:zge9f+eJ5LbHVlaHqQ1NaXJw9QxCqk23i3ggGe9SfcoLDPiHkKos7FLOAkGkzdnR:zxf5cBudLps7FLOyomFHKnPAw
                                              MD5:F841F32AD816DBF130F10D86FAB99B1A
                                              SHA1:0F8B90814B33275CF39F95E769927497DA9460BF
                                              SHA-256:7A4CFBCE1EB48D4F8988212C2E338D7781B9894EF0F525E871C22BB730A74F3E
                                              SHA-512:6222F16722A61EE6950B6FBCBE46C2B08E2394CE3DD32D34656FAF2719E190E66B4E59617C83F117AD3793B1292A107F275087B037CF1B6E4D9819323748079A
                                              Malicious:false
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................x.......g.....E.c.......e.......Q.......P......h.........?.....T.L.....`.......a.......f.....Rich............PE..L......K.........."!......*..>......=.%.......*..._x......................... C.......C...@.........................`.).`...t.).......+.H.............B.P.....?.0... /...............................>..@...................h.)......................text.....*.......*................. ..`.data.........*.......*.............@....rsrc...H.....+......<+.............@..@.reloc...R....?..T...>?.............@..B........................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):80208
                                              Entropy (8bit):6.173505901056785
                                              Encrypted:false
                                              SSDEEP:1536:KKfLgly77rSxB8p/KGefmLQBY3pROBCrU95:KYg877rwB8p/KGefmLJ3pROBCrU95
                                              MD5:09FF12BAE0EB3E6E688609095390D34B
                                              SHA1:49511F73B54E8F702C7EA769331558B8705DFEC3
                                              SHA-256:0FEF52F0378B75600B828172377DEA92F8CE4F9CB2E0DCEE5D96300EA6D102DD
                                              SHA-512:D7EA7B78CE34E5DFC3EBFA2268C8349469854D02DC4C3423D517DD3B74FFD283409EEB275676F68F6DDC514D8D05EBD44125EA630064493D10AEFA4749974EBC
                                              Malicious:false
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`..C..C..C..JyO.A..]S_.A..,wP.F...OT.B..,wR.B..,wf.O..Jy_.G..C.....,wg.V..,wW.B..,wV.B..,wQ.B..RichC..........................PE..L......K.........."!.....B...*......PN.......`.....x......................................@......................... +.......$..x...................."..P............b.............................. n..@............`...............b..H............text....@.......B.................. ..`.rdata.......`.......F..............@..@.data....P...0......................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):80720
                                              Entropy (8bit):6.164375554936668
                                              Encrypted:false
                                              SSDEEP:1536:+iH8I62fuAyjBi28NaHmOKGefmLQBw93OBOQky9rHUWe:+jI62fxKT8NaHhKGefmLH93OBOQky9o1
                                              MD5:9BF0CB63876BA82B8178EC733F6510C7
                                              SHA1:BBC2580DA25AE39655D6A042761F8A753A9F127F
                                              SHA-256:D9A7C9ECF9C022B2FBFE1EFEEA5215A7CAA2BF95674FA88DD5E35AFDB310E80A
                                              SHA-512:D61D38530D40201AB6934CF256728D24E597065FAE12A77B36103B5CE3BD19B342B436BF54C56949F11B957C4F93795E059EE4784EFD213C22E9E6FB072E24A5
                                              Malicious:false
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`..C..C..C..JyO.A..]S_.A..,wP.F...OT.B..,wR.B..,wf.O..Jy_.G..C.....,wg.V..,wW.B..,wV.B..,wQ.B..RichC..........................PE..L......K.........."!.....B...D......PN.......`.....x................................h"....@..........................+......T%..x....................$..P............b..............................0n..@............`...............b..H............text....@.......B.................. ..`.rdata.......`.......F..............@..@.data...<h...0......................@....rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):421200
                                              Entropy (8bit):6.59808962341698
                                              Encrypted:false
                                              SSDEEP:12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
                                              MD5:03E9314004F504A14A61C3D364B62F66
                                              SHA1:0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
                                              SHA-256:A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
                                              SHA-512:2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
                                              Malicious:false
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._d..17..17..17...7..17..7..17..07 .17(..7..17..7..17..7..17..7..17..7..17..7..17..7..17..7..17Rich..17........................PE..L.....K.........."!.................<.............x......................................@.................................`...<.... ...............V..P....0..H;..p................................/..@...............p............................text............................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):770384
                                              Entropy (8bit):6.908020029901359
                                              Encrypted:false
                                              SSDEEP:12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
                                              MD5:67EC459E42D3081DD8FD34356F7CAFC1
                                              SHA1:1738050616169D5B17B5ADAC3FF0370B8C642734
                                              SHA-256:1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
                                              SHA-512:9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
                                              Malicious:false
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):51024
                                              Entropy (8bit):6.5875642480554895
                                              Encrypted:false
                                              SSDEEP:1536:NEYT1tiIlhnRlp+nbBjzzLSXI/Je9rHU6k:BYIl7lp+nbdz4I/U9oH
                                              MD5:631945C6518533A9FADAAA8E98F4AB5B
                                              SHA1:34B856EBDDA19B5AB96ED77FB5FB82A00CFE023A
                                              SHA-256:2011268947625670A758382E811C71B597B615F1763F8D30A5195B80DA4644FC
                                              SHA-512:1CBBC26787AEADE276B30582124B7C457F352754BDDF72A709E90EA884F09CC1327EBBA3087ECB3224762438F669F860C640B18B1863995955E429B3ED894372
                                              Malicious:false
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\}...........wjQ....wje.....d\.......'..wj`....wjT....wjU....wjR....Rich...........PE..L......K.........."!................#X.............r................................".....@.................................t...<.......................P.......\.......................................@............................................text............................... ..`.data...............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\drvinst.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):18208
                                              Entropy (8bit):5.811418287870366
                                              Encrypted:false
                                              SSDEEP:384:MWZXksEk08ETDrDNLBLFOL/7nDfDnrHjXHUX4yQ0nTds:MWZXksEk08ETDrDNLBLFOL/7nDfDnrHR
                                              MD5:239F070ACDE2550A3F001B7146A5A5FA
                                              SHA1:EFC1A6BB213DA4CA3341D906DF80B50B962265AB
                                              SHA-256:34177A54958D7B6083C3668928C58ED968076E245EFAB4E90011EA08F1294166
                                              SHA-512:2ED00E2D74F929EC46D6289535730889853FD91D75FA0BC01CB1C741B53A2F1F2B6E41C5AF5E1B654C104973BC348DA0686E0AC0B64AD1791AEED4EDFAF757A7
                                              Malicious:false
                                              Preview:0.G...*.H........G.0.G....1.0...+......0.....+.....7......0...0...+.....7.........O..A.W...n...100408005841Z0...+.....7.....0..r0....R1.B.C.F.C.B.5.8.C.A.D.0.C.6.2.2.A.5.0.4.1.9.4.B.7.6.1.5.6.A.8.3.3.D.E.9.2.C.3.1...1..Y08..+.....7...1*0(...F.i.l.e........t.s.u.s.b.2...i.n.f...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...........X..."...Kv.j.=.,10b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.C.0.1.1.0.5.A.9.F.B.7.2.0.9.8.9.E.A.0.8.D.C.6.0.1.7.8.C.4.7.6.4.F.3.1.1.0.8.3...1..a08..+.....7...1*0(...F.i.l.e........t.s.u.s.b.2...s.y.s...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........|..Z.. ..
                                              Process:C:\Windows\System32\drvinst.exe
                                              File Type:Windows setup INFormation
                                              Category:dropped
                                              Size (bytes):26572
                                              Entropy (8bit):5.052674341978774
                                              Encrypted:false
                                              SSDEEP:768:XmFU4ImNXYZi7ZrMmFU4ImNXYZi7ZrAmFU4ImNXYZi7ZrO9:4xlZHxlZbxlZQ
                                              MD5:9BCA4F18DBF056BB928AACA8507198E8
                                              SHA1:1BCFCB58CAD0C622A504194B76156A833DE92C31
                                              SHA-256:619077F0035460737B47205E3F5DAE04EA4402B9EEEBD5BF5BEF47B067271398
                                              SHA-512:8656ABCBC6E638BBEFB0AC9A2D8C3B38EC697782E77F26F97196975D9D72CDFE6C12F883E1180160E0922CE7D36718193820EE581CE2695810B10324FF002A9A
                                              Malicious:false
                                              Preview:; Installation inf for DCC Teller Scanners..;..; (c) Copyright 2007 Digital Check Corporation..;..; 64-bit driver..; 2010-03-09, J.Fred, added CopyFiles for TSUSB2_TS.Dev. Added expansion PIDs.....[Version]..Signature="$Windows NT$"..Class=USB..ClassGUID={36FC9E60-C465-11CF-8056-444553540000}..provider=%DCC%..DriverVer=04/01/2010,2.0.0.0..CatalogFile=TsUsb2_x64.cat....[SourceDisksNames]..1=%Disk_Description%,,,....[SourceDisksFiles]..TsUsb2.sys = 1....[Manufacturer]..%MfgName%=TellerScan, NTx86, NTia64, NTamd64....; Keep these three in-sync: TellerScan.NTx86, TellerScan.NTia64 and TellerScan.NTamd64..[TellerScan.NTx86]..;------------------..; PCB/loader IDs.....;------------------..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0008 ; TS220..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0016 ; TS230 EDO..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0017 ; ES230 SD..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0018 ; CX30..; reserved for HTL Device 00
                                              Process:C:\Windows\System32\drvinst.exe
                                              File Type:PE32+ executable (native) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):53760
                                              Entropy (8bit):6.239294014916115
                                              Encrypted:false
                                              SSDEEP:768:WJMRr2/jozwW9CPkj//3gYGNZGyIbkHxumE5SjxIVEk3li1fCQhNjRhs/yVuicvz:WWRrkQt2O7mj0yQ3IaTJ
                                              MD5:D346647292F014BB769B018685177FDC
                                              SHA1:09371366C65EA5502108C397483BA4BE3AB20C83
                                              SHA-256:E08A39970ABE15F011D20AA903F98B8F9F51392987B51FECF1544900FD9FA36F
                                              SHA-512:53C61E91064AB7C7D130018EF02DCCA16B3CEF1882E5238E7AB0FB2C64C49CF8D2C6601631053F70DED2C9D2BFCBAB28690732489950B447D02EF85584075C5F
                                              Malicious:false
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#..B...B...B....6..B.......B...B...B.......B.......B.......B.......B.......B.......B..Rich.B..........PE..d...3.VF.........."..........h...............................................@......@.......................................................d...<.... .......................0.......................................................................................text...8~.......................... ..h.rdata..............................@..H.data...$V.......6..................@....pdata..............................@..HINIT....B........................... ....rsrc........ ......................@..B.reloc..<....0......................@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\drvinst.exe
                                              File Type:PE32+ executable (native) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):53760
                                              Entropy (8bit):6.239294014916115
                                              Encrypted:false
                                              SSDEEP:768:WJMRr2/jozwW9CPkj//3gYGNZGyIbkHxumE5SjxIVEk3li1fCQhNjRhs/yVuicvz:WWRrkQt2O7mj0yQ3IaTJ
                                              MD5:D346647292F014BB769B018685177FDC
                                              SHA1:09371366C65EA5502108C397483BA4BE3AB20C83
                                              SHA-256:E08A39970ABE15F011D20AA903F98B8F9F51392987B51FECF1544900FD9FA36F
                                              SHA-512:53C61E91064AB7C7D130018EF02DCCA16B3CEF1882E5238E7AB0FB2C64C49CF8D2C6601631053F70DED2C9D2BFCBAB28690732489950B447D02EF85584075C5F
                                              Malicious:false
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#..B...B...B....6..B.......B...B...B.......B.......B.......B.......B.......B.......B..Rich.B..........PE..d...3.VF.........."..........h...............................................@......@.......................................................d...<.... .......................0.......................................................................................text...8~.......................... ..h.rdata..............................@..H.data...$V.......6..................@....pdata..............................@..HINIT....B........................... ....rsrc........ ......................@..B.reloc..<....0......................@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\drvinst.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):18208
                                              Entropy (8bit):5.811418287870366
                                              Encrypted:false
                                              SSDEEP:384:MWZXksEk08ETDrDNLBLFOL/7nDfDnrHjXHUX4yQ0nTds:MWZXksEk08ETDrDNLBLFOL/7nDfDnrHR
                                              MD5:239F070ACDE2550A3F001B7146A5A5FA
                                              SHA1:EFC1A6BB213DA4CA3341D906DF80B50B962265AB
                                              SHA-256:34177A54958D7B6083C3668928C58ED968076E245EFAB4E90011EA08F1294166
                                              SHA-512:2ED00E2D74F929EC46D6289535730889853FD91D75FA0BC01CB1C741B53A2F1F2B6E41C5AF5E1B654C104973BC348DA0686E0AC0B64AD1791AEED4EDFAF757A7
                                              Malicious:false
                                              Preview:0.G...*.H........G.0.G....1.0...+......0.....+.....7......0...0...+.....7.........O..A.W...n...100408005841Z0...+.....7.....0..r0....R1.B.C.F.C.B.5.8.C.A.D.0.C.6.2.2.A.5.0.4.1.9.4.B.7.6.1.5.6.A.8.3.3.D.E.9.2.C.3.1...1..Y08..+.....7...1*0(...F.i.l.e........t.s.u.s.b.2...i.n.f...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...........X..."...Kv.j.=.,10b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.C.0.1.1.0.5.A.9.F.B.7.2.0.9.8.9.E.A.0.8.D.C.6.0.1.7.8.C.4.7.6.4.F.3.1.1.0.8.3...1..a08..+.....7...1*0(...F.i.l.e........t.s.u.s.b.2...s.y.s...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........|..Z.. ..
                                              Process:C:\Windows\System32\drvinst.exe
                                              File Type:Windows setup INFormation
                                              Category:dropped
                                              Size (bytes):26572
                                              Entropy (8bit):5.052674341978774
                                              Encrypted:false
                                              SSDEEP:768:XmFU4ImNXYZi7ZrMmFU4ImNXYZi7ZrAmFU4ImNXYZi7ZrO9:4xlZHxlZbxlZQ
                                              MD5:9BCA4F18DBF056BB928AACA8507198E8
                                              SHA1:1BCFCB58CAD0C622A504194B76156A833DE92C31
                                              SHA-256:619077F0035460737B47205E3F5DAE04EA4402B9EEEBD5BF5BEF47B067271398
                                              SHA-512:8656ABCBC6E638BBEFB0AC9A2D8C3B38EC697782E77F26F97196975D9D72CDFE6C12F883E1180160E0922CE7D36718193820EE581CE2695810B10324FF002A9A
                                              Malicious:false
                                              Preview:; Installation inf for DCC Teller Scanners..;..; (c) Copyright 2007 Digital Check Corporation..;..; 64-bit driver..; 2010-03-09, J.Fred, added CopyFiles for TSUSB2_TS.Dev. Added expansion PIDs.....[Version]..Signature="$Windows NT$"..Class=USB..ClassGUID={36FC9E60-C465-11CF-8056-444553540000}..provider=%DCC%..DriverVer=04/01/2010,2.0.0.0..CatalogFile=TsUsb2_x64.cat....[SourceDisksNames]..1=%Disk_Description%,,,....[SourceDisksFiles]..TsUsb2.sys = 1....[Manufacturer]..%MfgName%=TellerScan, NTx86, NTia64, NTamd64....; Keep these three in-sync: TellerScan.NTx86, TellerScan.NTia64 and TellerScan.NTamd64..[TellerScan.NTx86]..;------------------..; PCB/loader IDs.....;------------------..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0008 ; TS220..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0016 ; TS230 EDO..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0017 ; ES230 SD..%TSUSB2_DeviceDesc%=TSUSB2.Dev, USB\VID_08b1&PID_0018 ; CX30..; reserved for HTL Device 00
                                              Process:C:\Windows\System32\drvinst.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):184156
                                              Entropy (8bit):5.362249722894818
                                              Encrypted:false
                                              SSDEEP:1536:sYtgOmpyFfzS0w6iAknSdR3TZifGSmQPypV4M+xEfatrdf8atwLWJrDBrCn2S/+1:B6zKjK
                                              MD5:642741B74D9BFB4695BF66C4201591DC
                                              SHA1:B56FA7B8740899C7E017E944BE4E3A484FE28BB6
                                              SHA-256:38A00E61D2E6A3D3051D36A56BB557776333E604ECBAA08A9F6CAC5CAC2B050E
                                              SHA-512:E61E8410985F42596361E216620B4EA99D66680CE512B084E2C0A63C9F0F97610F7BA1FB24B21F49A72902CA3B89C564A93984CACDF755FC852FD355DCCCAE40
                                              Malicious:false
                                              Preview:CatalogDB: 7:15:57 AM 5/27/2021: SyncDB:: DeleteCatalog: Containers-ApplicationGuard-Package~31bf3856ad364e35~amd64~~10.0.18362.1.cat..CatalogDB: 7:15:59 AM 5/27/2021: SyncDB:: DeleteCatalog: Containers-ApplicationGuard-Shared-Package~31bf3856ad364e35~amd64~~10.0.18362.1.cat..CatalogDB: 7:15:59 AM 5/27/2021: SyncDB:: DeleteCatalog: Containers-ApplicationGuard-Shared-windows-Package~31bf3856ad364e35~amd64~~10.0.18362.1.cat..CatalogDB: 7:15:59 AM 5/27/2021: SyncDB:: DeleteCatalog: Containers-Client-Manager-onecore-Package~31bf3856ad364e35~amd64~~10.0.18362.1.cat..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #1470 encountered error 0x0000012f..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #2046 encountered error 0x0000012f..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #2359 encountered error 0x0000012f..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #1245 encountered JET error -1601..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #1245 encounter
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:PE32+ executable (native) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):53760
                                              Entropy (8bit):6.239294014916115
                                              Encrypted:false
                                              SSDEEP:768:WJMRr2/jozwW9CPkj//3gYGNZGyIbkHxumE5SjxIVEk3li1fCQhNjRhs/yVuicvz:WWRrkQt2O7mj0yQ3IaTJ
                                              MD5:D346647292F014BB769B018685177FDC
                                              SHA1:09371366C65EA5502108C397483BA4BE3AB20C83
                                              SHA-256:E08A39970ABE15F011D20AA903F98B8F9F51392987B51FECF1544900FD9FA36F
                                              SHA-512:53C61E91064AB7C7D130018EF02DCCA16B3CEF1882E5238E7AB0FB2C64C49CF8D2C6601631053F70DED2C9D2BFCBAB28690732489950B447D02EF85584075C5F
                                              Malicious:false
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#..B...B...B....6..B.......B...B...B.......B.......B.......B.......B.......B.......B..Rich.B..........PE..d...3.VF.........."..........h...............................................@......@.......................................................d...<.... .......................0.......................................................................................text...8~.......................... ..h.rdata..............................@..H.data...$V.......6..................@....pdata..............................@..HINIT....B........................... ....rsrc........ ......................@..B.reloc..<....0......................@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):20480
                                              Entropy (8bit):1.6116634759911168
                                              Encrypted:false
                                              SSDEEP:48:c8PhP7uRc06WXJSjT52kFG1SyedCVEijkHgSbedCcb6QcZfQBj:zhP71JjTV01/nVLAgWnLQcZoB
                                              MD5:88D688E993E7B8C45176DDE6FDE594AC
                                              SHA1:C1BA567DD499FD207D78204A26B0E9931D8F49D1
                                              SHA-256:7A3453E6DAE54CA45EE06FAC24B5F57EE2832D8B622C14F7FB0336885DE8CD3C
                                              SHA-512:F6E40D7810258C06D8EBFB6AD7223F56DD76B4059B300092C6E28016F65CFAF32702CF26DC132C992CC5C3460DFA50BA1C2083E9DF1BCF52CD2F7085D58E6745
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):81920
                                              Entropy (8bit):0.11344916874423858
                                              Encrypted:false
                                              SSDEEP:24:7TuHdN8lG+dvVpipVs+dvVpipV7VomTpwGgBlrkgJM+zZmT7+1:3aN8lpdjSFdjS5SmTWHrS8ZmT7
                                              MD5:F050C7216DF154EF0FC2DDBF3059463E
                                              SHA1:B7145FE132EFCF9602D0C314B2B987A7A679E2C6
                                              SHA-256:4EC70EC5123802B0FB9ECE0D2872F02681F1263AB8065528FCC8E28E00DD0195
                                              SHA-512:8879123FD6FE4948BF418A8CBDBE81042D7985CF6859E3FBA1DD0A201F83CAB8AF6DD6964ACFEB59AC8EA33B58BF26416A6A9748FC5C805C153D067039008A9B
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):1.2865785450217353
                                              Encrypted:false
                                              SSDEEP:48:hMX7u2I+CFXJFT5dkFG1SyedCVEijkHgSbedCcb6QcZfQBj:WX7udT401/nVLAgWnLQcZoB
                                              MD5:5ED09019BFBB981D12EE1E2EAD2C5CCF
                                              SHA1:BEA4609D808551343835B94209CF4E49881F63BC
                                              SHA-256:C6EF4BD6F91DD56CF0D23052F29FA4292872579BFD39711B660916358A408BE4
                                              SHA-512:259B4E7548F95D367E150B3E42DFC5F95E1F5D59A342F37FB2A347D680E50D9DBECE1C3EA3C5EFF3EA6D1A019DA3451D6292A5D1A95C1470AF244553BE0FBDFE
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):1.2865785450217353
                                              Encrypted:false
                                              SSDEEP:48:hMX7u2I+CFXJFT5dkFG1SyedCVEijkHgSbedCcb6QcZfQBj:WX7udT401/nVLAgWnLQcZoB
                                              MD5:5ED09019BFBB981D12EE1E2EAD2C5CCF
                                              SHA1:BEA4609D808551343835B94209CF4E49881F63BC
                                              SHA-256:C6EF4BD6F91DD56CF0D23052F29FA4292872579BFD39711B660916358A408BE4
                                              SHA-512:259B4E7548F95D367E150B3E42DFC5F95E1F5D59A342F37FB2A347D680E50D9DBECE1C3EA3C5EFF3EA6D1A019DA3451D6292A5D1A95C1470AF244553BE0FBDFE
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):1.2865785450217353
                                              Encrypted:false
                                              SSDEEP:48:hMX7u2I+CFXJFT5dkFG1SyedCVEijkHgSbedCcb6QcZfQBj:WX7udT401/nVLAgWnLQcZoB
                                              MD5:5ED09019BFBB981D12EE1E2EAD2C5CCF
                                              SHA1:BEA4609D808551343835B94209CF4E49881F63BC
                                              SHA-256:C6EF4BD6F91DD56CF0D23052F29FA4292872579BFD39711B660916358A408BE4
                                              SHA-512:259B4E7548F95D367E150B3E42DFC5F95E1F5D59A342F37FB2A347D680E50D9DBECE1C3EA3C5EFF3EA6D1A019DA3451D6292A5D1A95C1470AF244553BE0FBDFE
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):0.3364159434289711
                                              Encrypted:false
                                              SSDEEP:12:oBWxx0i8n0itFzDHFVa+7EpPeJMVvh/J09RSdIpHMsULzkQDTrWQDTrWB9CrclWS:vxOF0ml/poJegvZRdsH6DxDD
                                              MD5:597116FD1A30D7512E5BBBE0FB943CBA
                                              SHA1:C595A0C8390069463DF1E05AF16B4676E245CAFA
                                              SHA-256:9579E3B1C16ADCCBE22F7E80F96245FB00939C15BAE5E32390580E588DC8DD28
                                              SHA-512:1992613B1DBB8867F19CA5F2E9380CB8A6D554B417A4E3874A2D9C981B3932992A51140891C53E6ED10F5737346A467A11DB8992DB3D7935E48F2ADEC5340AB5
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):0.07790800677429963
                                              Encrypted:false
                                              SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOvqPqrcUd442/OXLIaVky6lh:2F0i8n0itFzDHFvqyBn6OXWh
                                              MD5:CC39645AC1C3A4C4831A82F98A7CE4B4
                                              SHA1:19A6AE7D720C9367044C8D6A4543395A5AEEF99C
                                              SHA-256:FC18E839AD834AD6967A84A09F93E2AC67B0B54B08EFE15698F043BA4C7E2718
                                              SHA-512:FF5B1AF64B4D270F357EF095FCE65C5EB3C28A08A8D1FC19B4132104FF71939B16C154045068B7FF390DC1A6A02FB29CFF19EF3BFAE04AF61D8F9555E2BD4604
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):20480
                                              Entropy (8bit):1.6116634759911168
                                              Encrypted:false
                                              SSDEEP:48:c8PhP7uRc06WXJSjT52kFG1SyedCVEijkHgSbedCcb6QcZfQBj:zhP71JjTV01/nVLAgWnLQcZoB
                                              MD5:88D688E993E7B8C45176DDE6FDE594AC
                                              SHA1:C1BA567DD499FD207D78204A26B0E9931D8F49D1
                                              SHA-256:7A3453E6DAE54CA45EE06FAC24B5F57EE2832D8B622C14F7FB0336885DE8CD3C
                                              SHA-512:F6E40D7810258C06D8EBFB6AD7223F56DD76B4059B300092C6E28016F65CFAF32702CF26DC132C992CC5C3460DFA50BA1C2083E9DF1BCF52CD2F7085D58E6745
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):1.2293356823339858
                                              Encrypted:false
                                              SSDEEP:48:6JmuSth8FXzxT5tmT7Z8fdjS5SmTWHrLdjSIN8l/:KmAPTc8Zd5
                                              MD5:474331D3B274340B2EE1D5B7E526822E
                                              SHA1:A6BA38412BD010788F59F004DFEFF0C0BF12335A
                                              SHA-256:F27BCE3E71900F3EEE69AC87B23E0FA801E5671802F557E09012658309D41AE2
                                              SHA-512:EE1D7F30A0840F088FCF5032BF446B1274B48F4BA04760FD0356B0B77E366DB4FFEEDFBC51A64EC604BF3B9EAD869A04F5AA890C402075C334BE0F1EAD2EAD28
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):73728
                                              Entropy (8bit):0.15235188140464453
                                              Encrypted:false
                                              SSDEEP:48:PBj5Zfnb6QoSbedCaSyedCVEijkH9XFl:PBFZmQoWna/nVLA9X
                                              MD5:BBD96C97C1C47903CAA1948D6D09C5A4
                                              SHA1:311856D489571CE9DECE5651EED87BABA682938E
                                              SHA-256:C19B018AD7C170A0F83C17D11C63B974D39E20E54732A8C0E9396D966D4433B9
                                              SHA-512:BFAF1CB07B60DC9F209D533D6413CAC43F66BCB6657A167671BEB6AAFEC23159D88A1B1F610E9171E83C36860730E2BADABE4FB2995BF8410A27EBEE97281274
                                              Malicious:false
                                              Process:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              File Type:PE32+ executable (native) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):53760
                                              Entropy (8bit):6.239294014916115
                                              Encrypted:false
                                              SSDEEP:768:WJMRr2/jozwW9CPkj//3gYGNZGyIbkHxumE5SjxIVEk3li1fCQhNjRhs/yVuicvz:WWRrkQt2O7mj0yQ3IaTJ
                                              MD5:D346647292F014BB769B018685177FDC
                                              SHA1:09371366C65EA5502108C397483BA4BE3AB20C83
                                              SHA-256:E08A39970ABE15F011D20AA903F98B8F9F51392987B51FECF1544900FD9FA36F
                                              SHA-512:53C61E91064AB7C7D130018EF02DCCA16B3CEF1882E5238E7AB0FB2C64C49CF8D2C6601631053F70DED2C9D2BFCBAB28690732489950B447D02EF85584075C5F
                                              Malicious:false
                                              Process:C:\Program Files\TellerScan\Drivers\DevCon.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):49
                                              Entropy (8bit):4.1624392429166335
                                              Encrypted:false
                                              SSDEEP:3:STQF0/Q1Lv32en:DF0iPhn
                                              MD5:8790A7F8AC7B366CC94E1D6462EA154E
                                              SHA1:6315B9E45F20EE2E09DA953055F99C85CDEE03C5
                                              SHA-256:A0D8674F9E53F7EF4514BC163E5AEE13ABAC5293A7285F56783FA26CAB455BB2
                                              SHA-512:4C2DB80C4BB53B685E5FC3739A640DBE97245577120A0DA6E0E15B11E462269FE7D1DA6DAD6052EB703F9541BE83605766FD86331BA70DEBE4F0A326ABD666D1
                                              Malicious:false
                                              Preview:Scanning for new hardware...Scanning completed...
                                              Process:C:\Windows\SysWOW64\net1.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):37
                                              Entropy (8bit):3.6408290408368487
                                              Encrypted:false
                                              SSDEEP:3:gAxKEUTaa:gAMEe
                                              MD5:768165E0ABF16BF3056836D5431A7296
                                              SHA1:9FB3196BE60E49BFC319EBD9E0B103954D711E34
                                              SHA-256:B44C505B721E93E2A596577018CC65B993CD632B9FE7620A4B3DB54031AFFF5D
                                              SHA-512:1250EC40BA20F39A5B9A3AAFD45C63CB6F1BF48B89ACCE1F885470C936FB48A803081943C68458BA1ADCE92D5FE79D3E45682285F56ECB29884D41974269992D
                                              Malicious:false
                                              Preview:There are no entries in the list.....
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.973926470481774
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 98.81%
                                              • Windows ActiveX control (116523/4) 1.15%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              File size:22'396'720 bytes
                                              MD5:0b56217621818cb94a6c0d4c46166f52
                                              SHA1:79a1b1e0f100ed8d2711fbd32b6b50fe047c8d8d
                                              SHA256:8f5d5ae2cd2b40c022144cfa0aeced9287b565fa881bd0b867d74f7fa67a02c6
                                              SHA512:98074b1280466600bd609ff999ec3482d9a129da152b81dce9fc30c5bbd5f526a2f72a029a052409f2fcbe16133076749dbadb5e4cc0e8ae8c090df14fec0829
                                              SSDEEP:393216:HOEFuGhs5GFoMiEC9ubKqmuJqGVeQVXYanFOXFUbG+C/2J2Q02DFGIY7Log:hYX2muJX55uGCmO7Lh
                                              TLSH:01373341FBD188B6D839143540AB6725A935AE4D3B25C7C3AB187C773D323C366362EA
                                              File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L......P.................T...Z......oY.......p....@.......................... .......V.....................................................................
                                              Icon Hash:0536331b729a9a4a
                                              Entrypoint:0x41596f
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:
                                              Time Stamp:0x50E0DE88 [Mon Dec 31 00:38:32 2012 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f6baa5eaa8231d4fe8e922a2e6d240ea
                                              Instruction
                                              push ebp
                                              mov ebp, esp
                                              push FFFFFFFFh
                                              push 00419258h
                                              push 00415B00h
                                              mov eax, dword ptr fs:[00000000h]
                                              push eax
                                              mov dword ptr fs:[00000000h], esp
                                              sub esp, 68h
                                              push ebx
                                              push esi
                                              push edi
                                              mov dword ptr [ebp-18h], esp
                                              xor ebx, ebx
                                              mov dword ptr [ebp-04h], ebx
                                              push 00000002h
                                              call dword ptr [004171E0h]
                                              pop ecx
                                              or dword ptr [0041FC64h], FFFFFFFFh
                                              or dword ptr [0041FC68h], FFFFFFFFh
                                              call dword ptr [004171E4h]
                                              mov ecx, dword ptr [0041DC44h]
                                              mov dword ptr [eax], ecx
                                              call dword ptr [004171E8h]
                                              mov ecx, dword ptr [0041DC40h]
                                              mov dword ptr [eax], ecx
                                              mov eax, dword ptr [004171ECh]
                                              mov eax, dword ptr [eax]
                                              mov dword ptr [0041FC60h], eax
                                              call 00007F9100D2A542h
                                              cmp dword ptr [0041B8D0h], ebx
                                              jne 00007F9100D2A42Eh
                                              push 00415AF8h
                                              call dword ptr [004171F0h]
                                              pop ecx
                                              call 00007F9100D2A514h
                                              push 0041B060h
                                              push 0041B05Ch
                                              call 00007F9100D2A4FFh
                                              mov eax, dword ptr [0041DC3Ch]
                                              mov dword ptr [ebp-6Ch], eax
                                              lea eax, dword ptr [ebp-6Ch]
                                              push eax
                                              push dword ptr [0041DC38h]
                                              lea eax, dword ptr [ebp-64h]
                                              push eax
                                              lea eax, dword ptr [ebp-70h]
                                              push eax
                                              lea eax, dword ptr [ebp-60h]
                                              push eax
                                              call dword ptr [004171F8h]
                                              push 0041B058h
                                              push 0041B000h
                                              call 00007F9100D2A4CCh
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x196e4 | 0xc8 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20000 | 0x1500 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x17000 | 0x36c | .rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x1000 | 0x152ce | 0x15400 | False | 0.6056295955882353 | data | 6.643218462130764 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rdata | 0x17000 | 0x393a | 0x3a00 | False | 0.45103717672413796 | DOS executable (COM, 0x8C-variant) | 5.689626264669994 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data | 0x1b000 | 0x4c6c | 0xa00 | False | 0.491796875 | data | 4.314562375025698 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .rsrc | 0x20000 | 0x1500 | 0x1600 | False | 0.34765625 | data | 3.980788534313441 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                              RT_ICON | 0x201c0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1536 | Russian | Russia | 0.2579268292682927
                                              RT_ICON | 0x20828 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | Russian | Russia | 0.3803763440860215
                                              RT_ICON | 0x20b10 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 384 | Russian | Russia | 0.4344262295081967
                                              RT_ICON | 0x20cf8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Russian | Russia | 0.46621621621621623
                                              RT_GROUP_ICON | 0x20e20 | 0x3e | data | Russian | Russia | 0.8064516129032258
                                              RT_VERSION | 0x20e60 | 0x358 | data | English | United States | 0.47897196261682246
                                              RT_MANIFEST | 0x211b8 | 0x346 | ASCII text, with CRLF line terminators | English | United States | 0.5071599045346062
                                              DLL | Import
                                              COMCTL32.dll |
                                              SHELL32.dll | SHGetSpecialFolderPathW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteExW
                                              GDI32.dll | CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
                                              ADVAPI32.dll | FreeSid, AllocateAndInitializeSid, CheckTokenMembership
                                              USER32.dll | GetWindowLongW, GetMenu, SetWindowPos, GetWindowDC, ReleaseDC, GetDlgItem, GetParent, GetWindowRect, GetClassNameA, CreateWindowExW, SetTimer, GetMessageW, DispatchMessageW, KillTimer, DestroyWindow, SendMessageW, EndDialog, wsprintfW, GetWindowTextW, GetWindowTextLengthW, GetSysColor, wsprintfA, SetWindowTextW, MessageBoxA, ScreenToClient, GetClientRect, SetWindowLongW, UnhookWindowsHookEx, SetFocus, GetSystemMetrics, SystemParametersInfoW, ShowWindow, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, IsWindow, EnableMenuItem, GetSystemMenu, CreateWindowExA, wvsprintfW, CharUpperW, GetKeyState, CopyImage
                                              ole32.dll | CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
                                              OLEAUT32.dll | VariantClear, SysFreeString, OleLoadPicture, SysAllocString
                                              KERNEL32.dll | GetFileSize, SetFilePointer, ReadFile, WaitForMultipleObjects, GetModuleHandleA, SetFileTime, SetEndOfFile, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetCurrentDirectoryW, GetDriveTypeW, CreateFileW, GetCommandLineW, GetStartupInfoW, CreateProcessW, CreateJobObjectW, ResumeThread, AssignProcessToJobObject, CreateIoCompletionPort, SetInformationJobObject, GetQueuedCompletionStatus, GetExitCodeProcess, CloseHandle, SetEnvironmentVariableW, GetTempPathW, GetSystemTimeAsFileTime, lstrlenW, CompareFileTime, SetThreadLocale, FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, ExpandEnvironmentStringsW, WideCharToMultiByte, VirtualAlloc, GlobalMemoryStatusEx, lstrcmpW, GetEnvironmentVariableW, lstrcmpiW, lstrlenA, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, LoadLibraryA, GetProcAddress, GetModuleHandleW, ExitProcess, lstrcatW, GetDiskFreeSpaceExW, SetFileAttributesW, SetLastError, Sleep, GetExitCodeThread, WaitForSingleObject, CreateThread, GetLastError, SystemTimeToFileTime, GetLocalTime, GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetStartupInfoA
                                              MSVCRT.dll | ??3@YAXPAX@Z, ??2@YAPAXI@Z, memcmp, free, memcpy, _wtol, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, memset, _wcsnicmp, strncmp, wcsncmp, malloc, memmove, _purecall
                                              Language of compilation system | Country where language is spoken | Map
                                              Russian | Russia |
                                              English | United States |
                                              No network behavior found


                                              Target ID:0
                                              Start time:23:39:07
                                              Start date:30/08/2023
                                              Path:C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe
                                              Imagebase:0x400000
                                              File size:22'396'720 bytes
                                              MD5 hash:0B56217621818CB94A6C0D4C46166F52
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:false

                                              Target ID:1
                                              Start time:23:39:08
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                              Imagebase:0x7ff61d4c0000
                                              File size:53'744 bytes
                                              MD5 hash:9520A99E77D6196D0D09833146424113
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:false

                                              Target ID:2
                                              Start time:23:39:10
                                              Start date:30/08/2023
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7ZipSfx.000\setup.cmd" "
                                              Imagebase:0xbf0000
                                              File size:236'032 bytes
                                              MD5 hash:4943BA1A9B41D69643F69685E35B2943
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:false

                                              Target ID:3
                                              Start time:23:39:10
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7603a0000
                                              File size:885'760 bytes
                                              MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:4
                                              Start time:23:39:10
                                              Start date:30/08/2023
                                              Path:C:\Windows\SysWOW64\net.exe
                                              Wow64 process (32bit):true
                                              Commandline:NET SESSION
                                              Imagebase:0x8f0000
                                              File size:47'104 bytes
                                              MD5 hash:2D09708A2B7FD7391E50A1A8E4915BD7
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:5
                                              Start time:23:39:10
                                              Start date:30/08/2023
                                              Path:C:\Windows\SysWOW64\net1.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\net1 SESSION
                                              Imagebase:0x790000
                                              File size:140'288 bytes
                                              MD5 hash:DACD2D80B3942C3064B29BC0D0382EF3
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:6
                                              Start time:23:39:10
                                              Start date:30/08/2023
                                              Path:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerForDigitalCheck-TSSeries4.2.18.0-1.3.1.0.exe" /S
                                              Imagebase:0x400000
                                              File size:12'383'880 bytes
                                              MD5 hash:05B756A815EC4F1F2024A055B9B57128
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 2%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:7
                                              Start time:23:39:11
                                              Start date:30/08/2023
                                              Path:C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\ProgramData\Silver Bullet Technology\Ranger\RangerCore_4.2.18.0.exe" /S /D=C:\Program Files (x86)\Silver Bullet Technology\Ranger
                                              Imagebase:0x400000
                                              File size:8'100'616 bytes
                                              MD5 hash:4C81F04895E9C07D3F1E6DF691368C36
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:8
                                              Start time:23:39:12
                                              Start date:30/08/2023
                                              Path:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe /q /norestart
                                              Imagebase:0x1000000
                                              File size:5'073'240 bytes
                                              MD5 hash:B88228D5FEF4B6DC019D69D4471F23EC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:9
                                              Start time:23:39:14
                                              Start date:30/08/2023
                                              Path:C:\2c943420539b5d851ede182b60\Setup.exe
                                              Wow64 process (32bit):true
                                              Commandline:c:\2c943420539b5d851ede182b60\Setup.exe /q /norestart
                                              Imagebase:0x7f0000
                                              File size:78'152 bytes
                                              MD5 hash:006F8A615020A4A17F5E63801485DF46
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:10
                                              Start time:23:39:20
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\msiexec.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\msiexec.exe /V
                                              Imagebase:0x7ff738010000
                                              File size:67'072 bytes
                                              MD5 hash:2D9F692E71D9985F1C6237F063F6FE76
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:12
                                              Start time:23:39:27
                                              Start date:30/08/2023
                                              Path:C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Program Files (x86)\Silver Bullet Technology\Ranger\Logging\SBTLogServiceWindows.exe
                                              Imagebase:0x870000
                                              File size:42'496 bytes
                                              MD5 hash:80FAD3429D5F9AD94441BBF01580F701
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Has exited:false

                                              Target ID:13
                                              Start time:23:39:29
                                              Start date:30/08/2023
                                              Path:C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\ProgramData\Silver Bullet Technology\Ranger\DigitalCheck-TSSeries_Installer.exe" /S /D=C:\Program Files (x86)\Silver Bullet Technology\Ranger
                                              Imagebase:0x400000
                                              File size:4'173'748 bytes
                                              MD5 hash:6E410C4D1E5DDB837EF6CAD248EA5652
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 2%, ReversingLabs
                                              Has exited:true

                                              Target ID:14
                                              Start time:23:39:31
                                              Start date:30/08/2023
                                              Path:C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exe" /verysilent
                                              Imagebase:0x400000
                                              File size:1'202'023 bytes
                                              MD5 hash:8C66A75D40D8C12F3AF108AA2E0DA538
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 2%, ReversingLabs
                                              Has exited:true

                                              Target ID:15
                                              Start time:23:39:32
                                              Start date:30/08/2023
                                              Path:C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\is-NTJDL.tmp\TellerScanDriverV1107.tmp" /SL5="$50338,947705,67072,C:\Program Files (x86)\Silver Bullet Technology\Ranger\Scanner Plug-ins\DigitalCheck-TSSeries\Ranger\DigitalCheck-TSSeries\API Files\driver\TellerScanDriverV1107.exe" /verysilent
                                              Imagebase:0x400000
                                              File size:717'312 bytes
                                              MD5 hash:1789A04058130108337961A38192052C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Has exited:true

                                              Target ID:16
                                              Start time:23:39:33
                                              Start date:30/08/2023
                                              Path:C:\Program Files\TellerScan\Drivers\DevCon.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files\TellerScan\Drivers\DevCon.exe" disable *VID_08B1*
                                              Imagebase:0x1000000
                                              File size:55'808 bytes
                                              MD5 hash:C4B470269324517EE838789C7CF5E606
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:17
                                              Start time:23:39:33
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7603a0000
                                              File size:885'760 bytes
                                              MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:18
                                              Start time:23:39:34
                                              Start date:30/08/2023
                                              Path:C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe" /u tsusb2.inf /d /q
                                              Imagebase:0x7ff7fea50000
                                              File size:935'480 bytes
                                              MD5 hash:E90140FF5F5FF7521EA52F94BEC29F8C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:19
                                              Start time:23:39:35
                                              Start date:30/08/2023
                                              Path:C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\TellerScan\Drivers\64-bit\DPInst.exe" /sa
                                              Imagebase:0x7ff7fea50000
                                              File size:935'480 bytes
                                              MD5 hash:E90140FF5F5FF7521EA52F94BEC29F8C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:20
                                              Start time:23:39:36
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
                                              Imagebase:0x7ff61d4c0000
                                              File size:53'744 bytes
                                              MD5 hash:9520A99E77D6196D0D09833146424113
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:21
                                              Start time:23:39:36
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\drvinst.exe
                                              Wow64 process (32bit):false
                                              Commandline:DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{02e22527-048b-c641-9e9d-82d7d1e7f993}\tsusb2.inf" "9" "47095fa47" "00000000000001B0" "WinSta0\Default" "00000000000001B4" "208" "c:\program files\tellerscan\drivers\64-bit"
                                              Imagebase:0x7ff787440000
                                              File size:173'568 bytes
                                              MD5 hash:100997A8B475B1D1B173BE8941DFE1A6
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:22
                                              Start time:23:39:41
                                              Start date:30/08/2023
                                              Path:C:\Program Files\TellerScan\Drivers\DevCon.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files\TellerScan\Drivers\DevCon.exe" enable *VID_08B1*
                                              Imagebase:0x1000000
                                              File size:55'808 bytes
                                              MD5 hash:C4B470269324517EE838789C7CF5E606
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:23
                                              Start time:23:39:41
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7603a0000
                                              File size:885'760 bytes
                                              MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:24
                                              Start time:23:39:41
                                              Start date:30/08/2023
                                              Path:C:\Program Files\TellerScan\Drivers\DevCon.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files\TellerScan\Drivers\DevCon.exe" rescan
                                              Imagebase:0x1000000
                                              File size:55'808 bytes
                                              MD5 hash:C4B470269324517EE838789C7CF5E606
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:25
                                              Start time:23:39:41
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7603a0000
                                              File size:885'760 bytes
                                              MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:26
                                              Start time:23:39:46
                                              Start date:30/08/2023
                                              Path:C:\Windows\SysWOW64\regsvr32.exe
                                              Wow64 process (32bit):true
                                              Commandline:regsvr32 "C:\Windows\Downloaded Program Files\alttiff.ocx" /s
                                              Imagebase:0x7ff7d58a0000
                                              File size:20'992 bytes
                                              MD5 hash:EB3B90B6989227F590BB36356DF96A30
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:27
                                              Start time:23:39:47
                                              Start date:30/08/2023
                                              Path:C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerRemoteSecureInstaller.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installFiles\RangerRemoteSecureInstaller.exe" /S
                                              Imagebase:0x400000
                                              File size:7'314'832 bytes
                                              MD5 hash:3DAE48510B29272D4DEDB381647874FC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Has exited:false

                                              Target ID:28
                                              Start time:23:39:48
                                              Start date:30/08/2023
                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\msiExec" /i "RangerRemoteSecureInstaller.msi
                                              Imagebase:0x880000
                                              File size:59'904 bytes
                                              MD5 hash:F9A3EEE1C3A4067702BC9A59BC894285
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:29
                                              Start time:23:39:48
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\msiexec.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\msiexec.exe /V
                                              Imagebase:0x7ff738010000
                                              File size:67'072 bytes
                                              MD5 hash:2D9F692E71D9985F1C6237F063F6FE76
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:30
                                              Start time:23:39:50
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\installRangerRemoteSecure.bat""
                                              Imagebase:0x7ff6630b0000
                                              File size:280'064 bytes
                                              MD5 hash:9D59442313565C2E0860B88BF32B2277
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:31
                                              Start time:23:39:50
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7603a0000
                                              File size:885'760 bytes
                                              MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:32
                                              Start time:23:39:50
                                              Start date:30/08/2023
                                              Path:C:\Program Files (x86)\Carreker\Ranger Remote 1.4.2.1\Ranger Remote_v1.4.2.1_Installer.exe
                                              Wow64 process (32bit):true
                                              Commandline:"Ranger Remote_v1.4.2.1_Installer.exe" /wss /S
                                              Imagebase:0x400000
                                              File size:7'078'224 bytes
                                              MD5 hash:57C3754A9113DFAFE11AD022B9BE5C33
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 5%, ReversingLabs
                                              Has exited:false

                                              Target ID:33
                                              Start time:23:39:51
                                              Start date:30/08/2023
                                              Path:C:\Windows\SysWOW64\CheckNetIsolation.exe
                                              Wow64 process (32bit):true
                                              Commandline:CheckNetIsolation LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
                                              Imagebase:0xfa0000
                                              File size:26'624 bytes
                                              MD5 hash:2FBEB635ADD6F73B226EE4BE660201BB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:34
                                              Start time:23:39:52
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7603a0000
                                              File size:885'760 bytes
                                              MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:35
                                              Start time:23:39:52
                                              Start date:30/08/2023
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\remove_ms_certs.cmd""
                                              Imagebase:0xbf0000
                                              File size:236'032 bytes
                                              MD5 hash:4943BA1A9B41D69643F69685E35B2943
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:36
                                              Start time:23:39:52
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7603a0000
                                              File size:885'760 bytes
                                              MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:37
                                              Start time:23:39:52
                                              Start date:30/08/2023
                                              Path:C:\Windows\SysWOW64\certutil.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\system32\certutil.exe" -delstore "Root" "www.sbullet.com"
                                              Imagebase:0xc0000
                                              File size:1'276'416 bytes
                                              MD5 hash:46B60DBFFA3D5E1D6647E47B29EF7F69
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:38
                                              Start time:23:39:53
                                              Start date:30/08/2023
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\remove-FF-certs.cmd""
                                              Imagebase:0xbf0000
                                              File size:236'032 bytes
                                              MD5 hash:4943BA1A9B41D69643F69685E35B2943
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:39
                                              Start time:23:39:53
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7603a0000
                                              File size:885'760 bytes
                                              MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:40
                                              Start time:23:39:53
                                              Start date:30/08/2023
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\add_ms_certs.cmd""
                                              Imagebase:0xbf0000
                                              File size:236'032 bytes
                                              MD5 hash:4943BA1A9B41D69643F69685E35B2943
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:41
                                              Start time:23:39:53
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7603a0000
                                              File size:885'760 bytes
                                              MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:42
                                              Start time:23:39:54
                                              Start date:30/08/2023
                                              Path:C:\Windows\SysWOW64\certutil.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\system32\certutil.exe" -addstore -f "Root" "C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\rootCA.pem"
                                              Imagebase:0xc0000
                                              File size:1'276'416 bytes
                                              MD5 hash:46B60DBFFA3D5E1D6647E47B29EF7F69
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:43
                                              Start time:23:39:54
                                              Start date:30/08/2023
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Silver Bullet Technology\Ranger\Ranger Remote\Certificates\firefox_add-certs\add-certs.cmd""
                                              Imagebase:0xbf0000
                                              File size:236'032 bytes
                                              MD5 hash:4943BA1A9B41D69643F69685E35B2943
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:44
                                              Start time:23:39:54
                                              Start date:30/08/2023
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7603a0000
                                              File size:885'760 bytes
                                              MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:46
                                              Start time:23:39:55
                                              Start date:30/08/2023
                                              Path:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Local\Temp\vcredist_x86.exe /q /norestart
                                              Imagebase:0x1000000
                                              File size:5'073'240 bytes
                                              MD5 hash:B88228D5FEF4B6DC019D69D4471F23EC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:50
                                              Start time:23:39:57
                                              Start date:30/08/2023
                                              Path:C:\686fc0c283be14fef7\Setup.exe
                                              Wow64 process (32bit):true
                                              Commandline:c:\686fc0c283be14fef7\Setup.exe /q /norestart
                                              Imagebase:0xae0000
                                              File size:78'152 bytes
                                              MD5 hash:006F8A615020A4A17F5E63801485DF46
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Has exited:false

                                                Execution Graph

                                                Execution Coverage:43.1%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:22.5%
                                                Total number of Nodes:71
                                                Total number of Limit Nodes:9

                                                Control-flow Graph

                                                APIs
                                                • GetSystemDirectoryA.KERNEL32(?,00000208), ref: 010029FC
                                                • LoadLibraryA.KERNELBASE(?), ref: 01002A2B
                                                • GetProcAddress.KERNEL32(00000000,OpenCluster), ref: 01002A47
                                                • GetProcAddress.KERNEL32(00000000,CloseCluster), ref: 01002A5D
                                                • GetProcAddress.KERNEL32(00000000,GetNodeClusterState), ref: 01002A74
                                                • GetProcAddress.KERNEL32(00000000,GetClusterQuorumResource), ref: 01002A82
                                                • FreeLibrary.KERNELBASE(00000000), ref: 01002AF6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2887109010.0000000001002000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01002000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1002000_vcredist_x86.jbxd
                                                Similarity
                                                • API ID: AddressProc$Library$DirectoryFreeLoadSystem
                                                • String ID: CloseCluster$GetClusterQuorumResource$GetNodeClusterState$OpenCluster$\clusapi.dll
                                                • API String ID: 1303522615-3927317670
                                                • Opcode ID: 06a340b1da89dfb9c75108ed7bbb07d91fd9a92a21b0f34615cc9a053167089c
                                                • Instruction ID: 58cc90120aaaae1193b9abb678c188ec05ae692f01dcb1cc6c6543d780e01115
                                                • Opcode Fuzzy Hash: 06a340b1da89dfb9c75108ed7bbb07d91fd9a92a21b0f34615cc9a053167089c
                                                • Instruction Fuzzy Hash: F13147719002299BFB72DBA88D48FDA7BFC5F4A640F0442E5E544E2141DF748AC5DF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 73 1002b13-1002b4d GetDriveTypeA 74 1002b60-1002b80 CreateFileA 73->74 75 1002b4f-1002b50 73->75 78 1002b82-1002b9d DeviceIoControl 74->78 79 1002b57-1002b59 74->79 76 1002b52-1002b55 75->76 77 1002bae-1002bbc 75->77 76->79 80 1002b5b-1002b5e 76->80 81 1002ba5 78->81 82 1002b9f-1002ba3 78->82 79->77 80->77 83 1002ba7-1002ba8 CloseHandle 81->83 82->81 82->83 83->77
                                                APIs
                                                • GetDriveTypeA.KERNELBASE(?), ref: 01002B43
                                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 01002B75
                                                • DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 01002B95
                                                • CloseHandle.KERNEL32(00000000), ref: 01002BA8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2887109010.0000000001002000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01002000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1002000_vcredist_x86.jbxd
                                                Similarity
                                                • API ID: CloseControlCreateDeviceDriveFileHandleType
                                                • String ID: ?:\$\\.\?:
                                                • API String ID: 3103408351-3307214488
                                                • Opcode ID: 3117dc69225e51b8d6cbe70244c3c8ef1f3cc074aeab50d1f39909cfd467f65a
                                                • Instruction ID: 96b825b74241d8912b1bf084e53a85c8b322490675edc855e8f29042fc933e05
                                                • Opcode Fuzzy Hash: 3117dc69225e51b8d6cbe70244c3c8ef1f3cc074aeab50d1f39909cfd467f65a
                                                • Instruction Fuzzy Hash: DE119332901618BAE722DBA99C4CEEFBFADEB49360F144161F695F3180DA748645C7B0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • SetParent.USER32(?,000000FD), ref: 01002E8C
                                                • Sleep.KERNELBASE(000001F4), ref: 01002E9C
                                                • SetEvent.KERNEL32 ref: 01002EA8
                                                • SetEvent.KERNEL32 ref: 01002EBD
                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,Global\HotfixNoShutDown), ref: 01002ECC
                                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01002EEF
                                                • CloseHandle.KERNEL32(?), ref: 01002EF8
                                                • TerminateProcess.KERNEL32(0100D04C,00000001), ref: 01002F0F
                                                • EndDialog.USER32(?,00000000), ref: 01002F27
                                                Strings
                                                • Global\HotfixNoShutDown, xrefs: 01002EC3
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2887109010.0000000001002000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01002000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1002000_vcredist_x86.jbxd
                                                Similarity
                                                • API ID: Event$CloseCreateDialogHandleMultipleObjectsParentProcessSleepTerminateWait
                                                • String ID: Global\HotfixNoShutDown
                                                • API String ID: 2160021069-3107748146
                                                • Opcode ID: 7632d5ed8fddc22fbb024bd0995521ffe2418c25645053fa64f1a8f64bf53859
                                                • Instruction ID: 565771bbe1ded297f6e1eeab05adb2a6758b43a142e37d2f74b43153d2bd27e5
                                                • Opcode Fuzzy Hash: 7632d5ed8fddc22fbb024bd0995521ffe2418c25645053fa64f1a8f64bf53859
                                                • Instruction Fuzzy Hash: D2219271405214EFFB339FA4DD0C9AE7FB5EB09751F00816AF695920C9D7BA8980CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • SetErrorMode.KERNELBASE(00000000), ref: 01002901
                                                • SetErrorMode.KERNELBASE(00000000), ref: 0100290D
                                                • GetTickCount.KERNEL32 ref: 0100290F
                                                • sprintf.MSVCRT ref: 01002937
                                                • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0100294A
                                                • GetLastError.KERNEL32 ref: 01002954
                                                • RemoveDirectoryA.KERNELBASE(?), ref: 0100297C
                                                • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 01002990
                                                • SetErrorMode.KERNELBASE(?), ref: 010029A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2887109010.0000000001002000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01002000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1002000_vcredist_x86.jbxd
                                                Similarity
                                                • API ID: Error$Mode$Directory$CountCreateFileLastMoveRemoveTicksprintf
                                                • String ID: %s_%06u_
                                                • API String ID: 2138407651-2224866286
                                                • Opcode ID: ab0a3dc32ae3dd9d368f5023e268b07d4940d3b8d422d683fbebfc929d0ab5d6
                                                • Instruction ID: 2b5bf619bf93649879f906ab2fef4dd1de3e953bea1c10fa8e68832a185b186a
                                                • Opcode Fuzzy Hash: ab0a3dc32ae3dd9d368f5023e268b07d4940d3b8d422d683fbebfc929d0ab5d6
                                                • Instruction Fuzzy Hash: AC2162719002189BEB22DB64CC4DBDA77BEEB54341F0040A6E685E2181D7B99A84CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • RtlEnterCriticalSection.NTDLL(0100D060), ref: 01002D82
                                                • CloseHandle.KERNEL32(0100C4A4,?,00000000,?,01002F03), ref: 01002D98
                                                • CloseHandle.KERNEL32(0100C020,?,00000000,?,01002F03), ref: 01002DAC
                                                • DeleteFileA.KERNELBASE(00000000,?,00000000,?,01002F03), ref: 01002DD0
                                                • GetLastError.KERNEL32(?,00000000,?,01002F03), ref: 01002DDA
                                                • MoveFileExA.KERNEL32(00000000,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 01002DF1
                                                • RemoveDirectoryA.KERNELBASE(00000000,?,00000000,?,01002F03), ref: 01002E12
                                                • GetLastError.KERNEL32(?,00000000,?,01002F03), ref: 01002E1C
                                                • MoveFileExA.KERNEL32(00000000,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 01002E33
                                                • RtlLeaveCriticalSection.NTDLL(0100D060), ref: 01002E44
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2887109010.0000000001002000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01002000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1002000_vcredist_x86.jbxd
                                                Similarity
                                                • API ID: File$CloseCriticalErrorHandleLastMoveSection$DeleteDirectoryEnterLeaveRemove
                                                • String ID:
                                                • API String ID: 3032557604-0
                                                • Opcode ID: 2a2974ac5940014a36d8b734e7ae464734aed0013697c2f22aefec969e3d7cea
                                                • Instruction ID: eaeb66f063d6c446da59646d057841921a657097434ac8a43aedc69f3ce3f5a1
                                                • Opcode Fuzzy Hash: 2a2974ac5940014a36d8b734e7ae464734aed0013697c2f22aefec969e3d7cea
                                                • Instruction Fuzzy Hash: 9E219F316403409BF6B3DB58DA4DB1A7BAAEB04721F164595F6D6E31C5C739EC00CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 85 1002821-100282f 86 10028d2-10028d3 85->86 87 1002835-1002861 SetFilePointer ReadFile 85->87 88 1002863-1002866 87->88 89 10028c9 87->89 88->89 90 1002868-1002872 88->90 91 10028d0-10028d1 89->91 90->89 92 1002874-100287b 90->92 91->86 92->91 93 100287d-10028b2 _snprintf 92->93 93->91 94 10028b4-10028be 93->94 94->91 95 10028c0-10028c7 94->95 95->91
                                                APIs
                                                • SetFilePointer.KERNELBASE(0100C020,00000000,00000000,00000000), ref: 0100283D
                                                • ReadFile.KERNELBASE(0100C8C0,00000314,?,00000000), ref: 01002859
                                                • _snprintf.MSVCRT ref: 0100289F
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2887109010.0000000001002000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01002000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1002000_vcredist_x86.jbxd
                                                Similarity
                                                • API ID: File$PointerRead_snprintf
                                                • String ID:
                                                • API String ID: 1063975976-0
                                                • Opcode ID: cbd71d36e9f98fb81e9e7a2f7e14d0f9a5e3fb102f12bd1d6d3dfab898bb688e
                                                • Instruction ID: 9dcb7796340e3617a47c656186b8592bb183c83f9254e4a58000cb69e97ca3b5
                                                • Opcode Fuzzy Hash: cbd71d36e9f98fb81e9e7a2f7e14d0f9a5e3fb102f12bd1d6d3dfab898bb688e
                                                • Instruction Fuzzy Hash: F311A176501344ABF7338768AA8DB623BD8A706374F1403D9F5D1A20DAC37A4B84C379
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 96 1002c7c-1002c88 97 1002c92-1002ca8 SetFilePointer 96->97 98 1002c8a-1002c90 96->98 98->97
                                                APIs
                                                • SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 01002C9B
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2887109010.0000000001002000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01002000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1002000_vcredist_x86.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: d8d5cd754932263745f338520652626db3bdb25572505ccd5790d85f059cf7dc
                                                • Instruction ID: 4670c305a0b7d71b77fc1b6fc64dcd010d39b6e931a86f05cad5b7c8d19ffb63
                                                • Opcode Fuzzy Hash: d8d5cd754932263745f338520652626db3bdb25572505ccd5790d85f059cf7dc
                                                • Instruction Fuzzy Hash: 8CD01731100208AFEB22CF48DD09FAA7BA9FB40314F058254F99C86195C776A9A4DB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 105 10027cb-10027f7 GetVersionExA 106 10027f9-1002800 105->106 107 100280b-100280e 105->107 108 1002810 106->108 109 1002802-1002809 106->109 110 1002812-100281b 107->110 108->110 109->107 109->108
                                                APIs
                                                • GetVersionExA.KERNEL32(?), ref: 010027EF
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2887109010.0000000001002000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01002000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1002000_vcredist_x86.jbxd
                                                Similarity
                                                • API ID: Version
                                                • String ID:
                                                • API String ID: 1889659487-0
                                                • Opcode ID: 0b77bcda45160af96775c89c99d7a5d1d2c7b8bcf4d27124b39cac3888ca3143
                                                • Instruction ID: c6536e718c8713315a9d56b800156f7705b53d0c11cabf3dab7a94e563be92ee
                                                • Opcode Fuzzy Hash: 0b77bcda45160af96775c89c99d7a5d1d2c7b8bcf4d27124b39cac3888ca3143
                                                • Instruction Fuzzy Hash: AEE06D349012189BEBB2DB34C94DB9976F9AB05204F1084F5A58EE22C1DA308B8ACB11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:15%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:2.6%
                                                Total number of Nodes:2000
                                                Total number of Limit Nodes:34
6c7cc01a 53558->53567 53583 6c7d1247 _DecodePointerInternal 53558->53583 53560->53558 53561 6c7cc028 53560->53561 53561->53522 53584 6c7cbd29 66 API calls __getptd_noexit 53563->53584 53585 6c7cbd29 66 API calls __getptd_noexit 53567->53585 53570 6c7cbe19 HeapFree 53569->53570 53571 6c7cbe42 __dosmaperr 53569->53571 53570->53571 53572 6c7cbe2e 53570->53572 53571->53549 53588 6c7cbd29 66 API calls __getptd_noexit 53572->53588 53574 6c7cbe34 GetLastError 53574->53571 53575->53542 53576->53539 53577->53549 53578->53548 53579->53545 53580->53555 53581->53555 53583->53558 53584->53567 53585->53561 53586->53556 53587->53561 53588->53574 53589->53526 53591 6c7d54fd RtlFreeHeap 53590->53591 53592 6c7d550b 53590->53592 53591->53592 53592->53404 53594 6c773a16 ctype 111 API calls 53593->53594 53595 6c7741e9 53594->53595 53596 6c7741fa 53595->53596 53597 6c773a16 ctype 111 API calls 53595->53597 53596->53381 53598 6c773a16 53596->53598 53597->53596 53599 6c773a22 __EH_prolog3 53598->53599 53600 6c7a833e ctype 110 API calls 53599->53600 53601 6c773a36 53600->53601 53648 6c7a88d1 53601->53648 53604 6c7c8eab std::bad_exception::bad_exception 67 API calls 53605 6c773a50 53604->53605 53606 6c7a88d1 ctype 102 API calls 53605->53606 53607 6c773a62 53606->53607 53655 6c7a8cd5 53607->53655 53609 6c773a73 53661 6c7a8c7a 53609->53661 53611 6c773a8f ctype 53612 6c7a8cd5 ctype 101 API calls 53611->53612 53618 6c773ad6 ctype 53611->53618 53613 6c773abc 53612->53613 53615 6c7a8c7a ctype 101 API calls 53613->53615 53614 6c773b0c 53617 6c773b1f 53614->53617 53619 6c7c8f0e ctype RtlFreeHeap 53614->53619 53615->53618 53616 6c7c8f0e ctype RtlFreeHeap 53616->53614 53620 6c773b32 53617->53620 53621 6c7c8f0e ctype RtlFreeHeap 53617->53621 53618->53614 53618->53616 53619->53617 53622 6c773b4c 53620->53622 53623 6c7c8f0e ctype RtlFreeHeap 53620->53623 53621->53620 53624 6c7a8cd5 ctype 101 API calls 53622->53624 53626 6c773b52 53622->53626 53623->53622 53625 6c773b6b 53624->53625 53667 6c7a8a98 
53625->53667 53628 6c7c8f0e ctype RtlFreeHeap 53626->53628 53630 6c773c74 53628->53630 53632 6c7c8f0e ctype RtlFreeHeap 53630->53632 53634 6c773c7f ctype 53632->53634 53634->53381 53635 6c773bf2 53637 6c773c13 53635->53637 53639 6c7c8f0e ctype RtlFreeHeap 53635->53639 53636 6c7a8cd5 ctype 101 API calls 53638 6c773bb6 53636->53638 53640 6c773c26 53637->53640 53642 6c7c8f0e ctype RtlFreeHeap 53637->53642 53641 6c7a8a98 ctype 67 API calls 53638->53641 53639->53637 53643 6c773c39 53640->53643 53645 6c7c8f0e ctype RtlFreeHeap 53640->53645 53644 6c773bda 53641->53644 53642->53640 53643->53626 53647 6c7c8f0e ctype RtlFreeHeap 53643->53647 53646 6c7a85bc ctype KiUserExceptionDispatcher 53644->53646 53645->53643 53646->53635 53647->53626 53649 6c7c8d91 ctype 70 API calls 53648->53649 53650 6c7a88e2 53649->53650 53678 6c7ccb99 53650->53678 53653 6c7c8dcd ctype 101 API calls 53654 6c773a42 53653->53654 53654->53604 53656 6c7a8ce1 __EH_prolog3 ctype 53655->53656 53657 6c7c8e54 ctype KiUserExceptionDispatcher 53656->53657 53658 6c7a8cfa ctype 53657->53658 53761 6c7affa8 53658->53761 53660 6c7a8d21 ctype 53660->53609 53662 6c7a8c86 __EH_prolog3 ctype 53661->53662 53663 6c7c8e54 ctype KiUserExceptionDispatcher 53662->53663 53664 6c7a8c9f ctype 53663->53664 53665 6c7affa8 ctype 101 API calls 53664->53665 53666 6c7a8cc2 ctype 53665->53666 53666->53611 53668 6c7a8aab 53667->53668 53669 6c7a8ab6 53668->53669 53670 6c7a8ac8 ctype 53668->53670 53671 6c7c8eab std::bad_exception::bad_exception 67 API calls 53669->53671 53770 6c7afeb7 67 API calls 3 library calls 53670->53770 53672 6c773b8c 53671->53672 53674 6c7a85bc 53672->53674 53675 6c7a85c5 53674->53675 53677 6c773ba1 53674->53677 53676 6c7c8e8c ctype KiUserExceptionDispatcher 53675->53676 53676->53677 53677->53635 53677->53636 53681 6c7ccb61 53678->53681 53686 6c7cc12f 53681->53686 53687 6c7cc142 53686->53687 53693 6c7cc18f 53686->53693 53727 6c7cd3d1 66 API calls 2 library calls 53687->53727 53689 6c7cc147 53690 6c7cc16f 
53689->53690 53728 6c7d1edb 74 API calls 6 library calls 53689->53728 53690->53693 53729 6c7d172d 68 API calls 6 library calls 53690->53729 53694 6c7cc9ec 53693->53694 53695 6c7cca1c _wcsnlen 53694->53695 53696 6c7cca08 53694->53696 53695->53696 53699 6c7cca33 53695->53699 53738 6c7cbd29 66 API calls __getptd_noexit 53696->53738 53698 6c7cca0d 53739 6c7cecf4 11 API calls _memcpy_s 53698->53739 53706 6c7cca17 53699->53706 53740 6c7d2016 LCMapStringW _wcsnlen 53699->53740 53702 6c7cca79 53703 6c7cca9c 53702->53703 53704 6c7cca85 53702->53704 53708 6c7ccaa1 53703->53708 53717 6c7ccab2 53703->53717 53741 6c7cbd29 66 API calls __getptd_noexit 53704->53741 53730 6c7cb091 53706->53730 53743 6c7cbd29 66 API calls __getptd_noexit 53708->53743 53709 6c7a88ec 53709->53653 53710 6c7cca8a 53742 6c7cbd29 66 API calls __getptd_noexit 53710->53742 53712 6c7ccafd 53744 6c7cbd29 66 API calls __getptd_noexit 53712->53744 53713 6c7ccb0a 53745 6c7d2016 LCMapStringW _wcsnlen 53713->53745 53718 6c7cbfb3 _malloc 66 API calls 53717->53718 53720 6c7ccacd __crtGetStringTypeA_stat 53717->53720 53718->53720 53719 6c7ccb1d 53721 6c7ccb24 53719->53721 53722 6c7ccb35 53719->53722 53720->53712 53720->53713 53746 6c7cb927 53721->53746 53755 6c7cbd29 66 API calls __getptd_noexit 53722->53755 53725 6c7ccb2e 53756 6c7cc244 66 API calls _free 53725->53756 53727->53689 53728->53690 53729->53693 53731 6c7cb099 53730->53731 53732 6c7cb09b IsDebuggerPresent 53730->53732 53731->53709 53757 6c7d2cf7 53732->53757 53735 6c7ce6f5 SetUnhandledExceptionFilter UnhandledExceptionFilter 53736 6c7ce71a GetCurrentProcess TerminateProcess 53735->53736 53737 6c7ce712 __call_reportfault 53735->53737 53736->53709 53737->53736 53738->53698 53739->53706 53740->53702 53741->53710 53742->53706 53743->53698 53744->53710 53745->53719 53747 6c7cb93c 53746->53747 53748 6c7cb935 53746->53748 53758 6c7cbd29 66 API calls __getptd_noexit 53747->53758 53748->53747 53752 6c7cb95d 53748->53752 53751 6c7cb94b 53751->53725 53752->53751 
53760 6c7cbd29 66 API calls __getptd_noexit 53752->53760 53754 6c7cb941 53759 6c7cecf4 11 API calls _memcpy_s 53754->53759 53755->53725 53756->53706 53757->53735 53758->53754 53759->53751 53760->53754 53762 6c7c8d91 ctype 70 API calls 53761->53762 53763 6c7affc2 53762->53763 53764 6c7cb1f3 _memcpy_s 66 API calls 53763->53764 53765 6c7affd3 53764->53765 53766 6c7cb1f3 _memcpy_s 66 API calls 53765->53766 53767 6c7affe3 53766->53767 53768 6c7c8dcd ctype 101 API calls 53767->53768 53769 6c7afff1 53768->53769 53769->53660 53770->53672 53772 6c7741bd 53771->53772 53773 6c7b6583 53771->53773 53774 6c7b65a0 53773->53774 53775 6c7c8f0e ctype RtlFreeHeap 53773->53775 53776 6c7cbe0e _free 66 API calls 53774->53776 53775->53773 53776->53772 53796 6c7cb059 53797 6c7cb069 53796->53797 53798 6c7cb064 53796->53798 53802 6c7caf5e 53797->53802 53810 6c7ce588 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 53798->53810 53801 6c7cb077 53804 6c7caf6a __write 53802->53804 53803 6c7cafb7 ___DllMainCRTStartup 53805 6c7cb007 __write 53803->53805 53808 6c7cadf5 __CRT_INIT@12 149 API calls 53803->53808 53809 6c7cafe7 53803->53809 53804->53803 53804->53805 53811 6c7cadf5 53804->53811 53805->53801 53807 6c7cadf5 __CRT_INIT@12 149 API calls 53807->53805 53808->53809 53809->53805 53809->53807 53810->53797 53812 6c7cae01 __write 53811->53812 53813 6c7cae09 53812->53813 53814 6c7cae83 53812->53814 53863 6c7ce1d6 HeapCreate 53813->53863 53816 6c7cae89 53814->53816 53817 6c7caee4 53814->53817 53821 6c7caea7 53816->53821 53830 6c7cae12 __write 53816->53830 53933 6c7cdacb 66 API calls _doexit 53816->53933 53818 6c7caee9 53817->53818 53819 6c7caf42 53817->53819 53919 6c7cd21f TlsGetValue 53818->53919 53819->53830 53939 6c7cd524 79 API calls __freefls@4 53819->53939 53820 6c7cae0e 53820->53830 53864 6c7cd597 GetModuleHandleW 53820->53864 53826 6c7caebb 53821->53826 53934 6c7cdd4c 67 API calls _free 53821->53934 53937 6c7caece 70 API calls __mtterm 
53826->53937 53829 6c7cae1e __RTC_Initialize 53834 6c7cae22 53829->53834 53840 6c7cae2e GetCommandLineA 53829->53840 53830->53803 53928 6c7ce1f9 HeapDestroy 53834->53928 53835 6c7caeb1 53935 6c7cd258 70 API calls _free 53835->53935 53836 6c7caf06 _DecodePointerInternal 53841 6c7caf1b 53836->53841 53839 6c7caeb6 53936 6c7ce1f9 HeapDestroy 53839->53936 53889 6c7ce0e4 GetEnvironmentStringsW 53840->53889 53844 6c7caf1f 53841->53844 53845 6c7caf36 53841->53845 53938 6c7cd29a 66 API calls 4 library calls 53844->53938 53848 6c7cbe0e _free 66 API calls 53845->53848 53848->53830 53850 6c7caf26 GetCurrentThreadId 53850->53830 53851 6c7cae48 53852 6c7cae4c 53851->53852 53930 6c7ce024 95 API calls 3 library calls 53851->53930 53929 6c7cd258 70 API calls _free 53852->53929 53855 6c7cae58 53856 6c7cae6c 53855->53856 53903 6c7cdda4 53855->53903 53862 6c7cae71 53856->53862 53932 6c7cdd4c 67 API calls _free 53856->53932 53860 6c7cae81 53860->53852 53862->53830 53863->53820 53865 6c7cd5ab 53864->53865 53866 6c7cd5b4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 53864->53866 53940 6c7cd258 70 API calls _free 53865->53940 53868 6c7cd5fe TlsAlloc 53866->53868 53871 6c7cd64c TlsSetValue 53868->53871 53872 6c7cd70d 53868->53872 53869 6c7cd5b0 53869->53829 53871->53872 53873 6c7cd65d 53871->53873 53872->53829 53941 6c7cd86e _EncodePointerInternal _EncodePointerInternal __init_pointers _raise __initp_misc_winsig 53873->53941 53875 6c7cd662 _EncodePointerInternal _EncodePointerInternal _EncodePointerInternal _EncodePointerInternal 53942 6c7d24bd InitializeCriticalSectionAndSpinCount 53875->53942 53877 6c7cd6a1 53878 6c7cd708 53877->53878 53879 6c7cd6a5 _DecodePointerInternal 53877->53879 53944 6c7cd258 70 API calls _free 53878->53944 53881 6c7cd6ba 53879->53881 53881->53878 53882 6c7cd761 __calloc_crt 66 API calls 53881->53882 53883 6c7cd6d0 53882->53883 53883->53878 53884 6c7cd6d8 _DecodePointerInternal 53883->53884 53885 6c7cd6e9 53884->53885 53885->53878 53886 6c7cd6ed 
53885->53886 53943 6c7cd29a 66 API calls 4 library calls 53886->53943 53888 6c7cd6f5 GetCurrentThreadId 53888->53872 53890 6c7ce100 WideCharToMultiByte 53889->53890 53895 6c7cae3e 53889->53895 53892 6c7ce16d FreeEnvironmentStringsW 53890->53892 53893 6c7ce135 53890->53893 53892->53895 53945 6c7cd717 53893->53945 53902 6c7cdb02 73 API calls __calloc_crt 53895->53902 53897 6c7ce143 WideCharToMultiByte 53898 6c7ce155 53897->53898 53899 6c7ce161 FreeEnvironmentStringsW 53897->53899 53900 6c7cbe0e _free 66 API calls 53898->53900 53899->53895 53901 6c7ce15d 53900->53901 53901->53899 53902->53851 53904 6c7cddad 53903->53904 53907 6c7cddb2 _strlen 53903->53907 53951 6c7d1be4 94 API calls __setmbcp 53904->53951 53906 6c7cd761 __calloc_crt 66 API calls 53913 6c7cdde7 _strlen 53906->53913 53907->53906 53910 6c7cae61 53907->53910 53908 6c7cde36 53909 6c7cbe0e _free 66 API calls 53908->53909 53909->53910 53910->53856 53931 6c7cd8cf 77 API calls 4 library calls 53910->53931 53911 6c7cd761 __calloc_crt 66 API calls 53911->53913 53912 6c7cde5c 53914 6c7cbe0e _free 66 API calls 53912->53914 53913->53908 53913->53910 53913->53911 53913->53912 53916 6c7cde73 53913->53916 53952 6c7d2a21 66 API calls _memcpy_s 53913->53952 53914->53910 53953 6c7cec98 10 API calls __call_reportfault 53916->53953 53918 6c7cde7f 53920 6c7caeee 53919->53920 53921 6c7cd234 _DecodePointerInternal TlsSetValue 53919->53921 53922 6c7cd761 53920->53922 53921->53920 53925 6c7cd76a 53922->53925 53924 6c7caefa 53924->53830 53924->53836 53925->53924 53926 6c7cd788 Sleep 53925->53926 53954 6c7d0eda 53925->53954 53927 6c7cd79d 53926->53927 53927->53924 53927->53925 53928->53830 53929->53834 53930->53855 53931->53856 53932->53860 53933->53821 53934->53835 53935->53839 53936->53826 53937->53830 53938->53850 53939->53830 53940->53869 53941->53875 53942->53877 53943->53888 53944->53872 53947 6c7cd720 53945->53947 53946 6c7cbfb3 _malloc 65 API calls 53946->53947 53947->53946 53948 6c7cd756 53947->53948 53949 6c7cd737 Sleep 
53947->53949 53948->53892 53948->53897 53950 6c7cd74c 53949->53950 53950->53947 53950->53948 53951->53907 53952->53913 53953->53918 53955 6c7d0ee6 53954->53955 53956 6c7d0f01 53954->53956 53955->53956 53957 6c7d0ef2 53955->53957 53958 6c7d0f14 RtlAllocateHeap 53956->53958 53962 6c7d0f3b 53956->53962 53964 6c7d1247 _DecodePointerInternal 53956->53964 53963 6c7cbd29 66 API calls __getptd_noexit 53957->53963 53958->53956 53958->53962 53960 6c7d0ef7 53960->53925 53962->53925 53963->53960 53964->53956 53965 6c7a830c 53972 6c7af821 53965->53972 54028 6c7a76a7 53972->54028 53974 6c7af845 _memset 53975 6c7af860 GetEnvironmentVariableW 53974->53975 53976 6c7af8be 53975->53976 53978 6c7af87e 53975->53978 53977 6c7cb091 __NMSG_WRITE 5 API calls 53976->53977 53979 6c7a831d 53977->53979 53978->53976 53980 6c7af8b8 DebugBreak 53978->53980 53981 6c7af8d1 53979->53981 53980->53976 53982 6c7af8dd __EH_prolog3_catch 53981->53982 54393 6c773834 53982->54393 53985 6c773e77 ctype 114 API calls 53986 6c7af8fa 53985->53986 54397 6c774272 53986->54397 53989 6c7afa03 54487 6c7a7f6a 53989->54487 53995 6c7af92b 54461 6c7743c4 53995->54461 53998 6c7af96d 54000 6c7c8f0e ctype RtlFreeHeap 53998->54000 53999 6c7afa48 54002 6c7c8f0e ctype RtlFreeHeap 53999->54002 54001 6c7af980 54000->54001 54001->53989 54004 6c7a833e ctype 110 API calls 54001->54004 54003 6c7afa53 54002->54003 54543 6c7bb390 54003->54543 54006 6c7af992 54004->54006 54009 6c7a833e ctype 110 API calls 54006->54009 54011 6c7af9a4 54009->54011 54469 6c7a75b5 54011->54469 54016 6c7c8f0e ctype RtlFreeHeap 54017 6c7af9c0 54016->54017 54018 6c7c8f0e ctype RtlFreeHeap 54017->54018 54019 6c7af9cf 54018->54019 54021 6c7a833e ctype 110 API calls 54019->54021 54029 6c7a76b3 __EH_prolog3 54028->54029 54054 6c7cc0aa 54029->54054 54032 6c7a7716 54074 6c7777af RegOpenKeyExW 54032->54074 54036 6c7cc0aa ctype 77 API calls 54037 6c7a772f GetModuleHandleW 54036->54037 54039 6c7a776f SetUnhandledExceptionFilter GetCommandLineW 54037->54039 54040 
6c7a7752 GetProcAddress 54037->54040 54042 6c773e77 ctype 114 API calls 54039->54042 54040->54039 54041 6c7a7769 SetThreadStackGuarantee 54040->54041 54041->54039 54043 6c7a778a 54042->54043 54082 6c7b9293 GetCommandLineW 54043->54082 54046 6c77420c 111 API calls 54047 6c7a779d 54046->54047 54048 6c773a16 ctype 111 API calls 54047->54048 54049 6c7a77c5 54048->54049 54050 6c7741d6 111 API calls 54049->54050 54051 6c7a77d0 54050->54051 54052 6c7741a9 ctype 67 API calls 54051->54052 54053 6c7a7805 ctype 54052->54053 54053->53974 54057 6c7cc0b4 54054->54057 54055 6c7cbfb3 _malloc 66 API calls 54055->54057 54056 6c7a7704 54056->54032 54066 6c777c6e 54056->54066 54057->54055 54057->54056 54059 6c7cc0d0 std::exception::exception 54057->54059 54095 6c7d1247 _DecodePointerInternal 54057->54095 54064 6c7cc10e 54059->54064 54096 6c7cb1d7 76 API calls __cinit 54059->54096 54061 6c7cc118 54062 6c7d14aa __CxxThrowException@8 KiUserExceptionDispatcher 54061->54062 54065 6c7cc129 54062->54065 54097 6c7d13ee 66 API calls std::exception::operator= 54064->54097 54067 6c777c7a __EH_prolog3 54066->54067 54068 6c7c8e54 ctype KiUserExceptionDispatcher 54067->54068 54069 6c777cad 54068->54069 54070 6c7c8e54 ctype KiUserExceptionDispatcher 54069->54070 54071 6c777cba 54070->54071 54098 6c777ce8 54071->54098 54073 6c777cd9 ctype 54073->54032 54075 6c7777f2 RegCreateKeyExW 54074->54075 54076 6c77785b RegCloseKey 54074->54076 54075->54076 54077 6c77780f 54075->54077 54078 6c7cb091 __NMSG_WRITE 5 API calls 54076->54078 54231 6c77787b 54077->54231 54080 6c777874 54078->54080 54080->54036 54081 6c77781a RegSetValueExW RegSetValueExW 54081->54076 54083 6c773e77 ctype 114 API calls 54082->54083 54084 6c7b92d0 54083->54084 54295 6c774486 54084->54295 54087 6c7c8f0e ctype RtlFreeHeap 54088 6c7b92f4 54087->54088 54094 6c7b92f8 54088->54094 54298 6c77423c 111 API calls ctype 54088->54298 54090 6c7b9320 54092 6c773a16 ctype 111 API calls 54090->54092 54090->54094 54091 6c7741a9 ctype 67 API calls 54093 
6c7a7793 54091->54093 54092->54094 54093->54046 54094->54091 54095->54057 54096->54064 54097->54061 54099 6c777cf4 __EH_prolog3 54098->54099 54100 6c7a833e ctype 110 API calls 54099->54100 54101 6c777d16 54100->54101 54122 6c777ee4 54101->54122 54103 6c777d25 54104 6c7c8f0e ctype RtlFreeHeap 54103->54104 54105 6c777d34 54104->54105 54130 6c775dd0 54105->54130 54107 6c777d3d ctype 54108 6c7c8f0e ctype RtlFreeHeap 54107->54108 54109 6c777d5c 54108->54109 54110 6c775dd0 113 API calls 54109->54110 54111 6c777d65 ctype 54110->54111 54112 6c7c8f0e ctype RtlFreeHeap 54111->54112 54113 6c777d8a ctype 54112->54113 54144 6c775485 54113->54144 54115 6c777daf ctype 54116 6c7c8f0e ctype RtlFreeHeap 54115->54116 54117 6c777dd4 54116->54117 54154 6c77575e 54117->54154 54119 6c777ddd ctype 54120 6c7c8f0e ctype RtlFreeHeap 54119->54120 54121 6c777e02 ctype 54120->54121 54121->54073 54123 6c777ef0 __EH_prolog3 54122->54123 54124 6c7c8eab std::bad_exception::bad_exception 67 API calls 54123->54124 54125 6c777f06 54124->54125 54159 6c7a84b9 54125->54159 54128 6c7c8f0e ctype RtlFreeHeap 54129 6c777f26 ctype 54128->54129 54129->54103 54131 6c775ddc __EH_prolog3 54130->54131 54168 6c775c6f 54131->54168 54133 6c775df0 54134 6c7c8eab std::bad_exception::bad_exception 67 API calls 54133->54134 54135 6c775e01 54134->54135 54178 6c775e41 54135->54178 54137 6c775e13 54138 6c7a84b9 ctype 101 API calls 54137->54138 54139 6c775e1c 54138->54139 54140 6c7c8f0e ctype RtlFreeHeap 54139->54140 54141 6c775e27 54140->54141 54142 6c7c8f0e ctype RtlFreeHeap 54141->54142 54143 6c775e32 ctype 54142->54143 54143->54107 54213 6c7d6e1a 54144->54213 54146 6c775491 GetModuleHandleW 54147 6c7754a6 54146->54147 54148 6c7754b3 GetProcAddress 54146->54148 54149 6c7a833e ctype 110 API calls 54147->54149 54150 6c7754c5 54148->54150 54151 6c7754cb GetNativeSystemInfo 54148->54151 54153 6c7754b1 ctype 54149->54153 54150->54151 54214 6c774ea3 54151->54214 54153->54115 54225 6c775727 GetModuleHandleW 54154->54225 54158 
6c77578e 54158->54119 54160 6c7a84c8 54159->54160 54161 6c777f1e 54159->54161 54162 6c7a84ea 54160->54162 54163 6c7a84d5 54160->54163 54161->54128 54164 6c7c8bdc ctype 101 API calls 54162->54164 54165 6c7c8eab std::bad_exception::bad_exception 67 API calls 54163->54165 54164->54161 54166 6c7a84da 54165->54166 54167 6c7c8f0e ctype RtlFreeHeap 54166->54167 54167->54161 54169 6c775c7b __EH_prolog3 54168->54169 54171 6c7c8d3a ctype 70 API calls 54169->54171 54172 6c775cb4 54169->54172 54170 6c775cc6 GetModuleFileNameW 54174 6c7a833e ctype 110 API calls 54170->54174 54171->54172 54172->54170 54173 6c7c8e8c ctype KiUserExceptionDispatcher 54172->54173 54173->54170 54175 6c775ce8 54174->54175 54176 6c7c8f0e ctype RtlFreeHeap 54175->54176 54177 6c775cf0 ctype 54176->54177 54177->54133 54179 6c775e4d __EH_prolog3 54178->54179 54180 6c7a833e ctype 110 API calls 54179->54180 54181 6c775e66 54180->54181 54182 6c7c8eab std::bad_exception::bad_exception 67 API calls 54181->54182 54183 6c775e77 PathFindFileNameW 54182->54183 54184 6c775e8e PathFindExtensionW 54183->54184 54186 6c775eab 54184->54186 54199 6c7a89f0 54186->54199 54191 6c7a84b9 ctype 101 API calls 54192 6c775ee2 54191->54192 54193 6c7c8f0e ctype RtlFreeHeap 54192->54193 54194 6c775eed 54193->54194 54195 6c7c8f0e ctype RtlFreeHeap 54194->54195 54196 6c775ef8 54195->54196 54197 6c7c8f0e ctype RtlFreeHeap 54196->54197 54198 6c775f03 ctype 54197->54198 54198->54137 54200 6c7a8a15 ctype 67 API calls 54199->54200 54201 6c775ec4 54200->54201 54202 6c7a8a15 54201->54202 54203 6c7a8a2a 54202->54203 54204 6c7a8a6d 54203->54204 54207 6c7a8a3d 54203->54207 54205 6c7c8e8c ctype KiUserExceptionDispatcher 54204->54205 54206 6c7a8a77 ctype 54205->54206 54212 6c7afeb7 67 API calls 3 library calls 54206->54212 54207->54206 54208 6c7a8a5b 54207->54208 54209 6c7c8eab std::bad_exception::bad_exception 67 API calls 54208->54209 54211 6c775ed9 54209->54211 54211->54191 54212->54211 54213->54146 54219 6c774fd5 54214->54219 54217 6c7a833e 
ctype 110 API calls 54218 6c774f56 54217->54218 54218->54153 54223 6c774ffd 54219->54223 54220 6c775001 54221 6c7cb091 __NMSG_WRITE 5 API calls 54220->54221 54222 6c774eb2 54221->54222 54222->54217 54223->54220 54224 6c775085 GetSystemMetrics 54223->54224 54224->54220 54226 6c775755 54225->54226 54227 6c77573b GetProcAddress 54225->54227 54230 6c775847 110 API calls 2 library calls 54226->54230 54228 6c77574e GetSystemInfo 54227->54228 54229 6c77574b 54227->54229 54228->54226 54229->54228 54230->54158 54232 6c777887 __EH_prolog3 54231->54232 54233 6c777938 ctype 54232->54233 54234 6c77789e RegOpenKeyExW 54232->54234 54233->54081 54235 6c7778c2 RegQueryValueExW RegCloseKey 54234->54235 54236 6c777908 SHGetFolderPathW 54234->54236 54235->54236 54239 6c7778ef GetFileAttributesW 54235->54239 54237 6c77793e 54236->54237 54238 6c77791d 54236->54238 54263 6c775d3f 54237->54263 54254 6c7cb8ad 54238->54254 54239->54236 54241 6c777900 54239->54241 54241->54233 54243 6c777930 GetFileAttributesW 54243->54233 54243->54237 54245 6c77795e 54276 6c7a8e8b 54245->54276 54248 6c7c8f0e ctype RtlFreeHeap 54249 6c77797c 54248->54249 54250 6c7cb927 __NMSG_WRITE 66 API calls 54249->54250 54251 6c777986 GetFileAttributesW 54250->54251 54252 6c777991 54251->54252 54253 6c7c8f0e ctype RtlFreeHeap 54252->54253 54253->54233 54255 6c7cb8c2 54254->54255 54258 6c7cb8bb 54254->54258 54282 6c7cbd29 66 API calls __getptd_noexit 54255->54282 54257 6c7cb8c7 54283 6c7cecf4 11 API calls _memcpy_s 54257->54283 54258->54255 54261 6c7cb8f7 54258->54261 54260 6c777929 54260->54237 54260->54243 54261->54260 54284 6c7cbd29 66 API calls __getptd_noexit 54261->54284 54264 6c775d4b __EH_prolog3 54263->54264 54265 6c775d8c GetModuleFileNameW 54264->54265 54267 6c7c8d3a ctype 70 API calls 54264->54267 54285 6c7c8afc 54265->54285 54269 6c775d89 54267->54269 54269->54265 54270 6c7a833e ctype 110 API calls 54271 6c775dad 54270->54271 54290 6c7a8f73 54271->54290 54274 6c7c8f0e ctype RtlFreeHeap 54275 6c775dc0 ctype 
54274->54275 54275->54245 54277 6c7a8ea9 54276->54277 54278 6c7a8eb0 PathCombineW 54276->54278 54280 6c7c8d3a ctype 70 API calls 54277->54280 54279 6c7c8afc ctype KiUserExceptionDispatcher 54278->54279 54281 6c777971 54279->54281 54280->54278 54281->54248 54282->54257 54283->54260 54284->54257 54286 6c7c8b01 _wcsnlen 54285->54286 54287 6c775da4 54286->54287 54288 6c7c8e8c ctype KiUserExceptionDispatcher 54286->54288 54287->54270 54289 6c7c8b34 54288->54289 54291 6c7c8d91 ctype 70 API calls 54290->54291 54292 6c7a8f83 PathRemoveFileSpecW 54291->54292 54293 6c7c8afc ctype KiUserExceptionDispatcher 54292->54293 54294 6c775db8 54293->54294 54294->54274 54299 6c773c8f 54295->54299 54297 6c7744a0 54297->54087 54298->54090 54300 6c773c9b __EH_prolog3 54299->54300 54301 6c7a833e ctype 110 API calls 54300->54301 54302 6c773cb7 54301->54302 54303 6c7c8e54 ctype KiUserExceptionDispatcher 54302->54303 54304 6c773cca 54303->54304 54305 6c773a16 ctype 111 API calls 54304->54305 54306 6c773cdd 54305->54306 54307 6c7a89f0 ctype 67 API calls 54306->54307 54341 6c773ded 54306->54341 54309 6c773cfe 54307->54309 54308 6c7c8f0e ctype RtlFreeHeap 54310 6c773e36 ctype 54308->54310 54311 6c7a84b9 ctype 101 API calls 54309->54311 54310->54297 54312 6c773d07 54311->54312 54313 6c7c8f0e ctype RtlFreeHeap 54312->54313 54314 6c773d16 54313->54314 54342 6c7a8989 54314->54342 54318 6c773d29 ctype 54319 6c7c8f0e ctype RtlFreeHeap 54318->54319 54320 6c773d48 54319->54320 54321 6c773d50 54320->54321 54325 6c773def _wcspbrk 54320->54325 54322 6c7a89f0 ctype 67 API calls 54321->54322 54323 6c773d5e 54322->54323 54324 6c7a84b9 ctype 101 API calls 54323->54324 54326 6c773d67 54324->54326 54328 6c7a8aed ctype 67 API calls 54325->54328 54325->54341 54327 6c7c8f0e ctype RtlFreeHeap 54326->54327 54333 6c773d76 ctype 54327->54333 54329 6c773e17 54328->54329 54330 6c7a84b9 ctype 101 API calls 54329->54330 54331 6c773e20 54330->54331 54332 6c7c8f0e ctype RtlFreeHeap 54331->54332 54332->54341 54334 6c7a8aed 
ctype 67 API calls 54333->54334 54333->54341 54335 6c773dc5 54334->54335 54336 6c7a84b9 ctype 101 API calls 54335->54336 54337 6c773dce 54336->54337 54338 6c7c8f0e ctype RtlFreeHeap 54337->54338 54339 6c773ddd 54338->54339 54360 6c7a8636 54339->54360 54341->54308 54370 6c7a8931 54342->54370 54345 6c7a8992 54346 6c7a89a9 54345->54346 54378 6c7cc49f 54345->54378 54347 6c7c8d91 ctype 70 API calls 54346->54347 54352 6c773d1d 54346->54352 54348 6c7a89bc 54347->54348 54381 6c7c7942 67 API calls 2 library calls 54348->54381 54350 6c7a89d9 54351 6c7c8dcd ctype 101 API calls 54350->54351 54351->54352 54353 6c7a8aed 54352->54353 54354 6c7a8b02 54353->54354 54355 6c7a8b0b 54354->54355 54357 6c7a8b1a ctype 54354->54357 54356 6c7c8eab std::bad_exception::bad_exception 67 API calls 54355->54356 54358 6c7a8b13 54356->54358 54387 6c7afeb7 67 API calls 3 library calls 54357->54387 54358->54318 54362 6c7a8646 ctype 54360->54362 54361 6c7a8780 54361->54341 54362->54361 54363 6c7c8d91 ctype 70 API calls 54362->54363 54368 6c7a86d1 ctype 54363->54368 54364 6c7a8776 54365 6c7c8dcd ctype 101 API calls 54364->54365 54365->54361 54367 6c7cb1f3 _memcpy_s 66 API calls 54367->54368 54368->54364 54368->54367 54388 6c7c7942 67 API calls 2 library calls 54368->54388 54389 6c7c896e 54368->54389 54371 6c7a897e 54370->54371 54372 6c7a8944 54370->54372 54371->54345 54373 6c7cc49f ctype GetStringTypeW 54372->54373 54374 6c7a8967 54372->54374 54373->54372 54374->54371 54375 6c7c8d91 ctype 70 API calls 54374->54375 54376 6c7a8975 54375->54376 54377 6c7c8dcd ctype 101 API calls 54376->54377 54377->54371 54382 6c7d094f 54378->54382 54380 6c7cc4ae 54380->54345 54381->54350 54383 6c7d0964 54382->54383 54384 6c7d0960 54382->54384 54385 6c7d097f GetStringTypeW 54383->54385 54386 6c7d096f 54383->54386 54384->54380 54385->54386 54386->54380 54387->54358 54388->54368 54390 6c7c899e 54389->54390 54391 6c7c8972 54389->54391 54390->54368 54391->54390 54392 6c7c8e8c ctype KiUserExceptionDispatcher 54391->54392 
54392->54391 54394 6c77383d 54393->54394 54395 6c773858 GetCommandLineW 54393->54395 55024 6c7cb1d7 76 API calls __cinit 54394->55024 54395->53985 54398 6c773a16 ctype 111 API calls 54397->54398 54399 6c774285 54398->54399 54400 6c773a16 ctype 111 API calls 54399->54400 54403 6c7742a7 54399->54403 54401 6c774296 54400->54401 54402 6c773a16 ctype 111 API calls 54401->54402 54401->54403 54402->54403 54403->53989 54404 6c7a72e4 54403->54404 54405 6c7a72f0 __EH_prolog3_catch 54404->54405 54406 6c7743c4 112 API calls 54405->54406 54407 6c7a731e 54406->54407 54408 6c7a833e ctype 110 API calls 54407->54408 54409 6c7a732d 54408->54409 54410 6c7a84b9 ctype 101 API calls 54409->54410 54411 6c7a733c 54410->54411 54412 6c7c8f0e ctype RtlFreeHeap 54411->54412 54413 6c7a7347 54412->54413 54414 6c7c8f0e ctype RtlFreeHeap 54413->54414 54415 6c7a7356 54414->54415 55025 6c7a8ed0 54415->55025 54417 6c7a7362 55036 6c7a8901 54417->55036 54420 6c7c8eab std::bad_exception::bad_exception 67 API calls 54421 6c7a7375 54420->54421 54422 6c7c8f0e ctype RtlFreeHeap 54421->54422 54423 6c7a738a 54422->54423 54424 6c7a85bc ctype KiUserExceptionDispatcher 54423->54424 54425 6c7a739a 54424->54425 54426 6c7a739e 54425->54426 54427 6c7a73dd 54425->54427 54429 6c7cc0aa ctype 77 API calls 54426->54429 54428 6c7a85bc ctype KiUserExceptionDispatcher 54427->54428 54430 6c7a73eb 54428->54430 54431 6c7a73a5 54429->54431 54432 6c7a7448 54430->54432 54434 6c7a85bc ctype KiUserExceptionDispatcher 54430->54434 54433 6c7a73bd 54431->54433 55056 6c7a3b2b 54431->55056 54435 6c7cc0aa ctype 77 API calls 54432->54435 54441 6c7c8f0e ctype RtlFreeHeap 54433->54441 54437 6c7a73fd 54434->54437 54440 6c7a744f 54435->54440 54437->54432 54438 6c7a7401 54437->54438 54442 6c7a740a 54438->54442 54443 6c7a7437 54438->54443 54439 6c7a747c 54439->54433 54448 6c7c8f0e ctype RtlFreeHeap 54439->54448 54440->54439 54444 6c7743c4 112 API calls 54440->54444 54458 6c7a73cb 54441->54458 54446 6c7cc0aa ctype 77 API calls 54442->54446 
calls 62381->62382 62383 6c7baed6 62382->62383 62384 6c7c60c6 ctype 119 API calls 62383->62384 62385 6c7baee7 62384->62385 62386 6c7c8f0e ctype RtlFreeHeap 62385->62386 62387 6c7baef6 62386->62387 62388 6c7ab331 ctype KiUserExceptionDispatcher 62387->62388 62393 6c7baf02 62388->62393 62389 6c7bb02d LeaveCriticalSection 62390 6c7c8f0e ctype RtlFreeHeap 62389->62390 62392 6c7bb041 62390->62392 62391 6c7bb05f 62413 6c7c78c8 RaiseException 62391->62413 62395 6c7c8f0e ctype RtlFreeHeap 62392->62395 62393->62389 62393->62391 62400 6c77c1f5 ctype KiUserExceptionDispatcher 62393->62400 62397 6c7bb04c 62395->62397 62396 6c7bb064 62398 6c7c8f0e ctype RtlFreeHeap 62397->62398 62399 6c7bb057 ctype 62398->62399 62399->62323 62401 6c7baf97 ctype 62400->62401 62402 6c7baff7 62401->62402 62411 6c7c6c1a 75 API calls ctype 62401->62411 62403 6c7c8f0e ctype RtlFreeHeap 62402->62403 62405 6c7bb006 62403->62405 62405->62391 62406 6c7bb00b 62405->62406 62407 6c7c8f0e ctype RtlFreeHeap 62406->62407 62409 6c7bb01f ctype 62406->62409 62407->62409 62412 6c7bccb2 72 API calls 2 library calls 62409->62412 62410->62381 62411->62402 62412->62389 62413->62396 62417 6c79b924 __EH_prolog3 62416->62417 62418 6c79b978 62417->62418 62420 6c7ab331 ctype KiUserExceptionDispatcher 62417->62420 62419 6c7a833e ctype 110 API calls 62418->62419 62421 6c79b971 62419->62421 62424 6c79b93f 62420->62424 62422 6c7c8f0e ctype RtlFreeHeap 62421->62422 62423 6c79b998 ctype 62422->62423 62423->62108 62424->62418 62425 6c79b973 62424->62425 62426 6c79b961 62424->62426 62435 6c7c78c8 RaiseException 62425->62435 62434 6c7959aa 67 API calls std::bad_exception::bad_exception 62426->62434 62429->62139 62430->62149 62431->62142 62432->62175 62433->62124 62434->62421 62435->62418

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                APIs
                                                • CloseHandle.KERNEL32(?,6C76897C,6C7BC7F9,?,?,?,?,00000001), ref: 6C7BE4BD
                                                • _free.LIBCMT ref: 6C7BE4D2
                                                • GetLastError.KERNEL32 ref: 6C7BE69B
                                                • __aulldiv.LIBCMT ref: 6C7BE80E
                                                  • Part of subcall function 6C7B19C7: __recalloc.LIBCMT ref: 6C7B1A05
                                                • SysFreeString.OLEAUT32(?), ref: 6C7BEB2B
                                                • _free.LIBCMT ref: 6C7BF562
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • PathCompactPathExW.SHLWAPI(00000000,00000010,0000003C,00000000), ref: 6C7BECA7
                                                  • Part of subcall function 6C7C8AFC: _wcsnlen.LIBCMT ref: 6C7C8B0C
                                                  • Part of subcall function 6C7AFF21: _wcsnlen.LIBCMT ref: 6C7AFF54
                                                  • Part of subcall function 6C7AFF21: _memcpy_s.LIBCMT ref: 6C7AFF8A
                                                  • Part of subcall function 6C7C8EAB: _memcpy_s.LIBCMT ref: 6C7C8EFC
                                                  • Part of subcall function 6C7A8F9E: PathStripPathW.SHLWAPI(00000000,?,?,6C7BF516), ref: 6C7A8FAE
                                                  • Part of subcall function 6C7BADDA: __EH_prolog3.LIBCMT ref: 6C7BADE1
                                                  • Part of subcall function 6C7BADDA: EnterCriticalSection.KERNEL32(00000001,00000014,6C7BF80F,00000000,00000002,00000007,00000000,6C7AFA6E,.tmp,?,00000000,00000000,00000018,6C7BF3FD,?), ref: 6C7BADED
                                                  • Part of subcall function 6C7BADDA: LeaveCriticalSection.KERNEL32(00000000,-00000960,?,-00000960,00000000,-00000960,?,00000001,00000001), ref: 6C7BAE8A
                                                  • Part of subcall function 6C7A8C7A: __EH_prolog3.LIBCMT ref: 6C7A8C81
                                                  • Part of subcall function 6C7AAF7D: __EH_prolog3.LIBCMT ref: 6C7AAF84
                                                Strings
                                                • Package Files, xrefs: 6C7BEA21, 6C7BEA26, 6C7BEA83
                                                • ", xrefs: 6C7BF042
                                                • ://, xrefs: 6C7BF09D
                                                • Downloading , xrefs: 6C7BF184
                                                • Failed to record SKU, xrefs: 6C7BE6B5
                                                • Copy of package file to download location failed with error code: 0x%x - %s , xrefs: 6C7BEB11
                                                • Downloading and/or Verifying Items, xrefs: 6C7BE583
                                                • 6, xrefs: 6C7BF450
                                                • to , xrefs: 6C7BF1A2
                                                • Verifying Digital Signatures: , xrefs: 6C7BEC4B
                                                • Failed to verify and authenticate the file -%s, xrefs: 6C7BEEB5
                                                • complete, xrefs: 6C7BE544
                                                • Success, xrefs: 6C7BED79
                                                • Please delete the file, %s and run the package again, xrefs: 6C7BEED8
                                                • 2, xrefs: 6C7BF1CD
                                                • Item %s's download size has not been set or is set to zero. This means no space will be allocated for this item's verification on , xrefs: 6C7BE7F4
                                                • Action, xrefs: 6C7BE564, 6C7BE569, 6C7BE598
                                                • Item %s's download size has not been set or is set to zero. This means no space will be allocated for this item's download on the , xrefs: 6C7BE936
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3Path$CriticalSection_free_memcpy_s_wcsnlen$CloseCompactEnterErrorFreeHandleLastLeaveStringStrip__aulldiv__recalloc
                                                • String ID: Success$ complete$ to $"$2$6$://$Action$Copy of package file to download location failed with error code: 0x%x - %s $Downloading $Downloading and/or Verifying Items$Failed to record SKU$Failed to verify and authenticate the file -%s$Item %s's download size has not been set or is set to zero. This means no space will be allocated for this item's download on the $Item %s's download size has not been set or is set to zero. This means no space will be allocated for this item's verification on $Package Files$Please delete the file, %s and run the package again$Verifying Digital Signatures:
                                                • API String ID: 1652209462-1323978009
                                                • Opcode ID: b4c93bbfd49da5719efc097143d93408d603021ebfb43e2b5e2dce80989f211b
                                                • Instruction ID: 7a97571aa509a3f47d67812d0a97a85161e6ece92d08c84acd2041fdce1b36ad
                                                • Opcode Fuzzy Hash: b4c93bbfd49da5719efc097143d93408d603021ebfb43e2b5e2dce80989f211b
                                                • Instruction Fuzzy Hash: 75B24A312083819FD720CF68C988B9ABBE5BF89318F044A5DF5A9977A1D770D909CB53
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 6C7B0C9B
                                                • GetModuleHandleW.KERNEL32(kernel32.dll,0000029C,6C7AA587,?,6C76A794,?,-00000960,?,00000000,?,Failed to record current state name), ref: 6C7B0CAD
                                                • GetLastError.KERNEL32(?,Failed to record OSFullBuildNumber), ref: 6C7B0CCC
                                                  • Part of subcall function 6C7B1236: __EH_prolog3.LIBCMT ref: 6C7B123D
                                                • GetNativeSystemInfo.KERNEL32(?), ref: 6C7B0D21
                                                • GetLastError.KERNEL32(?,00000000,?,Failed to record OSFullBuildNumber,000001C5,00000000), ref: 6C7B0DB2
                                                • GetLastError.KERNEL32(?,00000000,?,Failed to record OSAbbr,?,00000000,?,Failed to record OSFullBuildNumber,000001C5,00000000), ref: 6C7B0E38
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$H_prolog3$H_prolog3_HandleInfoModuleNativeSystem
                                                • String ID: Failed to record OSAbbr$Failed to record OSComplete$Failed to record OSFullBuildNumber$Failed to record OsSpLevel$Failed to record SystemLocale$Failed to record WindowsInstallerVersion$GetNativeSystemInfo$kernel32.dll
                                                • API String ID: 684166175-3561000745
                                                • Opcode ID: f1daba9804223d4fd70acf94346b339dd40aa4326ac116691ffce13367ac8ac2
                                                • Instruction ID: 0ae34ab4b5386965d9639aa3427abd06f3125df05d26002665b7dfb11667d735
                                                • Opcode Fuzzy Hash: f1daba9804223d4fd70acf94346b339dd40aa4326ac116691ffce13367ac8ac2
                                                • Instruction Fuzzy Hash: 1BA1B371A00659AFDB20EBA4CF4CBCDB7B9AF45309F1045D4A404F7A80DB74EA898B61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B17D8
                                                • CryptQueryObject.CRYPT32(00000001,00000000,00000400,0000000E,00000000,00000000,00000000,00000000,?,6C7AFA6E,00000000,00000034,6C7ABAB6,?,-00000960), ref: 6C7B1820
                                                • GetLastError.KERNEL32(?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6C7981F1,?,00000054,6C7C2CE1), ref: 6C7B182B
                                                • CertCloseStore.CRYPT32(?,00000000), ref: 6C7B1915
                                                • CryptMsgClose.CRYPT32(6C7AFA6E), ref: 6C7B1926
                                                • GetLastError.KERNEL32(?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6C7981F1,?,00000054,6C7C2CE1), ref: 6C7B195A
                                                • CertFreeCertificateContext.CRYPT32(00000000), ref: 6C7B198F
                                                • CertCloseStore.CRYPT32(?,00000000), ref: 6C7B19A1
                                                • CryptMsgClose.CRYPT32(6C7AFA6E), ref: 6C7B19B2
                                                Strings
                                                • : failed to get certificate. Error: , xrefs: 6C7B1891
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Close$CertCrypt$ErrorLastStore$CertificateContextFreeH_prolog3ObjectQuery
                                                • String ID: : failed to get certificate. Error:
                                                • API String ID: 3710956895-1883283244
                                                • Opcode ID: 8cf58a1c83d80ad607ec25e09955d2ffb4256c5b4d5698ce61c976dda6e8d974
                                                • Instruction ID: 85d6ca49205eed41c43dbcbc75c8812842347ac854a26dc4a3deee169eaebbdf
                                                • Opcode Fuzzy Hash: 8cf58a1c83d80ad607ec25e09955d2ffb4256c5b4d5698ce61c976dda6e8d974
                                                • Instruction Fuzzy Hash: 6A512F7190018AEFDB00DFE4CA89AEEBBB5BF04318F244669E125B7690D730DA45DB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7A76AE
                                                  • Part of subcall function 6C7CC0AA: _malloc.LIBCMT ref: 6C7CC0C4
                                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000020,6C7AF845,?), ref: 6C7A7748
                                                • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 6C7A7758
                                                • SetThreadStackGuarantee.KERNEL32(00020000), ref: 6C7A776D
                                                • SetUnhandledExceptionFilter.KERNEL32(6C7B416A), ref: 6C7A7774
                                                • GetCommandLineW.KERNEL32 ref: 6C7A777A
                                                  • Part of subcall function 6C777C6E: __EH_prolog3.LIBCMT ref: 6C777C75
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$AddressCommandExceptionFilterGuaranteeHandleLineModuleProcStackThreadUnhandled_malloc
                                                • String ID: SetThreadStackGuarantee$kernel32.dll$passive
                                                • API String ID: 4088884676-825548933
                                                • Opcode ID: afda846726ce3ae191e52023d20a5ffd1398dbe60e73f193d25c397babf06d4e
                                                • Instruction ID: 6487b72b6bf41ecab031c466baededd06f4dc6a17890e0b90aadf3b7b3ade967
                                                • Opcode Fuzzy Hash: afda846726ce3ae191e52023d20a5ffd1398dbe60e73f193d25c397babf06d4e
                                                • Instruction Fuzzy Hash: 5F418EB1A017458FDB20DFB9CA8869ABBF4BB15308F60897ED0499BF11C7309649CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 6C7A7B4A
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • GetCommandLineW.KERNEL32 ref: 6C7A7BB4
                                                • _memset.LIBCMT ref: 6C7A7BF4
                                                • GetTimeZoneInformation.KERNEL32(?), ref: 6C7A7C03
                                                • GetThreadLocale.KERNEL32(00000007,?), ref: 6C7A7C3F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: CommandH_prolog3H_prolog3_InformationLineLocaleThreadTimeZone_memset
                                                • String ID: CommandLine = %s$Environment details$Initial LCID = %u$TimeZone = %s
                                                • API String ID: 1050886296-4009495903
                                                • Opcode ID: 7728865e7fd23e0af97ee26435dae558c494d52c6779189b13eda91122759f4c
                                                • Instruction ID: 808ccc7b6e80366b795c4ba901b780d1b924c8e50f3b95f06e8c8d02dd94c2ae
                                                • Opcode Fuzzy Hash: 7728865e7fd23e0af97ee26435dae558c494d52c6779189b13eda91122759f4c
                                                • Instruction Fuzzy Hash: BE312C71A00218EBDB10DBA4CD4DFCDBBB9BF04305F1446A5E108E7A91DB349A49CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 6C785B8C
                                                • _memset.LIBCMT ref: 6C785BBB
                                                  • Part of subcall function 6C7A8E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6C7B99FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6C7A8E6E
                                                • FindFirstFileW.KERNEL32(?,?,????), ref: 6C785BDA
                                                • FindNextFileW.KERNEL32(?,?), ref: 6C785CA8
                                                • FindClose.KERNEL32(?), ref: 6C785CC1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Find$File$AppendCloseFirstH_prolog3_NextPath_memset
                                                • String ID: ????
                                                • API String ID: 2365859831-1216582215
                                                • Opcode ID: 80f52c408ed526a86039f1396999d64624362223ed5ba11dbca597df8aacc1da
                                                • Instruction ID: 14f41f44e27cf84acd41dc0195b7ed0fe9ff21496ebf913b43a4f0785687a4db
                                                • Opcode Fuzzy Hash: 80f52c408ed526a86039f1396999d64624362223ed5ba11dbca597df8aacc1da
                                                • Instruction Fuzzy Hash: F131D07190521A9AEF10AFA4CE8C7DE77B8AF00359F1046E6E509E6690DB35DA88CF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C785CE8
                                                  • Part of subcall function 6C77A8CC: __EH_prolog3.LIBCMT ref: 6C77A8D3
                                                  • Part of subcall function 6C77A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A90B
                                                  • Part of subcall function 6C77A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A964
                                                  • Part of subcall function 6C77A8CC: __CxxThrowException@8.LIBCMT ref: 6C77AA28
                                                • CoInitialize.OLE32(00000000), ref: 6C785D1A
                                                • CoCreateInstance.OLE32(6C76A974,00000000,00000017,6C76A9A4,?,?,?,00000014,6C785F14,?,?,?,?,342C82DB,ParameterInfo.xml,00000000), ref: 6C785D38
                                                • CoUninitialize.OLE32(?,?,00000014,6C785F14,?,?,?,?,342C82DB,ParameterInfo.xml,00000000,?,ParameterInfo.xml,?,00000000,?), ref: 6C785DE8
                                                • SysFreeString.OLEAUT32(00000738), ref: 6C785DF1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$CreateException@8FileFreeInitializeInstanceModuleNamePathRelativeStringThrowUninitialize
                                                • String ID:
                                                • API String ID: 2737710906-0
                                                • Opcode ID: fe04d97d4b7dfdaccd636ee470c80f74a404ac3566e545137b977c6015313c99
                                                • Instruction ID: 60a4a48435c2771ec41ee2213f020f8a0606f5e27fb40203184c6950607d784e
                                                • Opcode Fuzzy Hash: fe04d97d4b7dfdaccd636ee470c80f74a404ac3566e545137b977c6015313c99
                                                • Instruction Fuzzy Hash: 90413A70A01249AFDF00CFA4CA8C9AD7BB9BF45304F6484B8E656DB641C735DA45CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C795254
                                                • _memset.LIBCMT ref: 6C79526E
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 6C795288
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 6C7952A3
                                                • FindCloseChangeNotification.KERNEL32(00000000), ref: 6C7952B7
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32_memset
                                                • String ID:
                                                • API String ID: 949835396-0
                                                • Opcode ID: a088721613a8e1876cb51f1de429bd3b4347b073ea62e753e8a5f5196b28cbeb
                                                • Instruction ID: 6b4ffa3e32fd2105c2b0f3d522a5e882e7f7eedcf1155a06dcbb4acd874be1ca
                                                • Opcode Fuzzy Hash: a088721613a8e1876cb51f1de429bd3b4347b073ea62e753e8a5f5196b28cbeb
                                                • Instruction Fuzzy Hash: EA018471601128ABCB109BA5AD8DDDE7778EB86315F9002A5E914D3280DB349E45CAA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?,6C7AFA6E,?,?,?,?,?,?,6C7B34F1,6C7AFA6E,000000FF), ref: 6C7B1637
                                                • GetLastError.KERNEL32(?,6C7AFA6E,?,?,?,?,?,?,6C7B34F1,6C7AFA6E,000000FF,?,?,00000738,6C7AFA6E,?), ref: 6C7B1647
                                                  • Part of subcall function 6C777479: __EH_prolog3.LIBCMT ref: 6C777480
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: DiskErrorFreeH_prolog3LastSpace
                                                • String ID: GetDiskFreeSpaceEx
                                                • API String ID: 3776785849-3355056173
                                                • Opcode ID: f9e58f96b0d9f4a6ea1032fb7f03b39045d774bc9f3a354d66ebffde3304c9cf
                                                • Instruction ID: eea0852b8185aed960dcf1a371cdb3dfeaa0d2e69236a7ba4737a53dc45a08f4
                                                • Opcode Fuzzy Hash: f9e58f96b0d9f4a6ea1032fb7f03b39045d774bc9f3a354d66ebffde3304c9cf
                                                • Instruction Fuzzy Hash: 120128B6A00219FB8B00DF99D9458EEBBB9EB98710F104459E905F7200D770AB09CBE0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (figure not reproduced; legend: Executed / Not Executed)
                                                APIs
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7B19C7: __recalloc.LIBCMT ref: 6C7B1A05
                                                • Sleep.KERNEL32(000003E8), ref: 6C7ADA99
                                                • GetCommandLineW.KERNEL32(?,6C76AB18), ref: 6C7ADBD9
                                                  • Part of subcall function 6C773E77: __EH_prolog3.LIBCMT ref: 6C773E7E
                                                  • Part of subcall function 6C777EE4: __EH_prolog3.LIBCMT ref: 6C777EEB
                                                • _free.LIBCMT ref: 6C7AE32B
                                                  • Part of subcall function 6C79B8A3: __EH_prolog3.LIBCMT ref: 6C79B8AA
                                                  • Part of subcall function 6C79B1FE: __EH_prolog3.LIBCMT ref: 6C79B205
                                                • _free.LIBCMT ref: 6C7AE845
                                                Strings
                                                • Other installation completed, continuing., xrefs: 6C7ADCBF
                                                • Failed to record current Item Name, xrefs: 6C7AE1A1, 6C7AE51C, 6C7AE72F
                                                • ", xrefs: 6C7AE1B6
                                                • Another installation is already running, waiting up to %i seconds for it to finish, xrefs: 6C7ADC14
                                                • Performing actions on all Items, xrefs: 6C7AD8EC
                                                • Item Failed. OnFailureBehavior for this item is not specified., xrefs: 6C7AE234
                                                • Item Requested Reboot., xrefs: 6C7AE291
                                                • complete, xrefs: 6C7AD8B6
                                                • Item ignored as it is not available and is ignorable, xrefs: 6C7ADB39
                                                • Wait for Item (, xrefs: 6C7AD9FF
                                                • Action, xrefs: 6C7AD8D0, 6C7AD8D5, 6C7AD8FB
                                                • OnFailureBehavior for this item is to Rollback., xrefs: 6C7AE5A0
                                                • User has aborted the install, exit from the wait., xrefs: 6C7AE366
                                                • Another installation is already running and the user has chosen to cancel rather than wait, xrefs: 6C7AE3BC
                                                • Created new DoNothingPerformer for File item, xrefs: 6C7ADE0B
                                                • Aborting. OnFailureBehavior for current item will be ignored., xrefs: 6C7AE80B
                                                • Another installation is already running and the user has chosen to wait for it to finish before continuing, xrefs: 6C7ADC96
                                                • OnFailureBehavior for this item is to Stop., xrefs: 6C7AE7B3
                                                • Msi Handle released., xrefs: 6C7ADCB1
                                                • Default behavior for Repair and Uninstall is to continue and report this failure., xrefs: 6C7AE23E
                                                • <, xrefs: 6C7ADBD1
                                                • , xrefs: 6C7AE145
                                                • , xrefs: 6C7AE175
                                                • ) to be available, xrefs: 6C7ADA1B
                                                • Global\_MSIExecute, xrefs: 6C7ADB97, 6C7ADC57
                                                • is now available to install, xrefs: 6C7ADAC4
                                                • Item Failed. OnFailureBehavior for this item is to Continue., xrefs: 6C7AE247
                                                • MSIBusy, xrefs: 6C7AE37F
                                                • Failed to record Current Phase (sdpFaultPhase) , xrefs: 6C7AE0F3, 6C7AE46E, 6C7AE681
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$_free$CommandLineSleep__recalloc
                                                • String ID: $ $ Item ignored as it is not available and is ignorable$ complete$ is now available to install$"$) to be available$<$Aborting. OnFailureBehavior for current item will be ignored.$Action$Another installation is already running and the user has chosen to cancel rather than wait$Another installation is already running and the user has chosen to wait for it to finish before continuing$Another installation is already running, waiting up to %i seconds for it to finish$Created new DoNothingPerformer for File item$Default behavior for Repair and Uninstall is to continue and report this failure.$Failed to record Current Phase (sdpFaultPhase) $Failed to record current Item Name$Global\_MSIExecute$Item Failed. OnFailureBehavior for this item is not specified.$Item Failed. OnFailureBehavior for this item is to Continue.$Item Requested Reboot.$MSIBusy$Msi Handle released.$OnFailureBehavior for this item is to Rollback.$OnFailureBehavior for this item is to Stop.$Other installation completed, continuing.$Performing actions on all Items$User has aborted the install, exit from the wait.$Wait for Item (
                                                • API String ID: 4092982380-977886159
                                                • Opcode ID: e03ca8429a35b881d21486a5c1375050de1d55804406069fb7d0f5bae6c27bc3
                                                • Instruction ID: 3c7e1dc6bade27820cf7dee9a5f118b2a6cf97166148fb34dc7a0ece14a5137b
                                                • Opcode Fuzzy Hash: e03ca8429a35b881d21486a5c1375050de1d55804406069fb7d0f5bae6c27bc3
                                                • Instruction Fuzzy Hash: 62A2B571208340CFD724CF64C688B9ABBE5BF89318F144A5DF9959B791CB30D949CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (figure not reproduced; legend: Executed / Not Executed)
                                                APIs
                                                • __EH_prolog3_catch.LIBCMT ref: 6C7BB39A
                                                  • Part of subcall function 6C7BD446: __EH_prolog3_catch.LIBCMT ref: 6C7BD44D
                                                  • Part of subcall function 6C7BD446: GetCommandLineW.KERNEL32(0000006C,6C7BB3B6,?,00000738,6C7AFA6E,?,6C76A794,-00000960), ref: 6C7BD48E
                                                  • Part of subcall function 6C7BD446: CoInitialize.OLE32(00000000), ref: 6C7BD4EF
                                                  • Part of subcall function 6C7BD713: CreateThread.KERNEL32(00000000,00000000,6C7C23E8,?,00000000,00000000), ref: 6C7BD729
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7B988C: __EH_prolog3.LIBCMT ref: 6C7B9893
                                                  • Part of subcall function 6C7B988C: GetCommandLineW.KERNEL32(0000002C,6C7BD52A,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C7B98B4
                                                  • Part of subcall function 6C7B988C: PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6C7B996E
                                                  • Part of subcall function 6C7A4E70: __EH_prolog3.LIBCMT ref: 6C7A4E77
                                                  • Part of subcall function 6C7A4E70: __CxxThrowException@8.LIBCMT ref: 6C7A4F68
                                                  • Part of subcall function 6C7A4E70: ReadFile.KERNEL32(?,?,00000002,?,00000000,?,80000000,00000001,00000003,00000080,00000000,?,?,?,?,0000002C), ref: 6C7A4F7E
                                                  • Part of subcall function 6C7A4E70: FindCloseChangeNotification.KERNEL32(?), ref: 6C7A4FA1
                                                  • Part of subcall function 6C77A8CC: __EH_prolog3.LIBCMT ref: 6C77A8D3
                                                  • Part of subcall function 6C77A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A90B
                                                  • Part of subcall function 6C77A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A964
                                                  • Part of subcall function 6C77A8CC: __CxxThrowException@8.LIBCMT ref: 6C77AA28
                                                  • Part of subcall function 6C7A5033: __EH_prolog3.LIBCMT ref: 6C7A503A
                                                  • Part of subcall function 6C7A5033: __CxxThrowException@8.LIBCMT ref: 6C7A50B6
                                                  • Part of subcall function 6C7A51C0: __EH_prolog3_catch.LIBCMT ref: 6C7A51C7
                                                  • Part of subcall function 6C7A51C0: CoInitialize.OLE32(00000000), ref: 6C7A51DC
                                                • SysFreeString.OLEAUT32(?), ref: 6C7BB471
                                                  • Part of subcall function 6C7BD01E: __EH_prolog3.LIBCMT ref: 6C7BD025
                                                  • Part of subcall function 6C7BD01E: PathFileExistsW.SHLWAPI(?,6C7661FC,graphics,?,00000054,6C7BB48A,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6C7BD0BE
                                                  • Part of subcall function 6C7859B8: __EH_prolog3.LIBCMT ref: 6C7859BF
                                                  • Part of subcall function 6C786083: __EH_prolog3_catch.LIBCMT ref: 6C78608A
                                                • GetCommandLineW.KERNEL32(?,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml,?,?,00000738,6C7AFA6E,?), ref: 6C7BB51F
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                  • Part of subcall function 6C77A378: __EH_prolog3.LIBCMT ref: 6C77A37F
                                                • __CxxThrowException@8.LIBCMT ref: 6C7BB50F
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                  • Part of subcall function 6C773A16: __EH_prolog3.LIBCMT ref: 6C773A1D
                                                • GetThreadLocale.KERNEL32(?,passive,00000000), ref: 6C7BB6C8
                                                  • Part of subcall function 6C7A7889: __EH_prolog3.LIBCMT ref: 6C7A7890
                                                  • Part of subcall function 6C7A7DB0: __EH_prolog3.LIBCMT ref: 6C7A7DB7
                                                  • Part of subcall function 6C7A7C9E: __EH_prolog3.LIBCMT ref: 6C7A7CA5
                                                  • Part of subcall function 6C7A7E78: __EH_prolog3.LIBCMT ref: 6C7A7E7F
                                                  • Part of subcall function 6C7743C4: __EH_prolog3.LIBCMT ref: 6C7743CB
                                                  • Part of subcall function 6C775E41: __EH_prolog3.LIBCMT ref: 6C775E48
                                                  • Part of subcall function 6C775E41: PathFindFileNameW.SHLWAPI(?,?,?,0000000C,6C775E13,?,6C7A831D,?,0000000C,6C777D3D,?,00000000,?,?,6C76AB18,00000008), ref: 6C775E83
                                                  • Part of subcall function 6C775E41: PathFindExtensionW.SHLWAPI(?), ref: 6C775EA0
                                                  • Part of subcall function 6C7A6DCB: GetCommandLineW.KERNEL32(342C82DB,?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,?,?,00000000,?,?), ref: 6C7A6E16
                                                  • Part of subcall function 6C7A594B: __EH_prolog3.LIBCMT ref: 6C7A5952
                                                • CloseHandle.KERNEL32(?,?,?,?,OneInstance,?,00000000,?,ParameterInfo.xml,?,?,00000738,6C7AFA6E,?,6C76A794,-00000960), ref: 6C7BBED4
                                                  • Part of subcall function 6C7AAE4A: __EH_prolog3.LIBCMT ref: 6C7AAE51
                                                • CloseHandle.KERNEL32(?,?,00000000,?,00000001,00000007,?,OneInstance,?,?,00000000,?,?,?,?,?), ref: 6C7BBE22
                                                  • Part of subcall function 6C796F61: __EH_prolog3.LIBCMT ref: 6C796F68
                                                  • Part of subcall function 6C7ABE94: _free.LIBCMT ref: 6C7ABEBC
                                                  • Part of subcall function 6C7ABE94: _free.LIBCMT ref: 6C7ABECD
                                                • CloseHandle.KERNEL32(?), ref: 6C7BBF2E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Path$CloseCommandException@8FileH_prolog3_catchLineThrow$FindHandle$InitializeNameRelativeThread_free$ChangeCreateDispatcherExceptionExistsExtensionFreeLocaleModuleNotificationReadStringUser
                                                • String ID: !$#(loc.ids_wer_message)$%TEMP%\$Blocker$Command-line option error: $CreateFilesInUser$CreateHelpUsage$CreateUiMode$FactoryInitialization$InvalidArguments$OneInstance$PISemanticChecker$ParameterInfo.xml$Parameterinfo.xml or UiInfo.xml has a #Loc that is not defined in LocalizeData.xml $W$passive
                                                • API String ID: 1658402695-280204926
                                                • Opcode ID: c60733d599e0adca1fc2ed7d0e267937754d03fdb6e8789b44d9e65c294c6066
                                                • Instruction ID: d8b1fa1f6d4bc9225cf51b155c1f176fbd50c0aae6bc202136c616f66fa4557c
                                                • Opcode Fuzzy Hash: c60733d599e0adca1fc2ed7d0e267937754d03fdb6e8789b44d9e65c294c6066
                                                • Instruction Fuzzy Hash: D7E24A71900259DFCF11DFA8CA88ADDBBB8AF05318F148295E518B7791DB30AB49CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                • Helper item execution succeed., xrefs: 6C79B763
                                                • Delaying for Starting to delay, xrefs: 6C79B7F1
                                                • Failure, xrefs: 6C79B85A
                                                • Argument provided: , xrefs: 6C79B67E
                                                • Retry %u of %u of custom error handling, xrefs: 6C79B3BD
                                                • HelperItems not found : , xrefs: 6C79B565
                                                • Executing Helper item with the following parameters:, xrefs: 6C79B637
                                                • is mapped to Custom Error: , xrefs: 6C79B25E
                                                • HelperItem is not Exe item., xrefs: 6C79B5B7
                                                • Retry, xrefs: 6C79B2BD
                                                • No CustomError defined for this item., xrefs: 6C79B218
                                                • New custom error, add to the map, xrefs: 6C79B347
                                                • HelperItem verification failed. Cannot run the retry helper : , xrefs: 6C79B527
                                                • Overwrite the current error to E_FAIL., xrefs: 6C79B86D
                                                • Error , xrefs: 6C79B250
                                                • Retry count over existing limit, not going to retry again., xrefs: 6C79B3E5
                                                • Delaying for %u seconds before retrying., xrefs: 6C79B7DE
                                                • Helper item execution failed., xrefs: 6C79B6FE
                                                • Overwrite the current error to S_OK., xrefs: 6C79B83B
                                                • HelperItems can't be read., xrefs: 6C79B4A6
                                                • Helper Item name: , xrefs: 6C79B64D
                                                • Existing custom error found in the map., xrefs: 6C79B374
                                                • Log File name: , xrefs: 6C79B6AF
                                                • Success, xrefs: 6C79B828
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: is mapped to Custom Error: $Argument provided: $Delaying for %u seconds before retrying.$Delaying for Starting to delay$Error $Executing Helper item with the following parameters:$Existing custom error found in the map.$Failure$Helper Item name: $Helper item execution failed.$Helper item execution succeed.$HelperItem is not Exe item.$HelperItem verification failed. Cannot run the retry helper : $HelperItems can't be read.$HelperItems not found : $Log File name: $New custom error, add to the map$No CustomError defined for this item.$Overwrite the current error to E_FAIL.$Overwrite the current error to S_OK.$Retry$Retry %u of %u of custom error handling$Retry count over existing limit, not going to retry again.$Success
                                                • API String ID: 431132790-3612092767
                                                • Opcode ID: fbe219f1ea3ccae02ba75fe91a7bfa96d7e91355dced65c554f6700f84e530e9
                                                • Instruction ID: f5710e661211585af0fcbc3af006f170b64ff6fa45719113b1916bf98196b708
                                                • Opcode Fuzzy Hash: fbe219f1ea3ccae02ba75fe91a7bfa96d7e91355dced65c554f6700f84e530e9
                                                • Instruction Fuzzy Hash: B922B131600249DFDB10CFA8CA89B9D7BB5BF05318F148655E924AB791CB30EA59CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 6C7B09ED
                                                  • Part of subcall function 6C775727: GetModuleHandleW.KERNEL32(kernel32.dll,?,6C775782,00000000,6C7A831D), ref: 6C775731
                                                  • Part of subcall function 6C775727: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 6C775741
                                                • GetLastError.KERNEL32 ref: 6C7B0A27
                                                • GetLastError.KERNEL32 ref: 6C7B0A82
                                                • RegOpenKeyExW.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020019,?,?,00000000,?,Failed to record NumberOfProcessor), ref: 6C7B0ADE
                                                • RegQueryValueExW.KERNEL32(?,~MHz,00000000,00000000,?,?), ref: 6C7B0B0D
                                                • RegQueryValueExW.ADVAPI32(?,~Mhz,00000000,00000000,?,?), ref: 6C7B0B2D
                                                • RegQueryValueExW.ADVAPI32(?,~mhz,00000000,00000000,?,?), ref: 6C7B0B4D
                                                • RegCloseKey.KERNEL32(?), ref: 6C7B0B55
                                                • GetLastError.KERNEL32 ref: 6C7B0B75
                                                • _memset.LIBCMT ref: 6C7B0BCC
                                                • GlobalMemoryStatusEx.KERNEL32(?,?,?,6C76A738,?,?,00000738,6C7AFA6E,?,6C76A794,-00000960), ref: 6C7B0BEA
                                                • GetLastError.KERNEL32(?,?,00000738,6C7AFA6E,?,6C76A794,-00000960), ref: 6C7B0C15
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • GetLastError.KERNEL32(?,GlobalMemoryStatusEx failed,?,?,00000738,6C7AFA6E,?,6C76A794,-00000960), ref: 6C7B0C60
                                                  • Part of subcall function 6C7B1236: __EH_prolog3.LIBCMT ref: 6C7B123D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$QueryValue$H_prolog3$AddressCloseGlobalH_prolog3_HandleMemoryModuleOpenProcStatus_memset
                                                • String ID: Failed to record CpuArchitecture$Failed to record NumberOfProcessor$Failed to record SystemMemory$GlobalMemoryStatusEx failed$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz$~Mhz$~mhz
                                                • API String ID: 2659457873-2309824155
                                                • Opcode ID: 176709611c27818c932388a41c0c248417ae234b6f4231fcd6b13ed3f087f139
                                                • Instruction ID: 0819fa7f6c24b6f9c01e37e8819cae4bd3a6e452f8b3db0e1853ba842d64979c
                                                • Opcode Fuzzy Hash: 176709611c27818c932388a41c0c248417ae234b6f4231fcd6b13ed3f087f139
                                                • Instruction Fuzzy Hash: AE817E71A00249AFDB20DFE5CE49BDEBBB9AF05314F204625E515FB690DB34DA05CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7BD025
                                                  • Part of subcall function 6C775D3F: __EH_prolog3.LIBCMT ref: 6C775D46
                                                  • Part of subcall function 6C775D3F: GetModuleFileNameW.KERNEL32(6C750000,00000010,00000104,?,6C7A831D,00000000), ref: 6C775D93
                                                  • Part of subcall function 6C7A8E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6C7B99FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6C7A8E6E
                                                • PathFileExistsW.SHLWAPI(?,6C7661FC,graphics,?,00000054,6C7BB48A,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6C7BD0BE
                                                • __CxxThrowException@8.LIBCMT ref: 6C7BD16E
                                                  • Part of subcall function 6C7A8F73: PathRemoveFileSpecW.SHLWAPI(00000000,2806C750,00000010,80004005,6C775DB8,6C7AF845,00000010,?,6C7A831D,00000000), ref: 6C7A8F84
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: FilePath$H_prolog3$AppendException@8ExistsModuleNameRemoveSpecThrow
                                                • String ID: Graphic file %s does not exists$Print.ico$Rotate1.ico$Rotate2.ico$Rotate3.ico$Rotate4.ico$Rotate5.ico$Rotate6.ico$Rotate7.ico$Rotate8.ico$Save.ico$Setup.ico$SysReqMet.ico$SysReqNotMet.ico$graphics$stop.ico$warn.ico
                                                • API String ID: 419085990-1965610755
                                                • Opcode ID: 8289d4970c9718700d09385d1688d078d75ebc2511102823bfb250b99f70d40f
                                                • Instruction ID: 3bd69211909a0473494f33d580c0acbb0f27491a3555ceed03722609cd2cd7d9
                                                • Opcode Fuzzy Hash: 8289d4970c9718700d09385d1688d078d75ebc2511102823bfb250b99f70d40f
                                                • Instruction Fuzzy Hash: 8B41F7B290025D9FCB00DFE6CA4ABDEBBB9BF04314F904559D814BBA51C7309B098BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C78A833
                                                  • Part of subcall function 6C781D3D: __EH_prolog3.LIBCMT ref: 6C781D44
                                                  • Part of subcall function 6C781D3D: __CxxThrowException@8.LIBCMT ref: 6C781E11
                                                • __CxxThrowException@8.LIBCMT ref: 6C78AD1D
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw
                                                • String ID: <$ActionTable$ApplicableIf$Compressed$Compressed items need to have URL and CompressedDownloadSize authored.$CustomErrorHandling$IsPresent$MSIOptions$MSIRepairOptions$MSIUninstallOptions$ParameterInfo.xml$ProductCode$RepairOverride$UninstallOverride$schema validation failure: MSI, AgileMSI and AgileMSP do not support RepairOverride or UninstallOverride child elements!$schema validation failure: Product Code cannot be emoty.$schema validation failure: wrong number of MSI child nodes!
                                                • API String ID: 2489616738-1903366528
                                                • Opcode ID: 79cb124968086796ba8cc710cbf35901a57c5169b086ac043ff09b1e372f5ba8
                                                • Instruction ID: 4c34a2e6e1443de971584123a8da6c0f9ff87b5811c55db3f6864ccffbc3fa7d
                                                • Opcode Fuzzy Hash: 79cb124968086796ba8cc710cbf35901a57c5169b086ac043ff09b1e372f5ba8
                                                • Instruction Fuzzy Hash: 0B423D71A05249EFDB04DFA8CA49ADE7BB8BF09318F144569F924EB780C734DA05CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8FreeStringThrow_malloc
                                                • String ID: can only have one logical or arithmietic expression for a child node$+Byl$AlwaysTrue$And$Equals$Exists$GreaterThan$GreaterThanOrEqualTo$LessThan$LessThanOrEqualTo$NeverTrue$Not$ParameterInfo.xml$schema validation failure: $schema validation failure: unknown Expression:
                                                • API String ID: 1924927865-1675388498
                                                • Opcode ID: b89c8faaf2dcb83c423a1fb96a8126a8362e0c25dbe18472d7da1562e9071254
                                                • Instruction ID: 8f105be9a77d3a00fd2f07b940bf33dc6ea9f91553a9fd1676176ceb3f7ce41d
                                                • Opcode Fuzzy Hash: b89c8faaf2dcb83c423a1fb96a8126a8362e0c25dbe18472d7da1562e9071254
                                                • Instruction Fuzzy Hash: 0102C4712083459FD700DFA8CA48B9EB7E8AF85318F144A2EF5A5D7B91DB30D9098763
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C792589
                                                  • Part of subcall function 6C7CC0AA: _malloc.LIBCMT ref: 6C7CC0C4
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • __CxxThrowException@8.LIBCMT ref: 6C792AB0
                                                  • Part of subcall function 6C7CC0AA: std::exception::exception.LIBCMT ref: 6C7CC0F9
                                                  • Part of subcall function 6C7CC0AA: std::exception::exception.LIBCMT ref: 6C7CC113
                                                  • Part of subcall function 6C7CC0AA: __CxxThrowException@8.LIBCMT ref: 6C7CC124
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Exception@8H_prolog3Throwstd::exception::exception$_malloc
                                                • String ID: ", local path $". Valid types are MSI, MSP, Exe, Patches, ServiceControl and File. Theses are case sensitive.$(not applicable)$Adding Item type "$AgileMSI$CleanupBlock$Exe$File$MSI$MSP$ParameterInfo.xml$Patches$RelatedProducts$ServiceControl$Unknown Item type "$schema validation failure: unknown Item type -
                                                • API String ID: 3439882596-1328758535
                                                • Opcode ID: b04df5acbe5077ad17b15043f3e9d87898cb182ef024db3c98230868da86bed5
                                                • Instruction ID: ccc0cff80b53f2cec8f7ffc9883860a33f3908171d63eabc9a15f1715618c0bb
                                                • Opcode Fuzzy Hash: b04df5acbe5077ad17b15043f3e9d87898cb182ef024db3c98230868da86bed5
                                                • Instruction Fuzzy Hash: 9D027271A05208AFDB00EBE8DE4CEED7BB4AF09318F144569F515E7B81DB30DA448B62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C773E7E
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A9067: __EH_prolog3.LIBCMT ref: 6C7A906E
                                                  • Part of subcall function 6C7A9067: __recalloc.LIBCMT ref: 6C7A90B0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$__recalloc
                                                • String ID: CEIPconsent$NoSetupVersionCheck$chainingpackage$createlayout$lcid$log$msioptions$norestart$parameterfolder$passive$pipe$promptrestart$repair$serialdownload$showfinalerror$uninstall$uninstallpatch
                                                • API String ID: 1900422986-634121796
                                                • Opcode ID: 5bd8de30b8a888688dea753d4019aa2f0683783fa372db86eadd8d7998e1df16
                                                • Instruction ID: d32112fe09f565c9228e1caba413ccf25f70d017bec0768376bc9620fafc10be
                                                • Opcode Fuzzy Hash: 5bd8de30b8a888688dea753d4019aa2f0683783fa372db86eadd8d7998e1df16
                                                • Instruction Fuzzy Hash: 2B910A3150428DAADB00DBF8C64CBCC7BA9AF1136CF54C646A8249BB81DB76D71D9722
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 6C7739AD: __EH_prolog3.LIBCMT ref: 6C7739B4
                                                • GetCommandLineW.KERNEL32(342C82DB,?,00000000,ParameterInfo.xml,?,?,?,00000000,?,?,?,?,ParameterInfo.xml,?,00000000,?), ref: 6C7B9D54
                                                  • Part of subcall function 6C773E77: __EH_prolog3.LIBCMT ref: 6C773E7E
                                                  • Part of subcall function 6C773A16: __EH_prolog3.LIBCMT ref: 6C773A1D
                                                • __CxxThrowException@8.LIBCMT ref: 6C7B9EBD
                                                Strings
                                                • NoSetupVersionCheck, xrefs: 6C7B9D6C
                                                • SetupVersion specified in ParameterInfo.xml has a minor version lower than the currently supported version., xrefs: 6C7B9F44
                                                • SetupVersion specified in ParameterInfo.xml has a minor version greater than the currently supported version., xrefs: 6C7B9F58
                                                • higher, xrefs: 6C7BA001, 6C7BA017
                                                • Command line switch 'NoSetupVersionCheck' found - so not performing SetupVersion check., xrefs: 6C7B9D95
                                                • SetupVersion not specified, xrefs: 6C7B9E1F
                                                • 1.0, xrefs: 6C7B9D3D, 6C7B9D42, 6C7B9ED4, 6C7B9EFB
                                                • than the currently supported version., xrefs: 6C7BA006
                                                • SetupVersion specified in ParameterInfo.xml is '%s', xrefs: 6C7B9EC3
                                                • SetupVersion specified in ParameterInfo.xml is , xrefs: 6C7BA029
                                                • ParameterInfo.xml, xrefs: 6C7B9E2E, 6C7B9F67, 6C7BA096
                                                • Current SetupVersion = %s, xrefs: 6C7B9D43
                                                • lower, xrefs: 6C7B9FFA
                                                • SetupVersion, xrefs: 6C7B9DC0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$CommandException@8LineThrow
                                                • String ID: than the currently supported version.$1.0$Command line switch 'NoSetupVersionCheck' found - so not performing SetupVersion check.$Current SetupVersion = %s$NoSetupVersionCheck$ParameterInfo.xml$SetupVersion$SetupVersion not specified$SetupVersion specified in ParameterInfo.xml has a minor version greater than the currently supported version.$SetupVersion specified in ParameterInfo.xml has a minor version lower than the currently supported version.$SetupVersion specified in ParameterInfo.xml is $SetupVersion specified in ParameterInfo.xml is '%s'$higher$lower
                                                • API String ID: 1129948358-1674238012
                                                • Opcode ID: 0d990140ce678665caa5d8cfc0b1b39c217977038ae359f66f843d36936f7396
                                                • Instruction ID: 18fcb05ce6cc211e9a473d577dad8bf21d9c1c435d61d702ad7c616001fa6e87
                                                • Opcode Fuzzy Hash: 0d990140ce678665caa5d8cfc0b1b39c217977038ae359f66f843d36936f7396
                                                • Instruction Fuzzy Hash: 3CC15F721087809FD714DB78CA48B9FBBE8AF95318F140A5DF1A197B91DB30D9098B63
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C782944
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C782677: __EH_prolog3.LIBCMT ref: 6C78267E
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                  • Part of subcall function 6C77A378: __EH_prolog3.LIBCMT ref: 6C77A37F
                                                • __CxxThrowException@8.LIBCMT ref: 6C782C00
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
                                                • String ID: 8$Blockers$ParameterInfo.xml$StopBlockers$SuccessBlockers$WarnBlockers$schema validation failure: More than 1 Stop Block defined.$schema validation failure: More than 1 Success Block defined.$schema validation failure: More than 1 Warning Block defined.$schema validation failure: Stop blockers has no child node$schema validation failure: Success blockers has no child node$schema validation failure: Warn blockers has no child node$schema validation failure: no valid child element found for 'Blockers' node.
                                                • API String ID: 3417717588-4180151753
                                                • Opcode ID: 2cabd48727cc12b86a234fdb7aaba279b966658321a0c74a4067c93ba633fad5
                                                • Instruction ID: 62658154a3aad17d01bac4db34e5f4445cceecd1f4c6b6cae0e2f9d65c26d9ab
                                                • Opcode Fuzzy Hash: 2cabd48727cc12b86a234fdb7aaba279b966658321a0c74a4067c93ba633fad5
                                                • Instruction Fuzzy Hash: 58F12071905149EBCF04DBE8CA4CADE7BB8AF15318F148169F524E7B81DB34DA09CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • __EH_prolog3_catch.LIBCMT ref: 6C7BA6BF
                                                • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 6C7BA705
                                                • K32GetModuleBaseNameW.KERNEL32(?,?,?,00000104), ref: 6C7BA732
                                                • GetLastError.KERNEL32 ref: 6C7BA739
                                                  • Part of subcall function 6C7C8AFC: _wcsnlen.LIBCMT ref: 6C7C8B0C
                                                • GetLastError.KERNEL32 ref: 6C7BA770
                                                • K32GetProcessImageFileNameW.KERNEL32(?,?,00000104,?,?,?,psapi.dll), ref: 6C7BA7F5
                                                • GetLastError.KERNEL32 ref: 6C7BA7FC
                                                • PathStripPathW.SHLWAPI(00000000), ref: 6C7BA823
                                                • FindCloseChangeNotification.KERNEL32(?), ref: 6C7BA8AD
                                                • GetLastError.KERNEL32 ref: 6C7BA8B5
                                                Strings
                                                • EnumProcessModules failed with error %u, will try GetProcessImageFileName, xrefs: 6C7BA77A
                                                • psapi.dll, xrefs: 6C7BA795
                                                • GetModuleBaseName, xrefs: 6C7BA742
                                                • GetProcessImageFileName, xrefs: 6C7BA805
                                                • OpenProcess, xrefs: 6C7BA8BE
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$NamePathProcess$BaseChangeCloseEnumFileFindH_prolog3_catchImageModuleModulesNotificationStrip_wcsnlen
                                                • String ID: EnumProcessModules failed with error %u, will try GetProcessImageFileName$GetModuleBaseName$GetProcessImageFileName$OpenProcess$psapi.dll
                                                • API String ID: 3594929559-952504876
                                                • Opcode ID: 90f5baf436d2e32c0962807561d589ab242139fd207315979eea3f90f28b7885
                                                • Instruction ID: f24a5cd7ee7aabce1d3150ae87326844b8d2a7598724a9d6b7057778eaa5245e
                                                • Opcode Fuzzy Hash: 90f5baf436d2e32c0962807561d589ab242139fd207315979eea3f90f28b7885
                                                • Instruction Fuzzy Hash: A251707160020AAFDB01EFB9CA4DA9E7BB5AF04315F004525F925E7B90DB30D9169B61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 63%
                                                			E6C3C2C9B(void* __ecx, void* __edx, void* __fp0, long _a4, long _a8) {
                                                				signed int _v8;
                                                				void _v2054;
                                                				short _v2056;
                                                				void* _v2060;
                                                				void* _v2064;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t111;
                                                				intOrPtr _t114;
                                                				long _t115;
                                                				intOrPtr _t124;
                                                				void* _t130;
                                                				void* _t132;
                                                				void* _t135;
                                                				intOrPtr _t136;
                                                				intOrPtr _t150;
                                                				intOrPtr _t152;
                                                				intOrPtr _t154;
                                                				void* _t157;
                                                				void* _t158;
                                                				intOrPtr _t159;
                                                				long _t161;
                                                				intOrPtr _t165;
                                                				void* _t184;
                                                				signed int _t185;
                                                				void* _t200;
                                                
                                                				_t200 = __fp0;
                                                				_t179 = __edx;
                                                				_t111 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t111 ^ _t185;
                                                				_t161 = _a8;
                                                				_t180 = _a4;
                                                				_t184 = __ecx;
                                                				_v2060 = 0;
                                                				_v2064 = 0;
                                                				if(_t161 != 1 ||  *((intOrPtr*)(__ecx + 0x818)) != 0) {
                                                					if( *((intOrPtr*)(_t184 + 0xc)) != 0) {
                                                						_t114 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t114 != 0x6c3e0088 && ( *(_t114 + 0x1c) & 0x00000002) != 0) {
                                                							_t59 = _t114 + 0x14; // 0x0
                                                							_t60 = _t114 + 0x10; // 0x1
                                                							E6C3D5F11( *_t60,  *_t59, 0x46, E6C3C27B0);
                                                						}
                                                						L10:
                                                						_t115 = 0;
                                                						goto L11;
                                                					}
                                                					if(_t180 != 0) {
                                                						_v2056 = 0;
                                                						memset( &_v2054, 0, 0x7fe);
                                                						if(E6C3C18E5( &_v2056, 0x400, L"Local\\SqmData_%s", _t180) < 0) {
                                                							_t165 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t165 != 0x6c3e0088 && ( *(_t165 + 0x1c) & 0x00000001) != 0) {
                                                								_t64 = _t165 + 0x14; // 0x0
                                                								_t65 = _t165 + 0x10; // 0x1
                                                								E6C3D99F8( *_t65,  *_t64, 0x47, E6C3C27B0, _t121);
                                                							}
                                                							_t180 = 0x80080057;
                                                							L59:
                                                							if( *(_t184 + 8) == 0) {
                                                								if(_v2060 != 0 && VirtualFree(_v2060, 0, 0x8000) == 0) {
                                                									_t124 =  *0x6c3e0088; // 0x6c3e0088
                                                									if(_t124 != 0x6c3e0088 && ( *(_t124 + 0x1c) & 0x00000001) != 0) {
                                                										_t107 = _t124 + 0x14; // 0x0
                                                										_t108 = _t124 + 0x10; // 0x1
                                                										E6C3D5F11( *_t108,  *_t107, 0x4f, E6C3C27B0);
                                                									}
                                                								}
                                                							} else {
                                                								if(_v2060 != 0) {
                                                									UnmapViewOfFile(_v2060);
                                                								}
                                                								CloseHandle( *(_t184 + 8));
                                                								 *(_t184 + 8) =  *(_t184 + 8) & 0x00000000;
                                                							}
                                                							 *(_t184 + 4) =  *(_t184 + 4) & 0x00000000;
                                                							_t115 = _t180;
                                                							goto L11;
                                                						}
                                                						_t180 = 0xf001f;
                                                						_t130 = OpenFileMappingW(0xf001f, 0,  &_v2056);
                                                						 *(_t184 + 8) = _t130;
                                                						if(_t130 != 0) {
                                                							if(_t161 != 0) {
                                                								_t152 =  *0x6c3e0088; // 0x6c3e0088
                                                								if(_t152 != 0x6c3e0088 && ( *(_t152 + 0x1c) & 0x00000001) != 0) {
                                                									_t69 = _t152 + 0x14; // 0x0
                                                									_t70 = _t152 + 0x10; // 0x1
                                                									E6C3D5F11( *_t70,  *_t69, 0x48, E6C3C27B0);
                                                								}
                                                							}
                                                							L17:
                                                							_t132 = MapViewOfFile( *(_t184 + 8), _t180, 0, 0, 0);
                                                							_v2060 = _t132;
                                                							if(_t132 != 0) {
                                                								L7:
                                                								 *(_t184 + 4) = _v2060;
                                                								if(_v2064 == 0) {
                                                									goto L10;
                                                								}
                                                								_t180 = 0x3f8;
                                                								_t161 = E6C3C2A40(_t179, _t200, 0x3f8, 0);
                                                								_t135 = VirtualAlloc( *(_t184 + 4), _t161, 0x1000, 4); // executed
                                                								if(_t135 == 0) {
                                                									_t136 =  *0x6c3e0088; // 0x6c3e0088
                                                									if(_t136 == 0x6c3e0088 || ( *(_t136 + 0x1c) & 0x00000001) == 0) {
                                                										L38:
                                                										if(GetLastError() > 0) {
                                                											_t180 = GetLastError() & 0x1000ffff | 0x80080000;
                                                										} else {
                                                											_t180 = GetLastError();
                                                										}
                                                										goto L59;
                                                									} else {
                                                										_push(_t161);
                                                										_push(E6C3C27B0);
                                                										_push(0x4e);
                                                										L49:
                                                										_t86 = _t136 + 0x14; // 0x0
                                                										_push( *_t86);
                                                										_t87 = _t136 + 0x10; // 0x1
                                                										_push( *_t87);
                                                										E6C3D99F8();
                                                										goto L38;
                                                									}
                                                								} else {
                                                									 *((intOrPtr*)( *(_t184 + 4) + 0x8c)) = E6C3C2DE9(_t184,  *(_t184 + 4) + 0x3f8);
                                                									 *((intOrPtr*)( *(_t184 + 4) + 0x90)) = E6C3C2DE9(_t184,  *(_t184 + 4) + _t161);
                                                									 *((intOrPtr*)( *(_t184 + 4) + 0x78)) = 1;
                                                									 *((intOrPtr*)( *(_t184 + 4) + 0x80)) = 1;
                                                									_t179 =  *(_t184 + 4);
                                                									 *((intOrPtr*)( *(_t184 + 4) + 0x6c)) = (0 |  *((intOrPtr*)(_t184 + 0x834)) != 0x00000000) + (0 |  *((intOrPtr*)(_t184 + 0x834)) != 0x00000000) + 2;
                                                									 *( *(_t184 + 4)) = 0x4d51534d;
                                                									 *((intOrPtr*)( *(_t184 + 4) + 4)) = 0x78;
                                                									 *((intOrPtr*)( *(_t184 + 4) + 0x10)) = 0;
                                                									 *((intOrPtr*)( *(_t184 + 4) + 0x14)) = 0;
                                                									goto L10;
                                                								}
                                                							}
                                                							_t150 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t150 != 0x6c3e0088 && ( *(_t150 + 0x1c) & 0x00000001) != 0) {
                                                								_push(E6C3C27B0);
                                                								_push(0x4b);
                                                								L37:
                                                								_t74 = _t150 + 0x14; // 0x0
                                                								_push( *_t74);
                                                								_t75 = _t150 + 0x10; // 0x1
                                                								_push( *_t75);
                                                								E6C3D5F11();
                                                							}
                                                							goto L38;
                                                						}
                                                						if(_t161 == 0) {
                                                							_t154 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t154 == 0x6c3e0088 || ( *(_t154 + 0x1c) & 0x00000001) == 0) {
                                                								L58:
                                                								_t180 = 0x90080106;
                                                								goto L59;
                                                							} else {
                                                								_push(E6C3C27B0);
                                                								_push(0x4a);
                                                								L57:
                                                								_t94 = _t154 + 0x14; // 0x0
                                                								_push( *_t94);
                                                								_t95 = _t154 + 0x10; // 0x1
                                                								_push( *_t95);
                                                								E6C3D5F11();
                                                								goto L58;
                                                							}
                                                						}
                                                						_t157 = CreateFileMappingW(0xffffffff, 0, 0x4000004, 0,  *(_t184 + 0x818),  &_v2056);
                                                						 *(_t184 + 8) = _t157;
                                                						if(_t157 == 0) {
                                                							_t150 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t150 == 0x6c3e0088 || ( *(_t150 + 0x1c) & 0x00000001) == 0) {
                                                								goto L38;
                                                							} else {
                                                								_push(E6C3C27B0);
                                                								_push(0x49);
                                                								goto L37;
                                                							}
                                                						} else {
                                                							_v2064 = 1;
                                                							goto L17;
                                                						}
                                                					}
                                                					if(_t161 == 0) {
                                                						_t154 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t154 == 0x6c3e0088 || ( *(_t154 + 0x1c) & 0x00000001) == 0) {
                                                							goto L58;
                                                						} else {
                                                							_push(E6C3C27B0);
                                                							_push(0x4d);
                                                							goto L57;
                                                						}
                                                					}
                                                					_t158 = VirtualAlloc(0,  *(_t184 + 0x818), 0x2000, 4); // executed
                                                					_v2060 = _t158;
                                                					if(_t158 == 0) {
                                                						_t136 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t136 == 0x6c3e0088 || ( *(_t136 + 0x1c) & 0x00000001) == 0) {
                                                							goto L38;
                                                						} else {
                                                							_push( *(_t184 + 0x818));
                                                							_push(E6C3C27B0);
                                                							_push(0x4c);
                                                							goto L49;
                                                						}
                                                					} else {
                                                						_v2064 = 1;
                                                						goto L7;
                                                					}
                                                				} else {
                                                					L19:
                                                					_t159 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t159 != 0x6c3e0088 && ( *(_t159 + 0x1c) & _t161) != 0) {
                                                						_t54 = _t159 + 0x14; // 0x0
                                                						_t55 = _t159 + 0x10; // 0x1
                                                						E6C3D5F11( *_t55,  *_t54, 0x45, E6C3C27B0);
                                                					}
                                                					_t115 = 0x80080057;
                                                					L11:
                                                					return E6C3C171F(_t115, _t161, _v8 ^ _t185, _t179, _t180, _t184);
                                                				}
                                                			}






























                                                0x6c3c2d09
                                                0x6c3c2d0f
                                                0x6c3d15a7
                                                0x6c3d15b1
                                                0x00000000
                                                0x6c3d15b9
                                                0x6c3d15b9
                                                0x6c3d15bf
                                                0x6c3d15c4
                                                0x00000000
                                                0x6c3d15c4
                                                0x6c3c2d15
                                                0x6c3c2d15
                                                0x00000000
                                                0x6c3c2d15
                                                0x6c3d1464
                                                0x6c3d1464
                                                0x6c3d1464
                                                0x6c3d146e
                                                0x6c3d147c
                                                0x6c3d147f
                                                0x6c3d1482
                                                0x6c3d1482
                                                0x6c3d1487
                                                0x6c3c2dd3
                                                0x6c3c2de1
                                                0x6c3c2de1

                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,6C3C27B0,00000000,6C3E0088), ref: 6C3C2D01
                                                • VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,000003F8,00000000,?,?,?,?,6C3C27B0,00000000,6C3E0088), ref: 6C3C2D4F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID: Fm*$Local\SqmData_%s
                                                • API String ID: 4275171209-2080956502
                                                • Opcode ID: fbb32fa1ac463186bd6d03a3faf7172f3d405df22d2016fe019e439be64204c8
                                                • Instruction ID: fdce8fed4eb591ed3d2f7e1989ee3eb59c00b04713f275f734170be4c0f47cbe
                                                • Opcode Fuzzy Hash: fbb32fa1ac463186bd6d03a3faf7172f3d405df22d2016fe019e439be64204c8
                                                • Instruction Fuzzy Hash: A7B1D1712002009FDB908F24CD88F9937F9BB04358F2184A9E959DBAA1DF76FC889F51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 6C7981B3
                                                  • Part of subcall function 6C7ABA3B: __EH_prolog3.LIBCMT ref: 6C7ABA42
                                                • GetFileSize.KERNEL32(?,00000000,?,80000000,00000001,00000003,00000080,00000000), ref: 6C7982BD
                                                • CloseHandle.KERNEL32(?), ref: 6C7983EA
                                                  • Part of subcall function 6C7A8CD5: __EH_prolog3.LIBCMT ref: 6C7A8CDC
                                                Strings
                                                • Signature verification failed. Trying to verify hash , xrefs: 6C798221
                                                • Hash verification succeeded but file size can not be verified for , xrefs: 6C7983AE
                                                • Hash verification failed for %s. HRESULT = 0x%x, xrefs: 6C798412
                                                • Hash verification succeeded for , xrefs: 6C7982CD, 6C798304, 6C798348
                                                • Signature verification succeeded for , xrefs: 6C7981F8
                                                • Hash verification succeeded but file size does not match for , xrefs: 6C798378
                                                • No FileHash provided. Cannot perform FileHash verification for , xrefs: 6C798434
                                                • ... , xrefs: 6C79822F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$CloseFileH_prolog3_HandleSize
                                                • String ID: ... $Hash verification failed for %s. HRESULT = 0x%x$Hash verification succeeded but file size can not be verified for $Hash verification succeeded but file size does not match for $Hash verification succeeded for $No FileHash provided. Cannot perform FileHash verification for $Signature verification failed. Trying to verify hash $Signature verification succeeded for
                                                • API String ID: 2359445833-3405341789
                                                • Opcode ID: 6af8bac0b3a6aa03d97d0cee1c942f69cfafed66f6687417fec073d785017b90
                                                • Instruction ID: d7e40b85a566d3764097f12adf5375ad8165d7eaa025e3a4f0d5549c1166ffa1
                                                • Opcode Fuzzy Hash: 6af8bac0b3a6aa03d97d0cee1c942f69cfafed66f6687417fec073d785017b90
                                                • Instruction Fuzzy Hash: A4915E31A01208EFCF00DFA8DA88ACEBBB5BF05314F148696F511AB756CB70E945CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C77BB43
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • __CxxThrowException@8.LIBCMT ref: 6C77BDEB
                                                Strings
                                                • Using Simultaneous Download and Install mechanism, xrefs: 6C77BE01
                                                • UserExperienceDataCollection, xrefs: 6C77BBF8
                                                • schema validation failure: there must be a valid child element for Configuration., xrefs: 6C77BD5C
                                                • DisabledCommandLineSwitches, xrefs: 6C77BB52
                                                • ParameterInfo.xml, xrefs: 6C77BD6A
                                                • DownloadInstallSetting, xrefs: 6C77BC4B
                                                • Using Serial Download and Install mechanism, xrefs: 6C77BDFA
                                                • BlockingMutex, xrefs: 6C77BC9D
                                                • FilesInUseSetting, xrefs: 6C77BCEF
                                                • AdditionalCommandLineSwitches, xrefs: 6C77BBA6
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw
                                                • String ID: AdditionalCommandLineSwitches$BlockingMutex$DisabledCommandLineSwitches$DownloadInstallSetting$FilesInUseSetting$ParameterInfo.xml$UserExperienceDataCollection$Using Serial Download and Install mechanism$Using Simultaneous Download and Install mechanism$schema validation failure: there must be a valid child element for Configuration.
                                                • API String ID: 2489616738-904804324
                                                • Opcode ID: e96bf5526f5cea30828827f24297234a4671c8bef37e78d490f424690a21cc3d
                                                • Instruction ID: b79666fa17d14565d308619e0570022823b188d9dfe7eb0af2a77c2adaf96d4a
                                                • Opcode Fuzzy Hash: e96bf5526f5cea30828827f24297234a4671c8bef37e78d490f424690a21cc3d
                                                • Instruction Fuzzy Hash: 62A12C71900249EFDB14DFA8CA49AEEBBB9BF09318F144559F424E7780C734EA14CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C777882
                                                • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\PCHealth\ErrorReporting\DW\Installed,00000000,00020019,?,00000014,6C77781A,?,6C7A831D,00000000), ref: 6C7778B2
                                                • RegQueryValueExW.ADVAPI32(?,DW0200,00000000,00000000,?,?,?,6C7A831D,00000000), ref: 6C7778D8
                                                • RegCloseKey.ADVAPI32(?,?,6C7A831D,00000000), ref: 6C7778E4
                                                • GetFileAttributesW.KERNEL32(?,?,6C7A831D,00000000), ref: 6C7778F9
                                                • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,?,?,6C7A831D,00000000), ref: 6C77790E
                                                • GetFileAttributesW.KERNEL32(?,?,6C7A831D,00000000), ref: 6C777931
                                                • GetFileAttributesW.KERNEL32(?,?,6C7A831D,00000000), ref: 6C77798A
                                                Strings
                                                • \Microsoft Shared\DW\DW20.exe, xrefs: 6C77791D
                                                • Software\Microsoft\PCHealth\ErrorReporting\DW\Installed, xrefs: 6C7778A8
                                                • DW\DW20.exe, xrefs: 6C77795E
                                                • DW0200, xrefs: 6C7778C9
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: AttributesFile$CloseFolderH_prolog3OpenPathQueryValue
                                                • String ID: DW0200$DW\DW20.exe$Software\Microsoft\PCHealth\ErrorReporting\DW\Installed$\Microsoft Shared\DW\DW20.exe
                                                • API String ID: 2337823764-2373061612
                                                • Opcode ID: 645100a68d058f7fa8a8e6039e5c02a93517f07df024a13ae7bb22699b9d0dee
                                                • Instruction ID: aee3a35d38cabe4249276307c5f2b48ccdeb6e0e14044a113d14aed95bb20a0f
                                                • Opcode Fuzzy Hash: 645100a68d058f7fa8a8e6039e5c02a93517f07df024a13ae7bb22699b9d0dee
                                                • Instruction Fuzzy Hash: 9C31857190110EAFEF118FA4CE89ABFBAB9FF05319F500628E520E6690D7348915CFB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C78539D
                                                • SysFreeString.OLEAUT32(?), ref: 6C785420
                                                • SysAllocString.OLEAUT32(6C7AFA6E), ref: 6C785490
                                                • __EH_prolog3.LIBCMT ref: 6C7854B8
                                                • __CxxThrowException@8.LIBCMT ref: 6C785540
                                                  • Part of subcall function 6C778415: __EH_prolog3.LIBCMT ref: 6C77841C
                                                  • Part of subcall function 6C77A378: __EH_prolog3.LIBCMT ref: 6C77A37F
                                                Strings
                                                • \LocalizedData.xml: should have atleast one 'Language' child element!, xrefs: 6C785599
                                                • Schema validation failure in file , xrefs: 6C785575
                                                • Unable to find Language element for LangID="%d" in localized data, xrefs: 6C78551A
                                                • ParameterInfo.xml, xrefs: 6C785565
                                                • //Setup/LocalizedData/Language, xrefs: 6C7853CC
                                                • W, xrefs: 6C785530
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$String$AllocException@8FreeThrow
                                                • String ID: //Setup/LocalizedData/Language$ParameterInfo.xml$Schema validation failure in file $Unable to find Language element for LangID="%d" in localized data$W$\LocalizedData.xml: should have atleast one 'Language' child element!
                                                • API String ID: 191698298-1863159554
                                                • Opcode ID: 81d8a9229af40ebe507f191b699acefbb6053afd7df860f6fd95810be43771a0
                                                • Instruction ID: 0ab64168ff0caec5b9846277a7dde440f4a45e61c21cf8949c61544f72bb94bb
                                                • Opcode Fuzzy Hash: 81d8a9229af40ebe507f191b699acefbb6053afd7df860f6fd95810be43771a0
                                                • Instruction Fuzzy Hash: DC915E71901249EFDF00DFE8CA48AEDBBB9BF09318F244569E515EB780CB349A05CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_catch.LIBCMT ref: 6C794746
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A8380: __EH_prolog3.LIBCMT ref: 6C7A8387
                                                  • Part of subcall function 6C77388B: __EH_prolog3.LIBCMT ref: 6C773892
                                                  • Part of subcall function 6C794464: __EH_prolog3.LIBCMT ref: 6C79446B
                                                  • Part of subcall function 6C794682: __EH_prolog3.LIBCMT ref: 6C794689
                                                • CoInitialize.OLE32(00000000), ref: 6C7947F7
                                                • CoCreateInstance.OLE32(6C76A974,00000000,00000017,6C76A9A4,?,?,?,?,?,6C773864,?,00000000,00000000,6C7AFA6E,00000738,IronMan::EngineData::CreateEngineData), ref: 6C794815
                                                  • Part of subcall function 6C7B9D05: GetCommandLineW.KERNEL32(342C82DB,?,00000000,ParameterInfo.xml,?,?,?,00000000,?,?,?,?,ParameterInfo.xml,?,00000000,?), ref: 6C7B9D54
                                                • CoUninitialize.OLE32(-00000960,00000000,?,?,succeeded,6C76A794,?,?,?,?,6C773864,?,00000000,00000000,6C7AFA6E,00000738), ref: 6C7948F0
                                                • SysFreeString.OLEAUT32(00000000), ref: 6C7948F9
                                                • SysAllocString.OLEAUT32(?), ref: 6C79492E
                                                • __CxxThrowException@8.LIBCMT ref: 6C7949BE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$String$AllocCommandCreateException@8FreeH_prolog3_catchInitializeInstanceLineThrowUninitialize
                                                • String ID: IronMan::EngineData::CreateEngineData$ParameterInfo.xml$succeeded$threw exception
                                                • API String ID: 1482071144-3644667230
                                                • Opcode ID: c25688f2c04bbc7f2b33e779be046ee133f7d2d315154322c7250531ea1624b5
                                                • Instruction ID: 1397e49a3f65be6a7e8e3e612dfccfb0621622b4720bbda21e7c703c18965a1e
                                                • Opcode Fuzzy Hash: c25688f2c04bbc7f2b33e779be046ee133f7d2d315154322c7250531ea1624b5
                                                • Instruction Fuzzy Hash: CE814A71900249EFCF00DFA8CA88ADE7BB9AF09318F148559F525EB741CB75DA05CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C78E315
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C778415: __EH_prolog3.LIBCMT ref: 6C77841C
                                                  • Part of subcall function 6C77A378: __EH_prolog3.LIBCMT ref: 6C77A37F
                                                • __CxxThrowException@8.LIBCMT ref: 6C78E62B
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
                                                • String ID: ActionTable$ApplicableIf$Compressed$Compressed items need to have URL and CompressedDownloadSize authored.$File$IsPresent$ParameterInfo.xml$schema validation failure: wrong number of File child nodes!
                                                • API String ID: 3417717588-3917201069
                                                • Opcode ID: 645abd3a95228235c448df9c77936f0dc311f2140048012efacb429ef02e8d70
                                                • Instruction ID: 5a06b3046b3459f222be220ed80555704f0cd000e2d65762029661b42dcb4477
                                                • Opcode Fuzzy Hash: 645abd3a95228235c448df9c77936f0dc311f2140048012efacb429ef02e8d70
                                                • Instruction Fuzzy Hash: 37E13071A01249EFDF04DFA8CA48ADDBBB9AF09318F148159F524EB780C735EA05CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C794AE0
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7789B7: __EH_prolog3.LIBCMT ref: 6C7789BE
                                                  • Part of subcall function 6C7789B7: __CxxThrowException@8.LIBCMT ref: 6C778A89
                                                • __CxxThrowException@8.LIBCMT ref: 6C794E3F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw
                                                • String ID: Blockers$Configuration$EnterMaintenanceModeIf$Items$ParameterInfo.xml$Setup$SystemCheck$schema validation failure: wrong number of child elements under top level Setup element
                                                • API String ID: 2489616738-3586895666
                                                • Opcode ID: a9651a410ba03af5d791f86ab86151b2b59cb7a4cc971fb6b088c91e6c87f9a9
                                                • Instruction ID: 08bd7480dab9e63423c5d902e93726cbff229cf260b9472724dc0597d851eafc
                                                • Opcode Fuzzy Hash: a9651a410ba03af5d791f86ab86151b2b59cb7a4cc971fb6b088c91e6c87f9a9
                                                • Instruction Fuzzy Hash: A7C14E71901249EFCF04DFA8CA49AEEBBB9AF09318F148559F525E7780C734DA09CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 65%
                                                			E6C3C32BC(void* __ebx, void* __ecx, void* __edx, void* __fp0, intOrPtr _a4, intOrPtr _a8, signed char _a12) {
                                                				signed int _v8;
                                                				void _v2054;
                                                				char _v2056;
                                                				signed int _v2060;
                                                				signed int _v2064;
                                                				char _v2068;
                                                				int _v2072;
                                                				char _v2076;
                                                				signed int _v2080;
                                                				signed int _v2084;
                                                				char _v2088;
                                                				signed int _v2092;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t116;
                                                				intOrPtr _t120;
                                                				void* _t128;
                                                				intOrPtr _t129;
                                                				long _t130;
                                                				intOrPtr _t131;
                                                				intOrPtr _t134;
                                                				signed int _t136;
                                                				intOrPtr _t138;
                                                				signed int _t141;
                                                				intOrPtr _t143;
                                                				intOrPtr _t146;
                                                				intOrPtr _t151;
                                                				intOrPtr _t152;
                                                				void* _t162;
                                                				void* _t165;
                                                				signed int _t166;
                                                				intOrPtr _t171;
                                                				void* _t173;
                                                				intOrPtr _t180;
                                                				intOrPtr _t181;
                                                				intOrPtr _t184;
                                                				void* _t185;
                                                				void* _t187;
                                                				void* _t188;
                                                				intOrPtr _t190;
                                                				void* _t191;
                                                				intOrPtr _t193;
                                                				void* _t194;
                                                				char _t195;
                                                				intOrPtr _t196;
                                                				signed int _t197;
                                                				void* _t201;
                                                				void* _t213;
                                                
                                                				_t213 = __fp0;
                                                				_t185 = __edx;
                                                				_t173 = __ecx;
                                                				_t172 = __ebx;
                                                				_t116 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t116 ^ _t197;
                                                				_t193 = _a4;
                                                				_t187 = 0;
                                                				_v2072 = 0;
                                                				_v2068 = 0;
                                                				_v2060 = 0x10000106;
                                                				_v2056 = 0;
                                                				memset( &_v2054, 0, 0x7fe);
                                                				_t201 =  *0x6c3e009c - _t187; // 0x0
                                                				_v2064 = 0;
                                                				_v2076 = 0;
                                                				if(_t201 == 0) {
                                                					_t120 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t120 != 0x6c3e0088 && ( *(_t120 + 0x1c) & 0x00000001) != 0) {
                                                						_t42 = _t120 + 0x14; // 0x0
                                                						_t43 = _t120 + 0x10; // 0x1
                                                						E6C3D5F11( *_t43,  *_t42, 0xe, 0x6c3d5a6c);
                                                					}
                                                					_v2060 = 0x1000010a;
                                                					L12:
                                                					LeaveCriticalSection(0x6c3e0168);
                                                					_pop(_t188);
                                                					_pop(_t194);
                                                					if(_v2064 != 0) {
                                                						LocalFree(_v2064);
                                                						_v2064 = _v2064 & 0x00000000;
                                                					}
                                                					SetLastError(_v2060);
                                                					return E6C3C171F(_v2072, _t172, _v8 ^ _t197, _t185, _t188, _t194);
                                                				}
                                                				_push(__ebx);
                                                				E6C3C3679(_t173,  &_v2064); // executed
                                                				EnterCriticalSection(0x6c3e0168);
                                                				if(_t193 != 0) {
                                                					_t172 = 0x400;
                                                					if(_v2064 == 0) {
                                                						_t128 = E6C3C173D( &_v2056, 0x400, _t193);
                                                					} else {
                                                						_push(_v2064);
                                                						_t128 = E6C3C18E5( &_v2056, 0x400, L"%s_%s", _t193);
                                                					}
                                                					if(_t128 < _t187) {
                                                						_v2060 = 0x57;
                                                						_t129 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t129 != 0x6c3e0088 && ( *(_t129 + 0x1c) & 0x00000001) != 0) {
                                                							_t130 = GetLastError();
                                                							_t131 =  *0x6c3e0088; // 0x6c3e0088
                                                							_t55 = _t131 + 0x14; // 0x0
                                                							_t56 = _t131 + 0x10; // 0x1
                                                							E6C3D99F8( *_t56,  *_t55, 0x10, 0x6c3d5a6c, _t130);
                                                						}
                                                						goto L11;
                                                					} else {
                                                						_v2076 =  &_v2056;
                                                						_t134 =  *0x6c3e00a4; // 0x0
                                                						_t136 =  ~( *(_t134 + 8));
                                                						asm("sbb eax, eax");
                                                						_v2080 = _t136;
                                                						if(_t136 == _t187) {
                                                							L3:
                                                							if(E6C3C17EB(0x838) == 0) {
                                                								_t195 = 0;
                                                							} else {
                                                								_t195 = E6C3C27C5(_t137, 0);
                                                							}
                                                							_v2068 = _t195;
                                                							if(_t195 == 0) {
                                                								_t138 =  *0x6c3e0088; // 0x6c3e0088
                                                								if(_t138 != 0x6c3e0088 && ( *(_t138 + 0x1c) & 0x00000001) != 0) {
                                                									_t100 = _t138 + 0x14; // 0x0
                                                									_t101 = _t138 + 0x10; // 0x1
                                                									E6C3D99F8( *_t101,  *_t100, 0x15, 0x6c3d5a6c, 0x838);
                                                								}
                                                								_v2060 = 0xe;
                                                								goto L9;
                                                							} else {
                                                								_t141 = E6C3C3536(_t195, _t185, 0x838, _t213, _v2076, _a8, _a12); // executed
                                                								if(_t141 < 0) {
                                                									_v2060 = _t141 & 0x1000ffff;
                                                									_t143 =  *0x6c3e0088; // 0x6c3e0088
                                                									if(_t143 != 0x6c3e0088 && ( *(_t143 + 0x1c) & 0x00000001) != 0) {
                                                										_t108 = _t143 + 0x14; // 0x0
                                                										_t109 = _t143 + 0x10; // 0x1
                                                										E6C3D99F8( *_t109,  *_t108, 0x16, 0x6c3d5a6c, _v2060);
                                                									}
                                                									L72:
                                                									E6C3CABAB(_t195, 1);
                                                									L11:
                                                									_pop(_t172);
                                                									goto L12;
                                                								}
                                                								_t146 =  *0x6c3e00a0; // 0x1
                                                								_t180 =  *0x6c3e00a4; // 0x0
                                                								_v2076 = _t146 + 1;
                                                								if(E6C3C30E7(_t180,  &_v2076, _t195) < 0) {
                                                									_t181 =  *0x6c3e0088; // 0x6c3e0088
                                                									if(_t181 != 0x6c3e0088 && ( *(_t181 + 0x1c) & 0x00000001) != 0) {
                                                										_t113 = _t181 + 0x14; // 0x0
                                                										_t114 = _t181 + 0x10; // 0x1
                                                										E6C3D99F8( *_t114,  *_t113, 0x17, 0x6c3d5a6c, _t149);
                                                									}
                                                									_v2060 = 0xe;
                                                									goto L72;
                                                								} else {
                                                									_t151 =  *0x6c3e00a0; // 0x1
                                                									_t152 = _t151 + 1;
                                                									 *0x6c3e00a0 = _t152;
                                                									_v2072 = _t152;
                                                									 *((intOrPtr*)(_t195 + 0x81c)) = _t152;
                                                									E6C3C343E(_t172, _t195);
                                                									_v2060 = _v2060 & 0x00000000;
                                                									L9:
                                                									_t177 = _v2068;
                                                									if(_v2068 != 0) {
                                                										E6C3C30D2(_t177);
                                                									}
                                                									goto L11;
                                                								}
                                                							}
                                                						}
                                                						_t196 =  *0x6c3e0088; // 0x6c3e0088
                                                						while(1) {
                                                							_t184 =  *0x6c3e00a4; // 0x0
                                                							_v2088 = _t187;
                                                							if(E6C3D68D8(_t184,  &_v2080,  &_v2088,  &_v2068) < 0) {
                                                								goto L48;
                                                							}
                                                							_t190 = _v2068;
                                                							if(_t190 == 0) {
                                                								if(_t196 != 0x6c3e0088 && ( *(_t196 + 0x1c) & 0x00000001) != 0) {
                                                									_push(0x6c3d5a6c);
                                                									_push(0x11);
                                                									_t85 = _t196 + 0x14; // 0x0
                                                									_push( *_t85);
                                                									_t86 = _t196 + 0x10; // 0x1
                                                									_push( *_t86);
                                                									L54:
                                                									E6C3D5F11();
                                                								}
                                                								goto L11;
                                                							}
                                                							_t191 = _t190 + 0x10;
                                                							if(_t191 == 0) {
                                                								L49:
                                                								_t187 = 0;
                                                								if(_v2080 == 0) {
                                                									goto L3;
                                                								}
                                                								continue;
                                                							}
                                                							_v2084 = _v2084 & 0x00000000;
                                                							_v2092 = _v2092 & 0x00000000;
                                                							_t162 = E6C3CB133(_t191, _t172,  &_v2084);
                                                							if(_t162 >= 0) {
                                                								_t165 = E6C3CB133( &_v2056, _t172,  &_v2092);
                                                								if(_t165 >= 0) {
                                                									_t166 = _v2084;
                                                									if(_t166 != _v2092) {
                                                										goto L49;
                                                									}
                                                									_push(_t166);
                                                									_push( &_v2056);
                                                									_push(_t191);
                                                									if( *0x6c3e053c() == 0) {
                                                										_v2060 = _v2060 & 0x00000000;
                                                										_v2072 = _v2088;
                                                										L59:
                                                										if(_v2072 == 0) {
                                                											goto L3;
                                                										}
                                                										goto L9;
                                                									}
                                                									L47:
                                                									_t196 =  *0x6c3e0088; // 0x6c3e0088
                                                									goto L49;
                                                								}
                                                								if(_t196 == 0x6c3e0088 || ( *(_t196 + 0x1c) & 0x00000001) == 0) {
                                                									goto L49;
                                                								} else {
                                                									_push(_t165);
                                                									_push(0x6c3d5a6c);
                                                									_push(0x13);
                                                									L44:
                                                									_t75 = _t196 + 0x14; // 0x0
                                                									_push( *_t75);
                                                									_t76 = _t196 + 0x10; // 0x1
                                                									_push( *_t76);
                                                									E6C3D99F8();
                                                									goto L47;
                                                								}
                                                							}
                                                							if(_t196 == 0x6c3e0088 || ( *(_t196 + 0x1c) & 0x00000001) == 0) {
                                                								goto L49;
                                                							} else {
                                                								_push(_t162);
                                                								_push(0x6c3d5a6c);
                                                								_push(0x12);
                                                								goto L44;
                                                							}
                                                							L48:
                                                							if(_v2080 != _t187) {
                                                								if(_t196 == 0x6c3e0088 || ( *(_t196 + 0x1c) & 0x00000001) == 0) {
                                                									goto L3;
                                                								} else {
                                                									_t94 = _t196 + 0x14; // 0x0
                                                									_t95 = _t196 + 0x10; // 0x1
                                                									E6C3D5F11( *_t95,  *_t94, 0x14, 0x6c3d5a6c);
                                                									goto L59;
                                                								}
                                                							}
                                                							goto L49;
                                                						}
                                                					}
                                                				}
                                                				if((_a12 & 0x00000001) == 0) {
                                                					_v2060 = 0x57;
                                                					_t171 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t171 == 0x6c3e0088 || ( *(_t171 + 0x1c) & 0x00000002) == 0) {
                                                						goto L11;
                                                					} else {
                                                						_push(0x6c3d5a6c);
                                                						_push(0xf);
                                                						_t49 = _t171 + 0x14; // 0x0
                                                						_push( *_t49);
                                                						_t50 = _t171 + 0x10; // 0x1
                                                						_push( *_t50);
                                                						goto L54;
                                                					}
                                                				}
                                                				goto L3;
                                                			}
                                                0x00000000
                                                0x6c3ced25
                                                0x6c3ced08
                                                0x00000000
                                                0x6c3cecab
                                                0x6c3cebc4
                                                0x6c3c3ad7
                                                0x6c3c3346
                                                0x6c3ceb41
                                                0x6c3ceb4b
                                                0x6c3ceb55
                                                0x00000000
                                                0x6c3ceb65
                                                0x6c3ceb65
                                                0x6c3ceb6a
                                                0x6c3ceb6c
                                                0x6c3ceb6c
                                                0x6c3ceb6f
                                                0x6c3ceb6f
                                                0x00000000
                                                0x6c3ceb6f
                                                0x6c3ceb55
                                                0x00000000

                                                APIs
                                                • memset.MSVCRT ref: 6C3C3302
                                                  • Part of subcall function 6C3C3679: GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,6C3C332F,?), ref: 6C3C3683
                                                  • Part of subcall function 6C3C3679: OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,6C3C332F,?), ref: 6C3C36B3
                                                  • Part of subcall function 6C3C3679: ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 6C3C36D5
                                                  • Part of subcall function 6C3C3679: FindCloseChangeNotification.KERNEL32(?,?,00000001,?,?,?,?,6C3C332F,?), ref: 6C3C36E0
                                                • EnterCriticalSection.KERNEL32(6C3E0168,?), ref: 6C3C3334
                                                • LeaveCriticalSection.KERNEL32(6C3E0168,00000400,?), ref: 6C3C33F5
                                                • LocalFree.KERNEL32(00000000), ref: 6C3C340C
                                                • SetLastError.KERNEL32(00000057), ref: 6C3C341F
                                                  • Part of subcall function 6C3C17EB: malloc.MSVCRT ref: 6C3C17F6
                                                • ctype.LIBCPMT ref: 6C3CEDDC
                                                  • Part of subcall function 6C3C343E: GetSystemTime.KERNEL32(00000000,00000838,00000000), ref: 6C3C347D
                                                  • Part of subcall function 6C3C343E: SystemTimeToFileTime.KERNEL32(00000000,00000000), ref: 6C3C348B
                                                  • Part of subcall function 6C3C30D2: InterlockedIncrement.KERNEL32(00000000), ref: 6C3C30D8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: Time$CriticalProcessSectionSystem$ChangeCloseConvertCurrentEnterErrorFileFindFreeIncrementInterlockedLastLeaveLocalNotificationOpenStringTokenctypemallocmemset
                                                • String ID: %s_%s$Fm*$W
                                                • API String ID: 1092980461-1633022603
                                                • Opcode ID: ceff1f10b96cdd12d93366e84e1904d7e8a11514ba3b162aade377d8eca56a61
                                                • Instruction ID: 1c053723acce492a7b122ef43224b0e3bb05fddb092ad03198f8ca80a08159dc
                                                • Opcode Fuzzy Hash: ceff1f10b96cdd12d93366e84e1904d7e8a11514ba3b162aade377d8eca56a61
                                                • Instruction Fuzzy Hash: 72C1CE71A012589BDBA19F14CC85BDE7AF8FF04308F118495E495A7990CF72DE889FE2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C786447
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77A1FF: __EH_prolog3_catch.LIBCMT ref: 6C77A206
                                                • __CxxThrowException@8.LIBCMT ref: 6C786666
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                  • Part of subcall function 6C778415: __EH_prolog3.LIBCMT ref: 6C77841C
                                                Strings
                                                • schema validation failure: If URL is present then there must be a DownloadSize, xrefs: 6C7865DA
                                                • schema validation failure: If HashValue is present then it must be a 64 hex-digit string, xrefs: 6C78667A
                                                • URL, xrefs: 6C786453
                                                • ParameterInfo.xml, xrefs: 6C7865E8, 6C786688
                                                • CompressedHashValue, xrefs: 6C78652C
                                                • HashValue, xrefs: 6C78649E
                                                • DownloadSize, xrefs: 6C7864E3
                                                • CompressedDownloadSize, xrefs: 6C786571
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8H_prolog3_catchThrow
                                                • String ID: CompressedDownloadSize$CompressedHashValue$DownloadSize$HashValue$ParameterInfo.xml$URL$schema validation failure: If HashValue is present then it must be a 64 hex-digit string$schema validation failure: If URL is present then there must be a DownloadSize
                                                • API String ID: 24280941-3047338099
                                                • Opcode ID: 30769535f88cbbc08091ceedd95577e90a07237ba5b35c7683355d30f9834eb8
                                                • Instruction ID: da5ad49bfd45d3043a842c69728f2a4438bf7d9b9fa6a4fecba0a8c89345b806
                                                • Opcode Fuzzy Hash: 30769535f88cbbc08091ceedd95577e90a07237ba5b35c7683355d30f9834eb8
                                                • Instruction Fuzzy Hash: 88A15371901249EFCB14DFA8CA48AEEB7B9BF15318F144659E525EB780C730EB09CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B6789
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7B988C: __EH_prolog3.LIBCMT ref: 6C7B9893
                                                  • Part of subcall function 6C7B988C: GetCommandLineW.KERNEL32(0000002C,6C7BD52A,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C7B98B4
                                                  • Part of subcall function 6C7B988C: PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6C7B996E
                                                  • Part of subcall function 6C77A8CC: __EH_prolog3.LIBCMT ref: 6C77A8D3
                                                  • Part of subcall function 6C77A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A90B
                                                  • Part of subcall function 6C77A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A964
                                                  • Part of subcall function 6C77A8CC: __CxxThrowException@8.LIBCMT ref: 6C77AA28
                                                • CoInitialize.OLE32(00000000), ref: 6C7B67DD
                                                • CoCreateInstance.OLE32(6C76A974,00000000,00000017,6C76A9A4,6C7AFA6E,?,?,?,UiInfo.xml,?,00000000,00000044,6C7B36D8,-00000960,?,00000000), ref: 6C7B67FB
                                                • __CxxThrowException@8.LIBCMT ref: 6C7B6A24
                                                • CoUninitialize.OLE32(?,6C7EBE00,?,?,?,UiInfo.xml,?,00000000,00000044,6C7B36D8,-00000960,?,00000000,?), ref: 6C7B6A3A
                                                • SysFreeString.OLEAUT32(?), ref: 6C7B6A43
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8PathRelativeThrow$CommandCreateFileFreeInitializeInstanceLineModuleNameStringUninitialize
                                                • String ID: LCIDHints$ParameterInfo.xml$UiInfo.xml$Xml Document load failure
                                                • API String ID: 2432735026-2443555527
                                                • Opcode ID: 5f3f40d4403f04c237d5887d1df6ca730828e6f5a72920b39765cbe9588e578d
                                                • Instruction ID: 2f63effef196274570afc96f74563009b072b9cadb406d643eb2e45bd78b95cc
                                                • Opcode Fuzzy Hash: 5f3f40d4403f04c237d5887d1df6ca730828e6f5a72920b39765cbe9588e578d
                                                • Instruction Fuzzy Hash: DE917D71900148EFCF01DFE8CA88AEDBBB9AF49318F248199E115EB741CB319E05CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C779F3B
                                                • VariantInit.OLEAUT32(00000003), ref: 6C779F49
                                                • SysFreeString.OLEAUT32(?), ref: 6C779F83
                                                  • Part of subcall function 6C7B964C: __get_errno.LIBCMT ref: 6C7B966C
                                                  • Part of subcall function 6C7B964C: __wcstoui64.LIBCMT ref: 6C7B968F
                                                  • Part of subcall function 6C7B964C: __get_errno.LIBCMT ref: 6C7B96A1
                                                • __ui64tow_s.LIBCMT ref: 6C779FEF
                                                • __CxxThrowException@8.LIBCMT ref: 6C77A0BC
                                                • SysAllocString.OLEAUT32(00000000), ref: 6C77A0C2
                                                • VariantClear.OLEAUT32(?), ref: 6C77A0E9
                                                Strings
                                                • Name, xrefs: 6C77A121
                                                • schema validation failure: %s is invalid, a non-negitive numeric value is required for %s, xrefs: 6C77A03C
                                                • schema validation failure: attribute %s missing for %s %s, xrefs: 6C77A17B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: StringVariant__get_errno$AllocClearException@8FreeH_prolog3InitThrow__ui64tow_s__wcstoui64
                                                • String ID: Name$schema validation failure: %s is invalid, a non-negitive numeric value is required for %s$schema validation failure: attribute %s missing for %s %s
                                                • API String ID: 1723289333-1070666262
                                                • Opcode ID: 3477a42b8ad1cd54925bdefc4cbddec91021dc049192096c685eb8d38a41482a
                                                • Instruction ID: 7a8a833464753c32985d02c12bdb05c62d7ccb72a22dbe894dd414da0f0b8264
                                                • Opcode Fuzzy Hash: 3477a42b8ad1cd54925bdefc4cbddec91021dc049192096c685eb8d38a41482a
                                                • Instruction Fuzzy Hash: A2914B71900249EFDF01DFA8CA48ADEBBB9BF09318F144565E425EB791DB70DA08CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C77A8D3
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A90B
                                                • GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A964
                                                • __CxxThrowException@8.LIBCMT ref: 6C77AA28
                                                • SetFilePointer.KERNEL32(?,00000000,6C76A794,00000001,?,00000000,00000000,00000002,?,80000000,00000001,00000003,00000080,00000000,00000000,?), ref: 6C77AA49
                                                • ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77AA97
                                                • SysAllocStringLen.OLEAUT32(00000000,?), ref: 6C77AAAC
                                                • FindCloseChangeNotification.KERNEL32(?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77AB2C
                                                Strings
                                                • ReadXML failed to open XML file %s, with error %d, xrefs: 6C77AA07
                                                • Could not find mandatory data file %s. This is a bad package., xrefs: 6C77AAE5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: File$H_prolog3$AllocChangeCloseException@8FindModuleNameNotificationPathPointerReadRelativeStringThrow
                                                • String ID: Could not find mandatory data file %s. This is a bad package.$ReadXML failed to open XML file %s, with error %d
                                                • API String ID: 956789720-4172873023
                                                • Opcode ID: e3108aa6387bd02b7387ae330b97e9dfd455eccf0b3d78793e62bcad85522a9a
                                                • Instruction ID: 92313dd20dfad7f2d3b7c70bdc79139f2d3abfd6b0360ffa91157089a482962f
                                                • Opcode Fuzzy Hash: e3108aa6387bd02b7387ae330b97e9dfd455eccf0b3d78793e62bcad85522a9a
                                                • Instruction Fuzzy Hash: C6814D7190010DEFDF10DFA4CA889EEBBB9BF49318F154529E511B7790C7349A15CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7AA796
                                                  • Part of subcall function 6C77C5D4: __EH_prolog3.LIBCMT ref: 6C77C5DB
                                                  • Part of subcall function 6C77C5D4: GetLastError.KERNEL32 ref: 6C77C609
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7B1236: __EH_prolog3.LIBCMT ref: 6C7B123D
                                                • GetLastError.KERNEL32 ref: 6C7AA83B
                                                • GetLastError.KERNEL32 ref: 6C7AA8F4
                                                • GetLastError.KERNEL32 ref: 6C7AA95B
                                                Strings
                                                • Failed to record PackageName, xrefs: 6C7AA7B8
                                                • Failed to record PackageVersion, xrefs: 6C7AA7F7
                                                • Failed to record DisplayedLcidId, xrefs: 6C7AA855
                                                • Failed to record PatchType, xrefs: 6C7AA90E
                                                • Failed to record InstallerVersion, xrefs: 6C7AA8B0
                                                • Failed to record IsRetailBuild, xrefs: 6C7AA975
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorH_prolog3Last
                                                • String ID: Failed to record DisplayedLcidId$Failed to record InstallerVersion$Failed to record IsRetailBuild$Failed to record PackageName$Failed to record PackageVersion$Failed to record PatchType
                                                • API String ID: 685212868-335235891
                                                • Opcode ID: b2bf53fb6e2ba9c5651d67a62d2b3d647d747656a07e4f9f45ca159b74323ac2
                                                • Instruction ID: 91aac57427856da4f46a0d4778aee9751f2d94d58b592b03b142da45fe65b80a
                                                • Opcode Fuzzy Hash: b2bf53fb6e2ba9c5651d67a62d2b3d647d747656a07e4f9f45ca159b74323ac2
                                                • Instruction Fuzzy Hash: 4E514172600209AFDB10DFA5CB4CACE7BBABF45358F108629B914DBB90C774D606DB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C77C53D: GetLastError.KERNEL32(?,6C7AA320,342C82DB,?,?), ref: 6C77C55E
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7B1236: __EH_prolog3.LIBCMT ref: 6C7B123D
                                                • GetLastError.KERNEL32 ref: 6C7AA393
                                                • GetLastError.KERNEL32 ref: 6C7AA434
                                                • GetLastError.KERNEL32 ref: 6C7AA4A7
                                                • GetLastError.KERNEL32 ref: 6C7AA511
                                                • GetLastError.KERNEL32 ref: 6C7AA5A5
                                                Strings
                                                • Failed to record SetUserId, xrefs: 6C7AA3C0
                                                • Failed to record current state name, xrefs: 6C7AA52B
                                                • Failed to record StartupAppid, xrefs: 6C7AA4C1
                                                • Failed to record SetMachineId, xrefs: 6C7AA461
                                                • Failed to record StartSession, xrefs: 6C7AA322
                                                • Failed to record MPC, xrefs: 6C7AA5BB
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$H_prolog3
                                                • String ID: Failed to record MPC$Failed to record SetMachineId$Failed to record SetUserId$Failed to record StartSession$Failed to record StartupAppid$Failed to record current state name
                                                • API String ID: 3502553090-2804495384
                                                • Opcode ID: ebdf7744bb853c6b4b5f9e7525527cc079a625d9d4235164d8b8f2d9b4c9d04c
                                                • Instruction ID: 294b5f91523558a264fae6985d2ca7372c7c455b221d2455108872285f9a17fd
                                                • Opcode Fuzzy Hash: ebdf7744bb853c6b4b5f9e7525527cc079a625d9d4235164d8b8f2d9b4c9d04c
                                                • Instruction Fuzzy Hash: 5AA1A1712042429FD720DF65CA4CA9B7BE9FF44364F100A2CF461D7AA1DB34D909CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C79212E
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • __CxxThrowException@8.LIBCMT ref: 6C792484
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw
                                                • String ID: CopyPackageFilesToDownloadLocation$DelayBetweenRetries$DownloadRetries$Items$No items found. The package must contain at least one item.$ParameterInfo.xml$true
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SysStringLen.OLEAUT32(?), ref: 6C777558
                                                • __time64.LIBCMT ref: 6C77760A
                                                  • Part of subcall function 6C775349: __EH_prolog3.LIBCMT ref: 6C775350
                                                  • Part of subcall function 6C775349: OutputDebugStringW.KERNEL32(?,?,?,00000008,6C7A63AF,000013EC,?,00000000,?,?,ReportingFlags,?,-0000000D,?,?,6C754A4C), ref: 6C775371
                                                • SysFreeString.OLEAUT32(?), ref: 6C7775E8
                                                Strings
                                                • Final Result: Installation aborted, xrefs: 6C777582
                                                • Final Result: Installation completed successfully with success code: (0x%08lX), "%s", xrefs: 6C777573
                                                • Final Result: Installation completed successfully with success code: (0x%08lX), xrefs: 6C777567
                                                • Final Result: Installation failed with error code: (0x%08lX), xrefs: 6C7775BD
                                                • Final Result: Installation failed with error code: (0x%08lX), "%s", xrefs: 6C7775D2
                                                Similarity
                                                • API ID: String$DebugFreeH_prolog3Output__time64
                                                • String ID: Final Result: Installation aborted$Final Result: Installation completed successfully with success code: (0x%08lX)$Final Result: Installation completed successfully with success code: (0x%08lX), "%s"$Final Result: Installation failed with error code: (0x%08lX)$Final Result: Installation failed with error code: (0x%08lX), "%s"
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • File %s (%s), failed authentication. (Error = %d). It is recommended that you delete this file and retry setup again., xrefs: 6C7C2CF1
                                                • File lock postponed for %s., xrefs: 6C7C2D73
                                                Similarity
                                                • API ID:
                                                • String ID: File %s (%s), failed authentication. (Error = %d). It is recommended that you delete this file and retry setup again.$File lock postponed for %s.
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C77AC5F
                                                • SysFreeString.OLEAUT32(?), ref: 6C77AD66
                                                • SysAllocString.OLEAUT32(-00000010), ref: 6C77AE70
                                                • __CxxThrowException@8.LIBCMT ref: 6C77AF3F
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A8CD5: __EH_prolog3.LIBCMT ref: 6C7A8CDC
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                  • Part of subcall function 6C778415: __EH_prolog3.LIBCMT ref: 6C77841C
                                                Strings
                                                • //*[@Id='%s'], xrefs: 6C77AD26
                                                • schema validation failure: ExpressionAlias's Id not defined or defined too many times: , xrefs: 6C77AEBF
                                                • schema validation failure: Invalid ExpressionAlias or Id not found: , xrefs: 6C77AF84
                                                • ExpressionAlias, xrefs: 6C77ACAC, 6C77ADEA
                                                Similarity
                                                • API ID: H_prolog3$String$AllocException@8FreeThrow
                                                • String ID: //*[@Id='%s']$ExpressionAlias$schema validation failure: ExpressionAlias's Id not defined or defined too many times: $schema validation failure: Invalid ExpressionAlias or Id not found:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C779C41
                                                • __CxxThrowException@8.LIBCMT ref: 6C779D24
                                                • __fassign.LIBCMT ref: 6C779D58
                                                • _wcstoul.LIBCMT ref: 6C779D65
                                                  • Part of subcall function 6C7CB6D0: wcstoxl.LIBCMT ref: 6C7CB6E0
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                • __get_errno.LIBCMT ref: 6C779D74
                                                Strings
                                                • schema validation failure: non-numeric value, %s, for %s, xrefs: 6C779DB1
                                                • ", xrefs: 6C779D88
                                                • schema validation failure: empty value, %s, for %s, xrefs: 6C779CA1
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw__fassign__get_errno_wcstoulwcstoxl
                                                • String ID: "$schema validation failure: empty value, %s, for %s$schema validation failure: non-numeric value, %s, for %s
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 6C794510
                                                • __EH_prolog3.LIBCMT ref: 6C794689
                                                  • Part of subcall function 6C7AFF21: _wcsnlen.LIBCMT ref: 6C7AFF54
                                                  • Part of subcall function 6C7AFF21: _memcpy_s.LIBCMT ref: 6C7AFF8A
                                                Strings
                                                Similarity
                                                • API ID: H_prolog3H_prolog3__memcpy_s_wcsnlen
                                                • String ID: #(loc.$&amp;$&apos;$&gt;$&lt;$&quot;
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_catch.LIBCMT ref: 6C7A51C7
                                                • CoInitialize.OLE32(00000000), ref: 6C7A51DC
                                                  • Part of subcall function 6C7C8859: SysStringByteLen.OLEAUT32(00000000), ref: 6C7C8860
                                                  • Part of subcall function 6C7C8859: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 6C7C8869
                                                  • Part of subcall function 6C77B00D: __EH_prolog3.LIBCMT ref: 6C77B014
                                                  • Part of subcall function 6C77B00D: SysFreeString.OLEAUT32(?), ref: 6C77B044
                                                • CoUninitialize.OLE32(?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml,?,?), ref: 6C7A538C
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77A6DB: __EH_prolog3.LIBCMT ref: 6C77A6E2
                                                  • Part of subcall function 6C77A6DB: SysFreeString.OLEAUT32(?), ref: 6C77A72B
                                                  • Part of subcall function 6C77A7C3: __EH_prolog3.LIBCMT ref: 6C77A7CA
                                                • __CxxThrowException@8.LIBCMT ref: 6C7A5343
                                                Strings
                                                • ParameterInfo.xml, xrefs: 6C7A52FE
                                                • #(loc., xrefs: 6C7A52B7
                                                • BlockIf/@ID cannot contain any token (#(loc.[Name]) references. BlockIf/@ID=", xrefs: 6C7A52CB
                                                • //BlockIf[@ID], xrefs: 6C7A5218
                                                Similarity
                                                • API ID: H_prolog3String$ByteFree$AllocException@8H_prolog3_catchInitializeThrowUninitialize
                                                • String ID: #(loc.$//BlockIf[@ID]$BlockIf/@ID cannot contain any token (#(loc.[Name]) references. BlockIf/@ID="$ParameterInfo.xml
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_catch.LIBCMT ref: 6C7850DC
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A8380: __EH_prolog3.LIBCMT ref: 6C7A8387
                                                  • Part of subcall function 6C77388B: __EH_prolog3.LIBCMT ref: 6C773892
                                                • CoInitialize.OLE32(00000000), ref: 6C78512A
                                                • CoCreateInstance.OLE32(6C76A974,00000000,00000017,6C76A9A4,00000738,?,?,?,00000000,?,?,?,342C82DB,?,?,?), ref: 6C785148
                                                • __CxxThrowException@8.LIBCMT ref: 6C785270
                                                  • Part of subcall function 6C7854B1: __EH_prolog3.LIBCMT ref: 6C7854B8
                                                  • Part of subcall function 6C7854B1: __CxxThrowException@8.LIBCMT ref: 6C785540
                                                • CoUninitialize.OLE32(-00000960,?,succeeded,?,?,?,00000000,?,?,?,342C82DB,?,?,?), ref: 6C7851E6
                                                Strings
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw$CreateH_prolog3_catchInitializeInstanceUninitialize
                                                • String ID: IronMan::LocalizedData::CreateLocalizedData$succeeded$threw exception
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7C59FF
                                                • GetCommandLineW.KERNEL32(?), ref: 6C7C5A64
                                                  • Part of subcall function 6C7AFF21: _wcsnlen.LIBCMT ref: 6C7AFF54
                                                  • Part of subcall function 6C7AFF21: _memcpy_s.LIBCMT ref: 6C7AFF8A
                                                Strings
                                                • - available but not verified yet, xrefs: 6C7C5ADC
                                                • - to be downloaded, xrefs: 6C7C5B05
                                                • not locally available, but no URL to bedownloaded - error!, xrefs: 6C7C5B13
                                                • - available locally, xrefs: 6C7C5AEC
                                                • - payload not required for this item to perform action., xrefs: 6C7C5A2C
                                                • - available locally and verified., xrefs: 6C7C5AC2
                                                Similarity
                                                • API ID: CommandH_prolog3Line_memcpy_s_wcsnlen
                                                • String ID: - available but not verified yet$ - available locally$ - available locally and verified.$ - payload not required for this item to perform action.$ - to be downloaded$ not locally available, but no URL to bedownloaded - error!
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegOpenKeyExW.KERNEL32(80000002,System\CurrentControlSet\Services\Eventlog\Application\VSSetup,00000000,00020019,?,?,6C7A831D,00000000), ref: 6C7777E8
                                                • RegCreateKeyExW.KERNEL32(80000002,System\CurrentControlSet\Services\Eventlog\Application\VSSetup,00000000,00000000,00000000,00020006,00000000,?,00000000,?,6C7A831D,00000000), ref: 6C777805
                                                  • Part of subcall function 6C77787B: __EH_prolog3.LIBCMT ref: 6C777882
                                                  • Part of subcall function 6C77787B: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\PCHealth\ErrorReporting\DW\Installed,00000000,00020019,?,00000014,6C77781A,?,6C7A831D,00000000), ref: 6C7778B2
                                                  • Part of subcall function 6C77787B: RegQueryValueExW.ADVAPI32(?,DW0200,00000000,00000000,?,?,?,6C7A831D,00000000), ref: 6C7778D8
                                                  • Part of subcall function 6C77787B: RegCloseKey.ADVAPI32(?,?,6C7A831D,00000000), ref: 6C7778E4
                                                  • Part of subcall function 6C77787B: GetFileAttributesW.KERNEL32(?,?,6C7A831D,00000000), ref: 6C7778F9
                                                • RegSetValueExW.KERNEL32(?,EventMessageFile,00000000,00000002,?,00000208,?,6C7A831D,00000000), ref: 6C777836
                                                • RegSetValueExW.KERNEL32(?,TypesSupported,00000000,00000004,?,00000004,?,6C7A831D,00000000), ref: 6C777859
                                                • RegCloseKey.KERNEL32(?,?,6C7A831D,00000000), ref: 6C777861
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Value$CloseOpen$AttributesCreateFileH_prolog3Query
                                                • String ID: EventMessageFile$System\CurrentControlSet\Services\Eventlog\Application\VSSetup$TypesSupported
                                                • API String ID: 4021642227-369282485
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C77B326
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77B25F: __EH_prolog3.LIBCMT ref: 6C77B266
                                                • __CxxThrowException@8.LIBCMT ref: 6C77B5A8
                                                Strings
                                                • DisabledCommandLineSwitches, xrefs: 6C77B353
                                                • No DisabledCommandLineSwitches block was specified, xrefs: 6C77B5C8
                                                • ParameterInfo.xml, xrefs: 6C77B554
                                                • Disabled CommandLineSwitch added: , xrefs: 6C77B406, 6C77B4C5
                                                • The DisabledCommandLineSwitches block has no CommandLineSwitches specified - either add them or remove the DisabledCommandLineSwit, xrefs: 6C77B546
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw
                                                • String ID: Disabled CommandLineSwitch added: $DisabledCommandLineSwitches$No DisabledCommandLineSwitches block was specified$ParameterInfo.xml$The DisabledCommandLineSwitches block has no CommandLineSwitches specified - either add them or remove the DisabledCommandLineSwit
                                                • API String ID: 2489616738-1449725936
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7849D5
                                                  • Part of subcall function 6C7739AD: __EH_prolog3.LIBCMT ref: 6C7739B4
                                                • __CxxThrowException@8.LIBCMT ref: 6C784A3C
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                  • Part of subcall function 6C7795C1: __EH_prolog3.LIBCMT ref: 6C7795C8
                                                  • Part of subcall function 6C7795C1: VariantInit.OLEAUT32(?), ref: 6C7795DB
                                                  • Part of subcall function 6C7795C1: SysFreeString.OLEAUT32(?), ref: 6C77960E
                                                  • Part of subcall function 6C7795C1: VariantClear.OLEAUT32(00000008), ref: 6C77962E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Variant$ClearDispatcherExceptionException@8FreeInitStringThrowUser
                                                • String ID: Language$LocalizedText$Text$Unable to find Language element for LangID="%d" in localized data$W
                                                • API String ID: 452683132-1012890799
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7C5381
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7D68B5: PMDtoOffset.LIBCMT ref: 6C7D6989
                                                  • Part of subcall function 6C7D68B5: std::bad_exception::bad_exception.LIBCMT ref: 6C7D69B3
                                                  • Part of subcall function 6C7D68B5: __CxxThrowException@8.LIBCMT ref: 6C7D69C1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8OffsetThrowstd::bad_exception::bad_exception
                                                • String ID: - authored action for this item is NoOp$ - no products affected by this item. Not Applicable. $ - not applicable $ of $Determining state$nameless item
                                                • API String ID: 3118957153-195430493
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C782E48: __EH_prolog3.LIBCMT ref: 6C782E4F
                                                • __CxxThrowException@8.LIBCMT ref: 6C7991B1
                                                Strings
                                                • : SuccessBlockers evaluated to true., xrefs: 6C7991E8
                                                • no blocking conditions found, xrefs: 6C799078
                                                • : StopBlockers evaluated to true., xrefs: 6C799209
                                                • Global Block Checks, xrefs: 6C799087, 6C7990B7
                                                • : WarnBlockers evaluated to true., xrefs: 6C79921D
                                                • Checking for global blockers, xrefs: 6C7990A8
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw
                                                • String ID: no blocking conditions found$: StopBlockers evaluated to true.$: SuccessBlockers evaluated to true.$: WarnBlockers evaluated to true.$Checking for global blockers$Global Block Checks
                                                • API String ID: 2489616738-2937627051
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C77B014
                                                  • Part of subcall function 6C7A91AF: CoCreateInstance.OLE32(6C76A974,00000000,00000017,6C76A9A4,?,?,6C77B029,?,0000002C,6C7BD55B,?,?,?,?,00000001), ref: 6C7A91C5
                                                • SysFreeString.OLEAUT32(?), ref: 6C77B044
                                                • __CxxThrowException@8.LIBCMT ref: 6C77B128
                                                • SysFreeString.OLEAUT32(?), ref: 6C77B163
                                                  • Part of subcall function 6C7739AD: __EH_prolog3.LIBCMT ref: 6C7739B4
                                                Strings
                                                • m_spDoc->loadXML() failed. Parse error is: %s, xrefs: 6C77B1CB
                                                • m_spDoc->get_documentElement() failed. Parse error is: %s, xrefs: 6C77B0F6
                                                • CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d, xrefs: 6C77B033
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: FreeH_prolog3String$CreateException@8InstanceThrow
                                                • String ID: CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d$m_spDoc->get_documentElement() failed. Parse error is: %s$m_spDoc->loadXML() failed. Parse error is: %s
                                                • API String ID: 1763430278-2525052916
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C778168: GetFileSize.KERNEL32(?,?,?,?,?,6C7A3B9F,?,?,00000000,?,?,?,?,00000008,6C7AEC79,?), ref: 6C778178
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 6C7B2CA8
                                                • __CxxThrowException@8.LIBCMT ref: 6C7B2CE7
                                                • CopyFileW.KERNEL32(00000010,00000000,00000000,?), ref: 6C7B2D19
                                                • SetFileAttributesW.KERNEL32(?,00000080), ref: 6C7B2D32
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C778329: __EH_prolog3.LIBCMT ref: 6C778330
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: File$H_prolog3$AttributesCopyException@8ExistsPathSizeThrow
                                                • String ID: Copy of Header File failed$DHTML Header File doesn't exist$DHTMLLogger
                                                • API String ID: 1055460099-1824744887
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7A4E77
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C775FCE: __EH_prolog3.LIBCMT ref: 6C775FD5
                                                  • Part of subcall function 6C775FCE: PathIsRelativeW.SHLWAPI(?,?,?,?,?,ParameterInfo.xml,?,?,00000738,6C7AFA6E,?,6C76A794,-00000960), ref: 6C776018
                                                • __CxxThrowException@8.LIBCMT ref: 6C7A4F68
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                  • Part of subcall function 6C77A378: __EH_prolog3.LIBCMT ref: 6C77A37F
                                                • ReadFile.KERNEL32(?,?,00000002,?,00000000,?,80000000,00000001,00000003,00000080,00000000,?,?,?,?,0000002C), ref: 6C7A4F7E
                                                • FindCloseChangeNotification.KERNEL32(?), ref: 6C7A4FA1
                                                  • Part of subcall function 6C778329: __EH_prolog3.LIBCMT ref: 6C778330
                                                  • Part of subcall function 6C77A3BC: __EH_prolog3.LIBCMT ref: 6C77A3C3
                                                Strings
                                                • ParameterInfo.xml, xrefs: 6C7A4FE5
                                                • File %s could not be opened for read, xrefs: 6C7A4F0F
                                                • File %s is not UTF-16 with Byte Order Marks (BOM), xrefs: 6C7A4FCC
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$ChangeCloseDispatcherExceptionException@8FileFindNotificationPathReadRelativeThrowUser
                                                • String ID: File %s could not be opened for read$File %s is not UTF-16 with Byte Order Marks (BOM)$ParameterInfo.xml
                                                • API String ID: 2138378564-652212332
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7854B8
                                                • __CxxThrowException@8.LIBCMT ref: 6C785540
                                                  • Part of subcall function 6C77A378: __EH_prolog3.LIBCMT ref: 6C77A37F
                                                Strings
                                                • \LocalizedData.xml: should have atleast one 'Language' child element!, xrefs: 6C785599
                                                • Schema validation failure in file , xrefs: 6C785575
                                                • Unable to find Language element for LangID="%d" in localized data, xrefs: 6C78551A
                                                • ParameterInfo.xml, xrefs: 6C785565
                                                • W, xrefs: 6C785530
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw
                                                • String ID: ParameterInfo.xml$Schema validation failure in file $Unable to find Language element for LangID="%d" in localized data$W$\LocalizedData.xml: should have atleast one 'Language' child element!
                                                • API String ID: 2489616738-3464115581
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _memset.LIBCMT ref: 6C7B16B8
                                                • GetLastError.KERNEL32 ref: 6C7B1740
                                                  • Part of subcall function 6C777479: __EH_prolog3.LIBCMT ref: 6C777480
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000001,Possible transient lock. WinVerifyTrust), ref: 6C7B1772
                                                • Sleep.KERNEL32(000003E8), ref: 6C7B1782
                                                • CloseHandle.KERNEL32(00000000), ref: 6C7B1791
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseCreateErrorFileH_prolog3HandleLastSleep_memset
                                                • String ID: 0$Possible transient lock. WinVerifyTrust
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 6C7A7F74
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • _memset.LIBCMT ref: 6C7A7FD4
                                                • GetVersionExW.KERNEL32 ref: 6C7A7FED
                                                Strings
                                                Similarity
                                                • API ID: H_prolog3H_prolog3_Version_memset
                                                • String ID: Could not determine OS version$OS Description = %s$OS Version = %d.%d.%d, Platform %d$OS Version Information
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7795C8
                                                • VariantInit.OLEAUT32(?), ref: 6C7795DB
                                                • VariantClear.OLEAUT32(00000008), ref: 6C77962E
                                                • SysFreeString.OLEAUT32(?), ref: 6C77960E
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • SysAllocString.OLEAUT32(00000000), ref: 6C779651
                                                • __CxxThrowException@8.LIBCMT ref: 6C7796F8
                                                Strings
                                                • schema validation error: attribute not found - , xrefs: 6C779676
                                                Similarity
                                                • API ID: H_prolog3StringVariant$AllocClearException@8FreeInitThrow
                                                • String ID: schema validation error: attribute not found -
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C795538
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7AB6DD: _free.LIBCMT ref: 6C7AB70C
                                                • EnumWindows.USER32(6C7957AE,?), ref: 6C795596
                                                  • Part of subcall function 6C795740: _calloc.LIBCMT ref: 6C795761
                                                  • Part of subcall function 6C79565A: __EH_prolog3.LIBCMT ref: 6C795661
                                                  • Part of subcall function 6C7C78C8: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,6C7B139B,?,00000010,6C785A14,?,?,?,0000004C,6C7BB498,?,?,?), ref: 6C7C78D3
                                                Strings
                                                Similarity
                                                • API ID: H_prolog3$EnumExceptionRaiseWindows_calloc_free
                                                • String ID: complete$Action$Blocking Processes$Enumerating incompatible processes$No Blocking Processes
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B3752
                                                  • Part of subcall function 6C775D3F: __EH_prolog3.LIBCMT ref: 6C775D46
                                                  • Part of subcall function 6C775D3F: GetModuleFileNameW.KERNEL32(6C750000,00000010,00000104,?,6C7A831D,00000000), ref: 6C775D93
                                                  • Part of subcall function 6C77C259: __EH_prolog3.LIBCMT ref: 6C77C260
                                                  • Part of subcall function 6C7A8E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6C7B99FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6C7A8E6E
                                                • PathFileExistsW.SHLWAPI(?,SetupResources.dll,00000000,00000738,00000000,6C7AFA6E,0000000C,6C7B3A05,?,6C76A794,?), ref: 6C7B37B7
                                                • PathFileExistsW.SHLWAPI(00000000,LocalizedData.xml,00000000,00000738,00000000), ref: 6C7B3846
                                                  • Part of subcall function 6C7739AD: __EH_prolog3.LIBCMT ref: 6C7739B4
                                                Strings
                                                • LocalizedData.xml, xrefs: 6C7B3835
                                                • SetupResources.dll missing from %d directory, xrefs: 6C7B37BE
                                                • LocalizedData.xml missing from %d directory, xrefs: 6C7B384D
                                                • SetupResources.dll, xrefs: 6C7B37A0
                                                Similarity
                                                • API ID: H_prolog3$FilePath$Exists$AppendModuleName
                                                • String ID: LocalizedData.xml$LocalizedData.xml missing from %d directory$SetupResources.dll$SetupResources.dll missing from %d directory
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B833E
                                                  • Part of subcall function 6C7B9104: lstrcmpA.KERNEL32(00000001,1.2.840.113549.1.9.6), ref: 6C7B9127
                                                • LocalAlloc.KERNEL32(00000040,00000044,0000001C,6C7B6BB8,?,00000000,?,?,?,6C7B3B79,-00000960,6C76A794,00000000,0000003C,6C7B1985,-00000960), ref: 6C7B836A
                                                • lstrcmpA.KERNEL32(1.2.840.113549.1.9.5,?), ref: 6C7B83AA
                                                • LocalFree.KERNEL32(?,0000001C,6C7B6BB8,?,00000000,?,?,?,6C7B3B79,-00000960,6C76A794,00000000,0000003C,6C7B1985,-00000960,6C7AFA6E), ref: 6C7B83C8
                                                • GetLastError.KERNEL32(?,?,6C7B3B79,-00000960,6C76A794,00000000,0000003C,6C7B1985,-00000960,6C7AFA6E,?,00000000,?,-00000960,?,?), ref: 6C7B8422
                                                • LocalFree.KERNEL32(00000000,?,?,6C7B3B79,-00000960,6C76A794,00000000,0000003C,6C7B1985,-00000960,6C7AFA6E,?,00000000,?,-00000960), ref: 6C7B8441
                                                Strings
                                                Similarity
                                                • API ID: Local$Freelstrcmp$AllocErrorH_prolog3Last
                                                • String ID: 1.2.840.113549.1.9.5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B1021
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77C406: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00000001,?,?,?,?,?,6C7B35F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 6C77C426
                                                  • Part of subcall function 6C77C406: RegQueryValueExW.KERNEL32(?,?,00000000,00000000,6C7B0F4A,00000004,?,?,?,6C7B35F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 6C77C43F
                                                  • Part of subcall function 6C77C406: RegCloseKey.KERNEL32(?,?,?,?,6C7B35F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType,?,-00000960,00000004,6C7B0F4A,?), ref: 6C77C44E
                                                • GetLastError.KERNEL32(?,Software\Microsoft\DevDiv,?,?,PerfLab,?,?,0000000C,6C7AA58E,?,6C76A794,?,-00000960,?,00000000,?), ref: 6C7B1092
                                                • GetLastError.KERNEL32(?,00000000,?,Failed to record IsInternal,?,Software\Microsoft\DevDiv,?,?,PerfLab,?,?,0000000C,6C7AA58E,?,6C76A794,?), ref: 6C7B10F0
                                                Strings
                                                Similarity
                                                • API ID: ErrorH_prolog3Last$CloseOpenQueryValue
                                                • String ID: Failed to record IsAdmin$Failed to record IsInternal$PerfLab$Software\Microsoft\DevDiv
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7776B3
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • GetModuleFileNameW.KERNEL32(00000000,00000010,00000104), ref: 6C777711
                                                • GetFileVersionInfoSizeW.KERNELBASE(00000010,?), ref: 6C77772A
                                                • GetFileVersionInfoW.KERNELBASE(00000010,?,00000000,00000000), ref: 6C777745
                                                • VerQueryValueW.VERSION(00000000,6C75496C,?,?), ref: 6C77775D
                                                Strings
                                                Similarity
                                                • API ID: File$H_prolog3InfoVersion$ModuleNameQuerySizeValue
                                                • String ID: %d.%d.%d.%d$0.0.0.0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7A7E7F
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A8380: __EH_prolog3.LIBCMT ref: 6C7A8387
                                                Strings
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: AlwaysUploaded$Disabled$Unknown$User Experience Data Collection Policy$User Experience Data Collection Policy: %s$UserControlled
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7975C9
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • OpenFileMappingW.KERNEL32(00000002,00000000,00000000,?,6C76AB18,00000008,6C7976FE,?,?,00000004,6C7BC454,?,6C7695D4,00000000,00000001,?), ref: 6C7975F2
                                                • GetLastError.KERNEL32(?,?,?,?,00000001), ref: 6C7975FF
                                                  • Part of subcall function 6C77C338: __EH_prolog3.LIBCMT ref: 6C77C33F
                                                  • Part of subcall function 6C7A8CD5: __EH_prolog3.LIBCMT ref: 6C7A8CDC
                                                • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000424,?,?,?,?,00000001), ref: 6C797654
                                                • UnmapViewOfFile.KERNEL32(00000000,?,0000021A,?,?,?,?,00000001), ref: 6C797670
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000001), ref: 6C797679
                                                Strings
                                                • OpenFileMapping fails with last error: , xrefs: 6C79760F
                                                Similarity
                                                • API ID: H_prolog3$File$View$CloseErrorHandleLastMappingOpenUnmap
                                                • String ID: OpenFileMapping fails with last error:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B3B59
                                                  • Part of subcall function 6C7B6B28: GetLastError.KERNEL32(?,?,6C7B3B79,-00000960,6C76A794,00000000,0000003C,6C7B1985,-00000960,6C7AFA6E,?,00000000,?,-00000960,?,?), ref: 6C7B6B50
                                                • CertGetCertificateChain.CRYPT32(00000000,6C7AFA6E,00000000,?,?,00000000,00000000,6C76A794,-00000960,6C76A794,00000000,0000003C,6C7B1985,-00000960,6C7AFA6E,?), ref: 6C7B3BB8
                                                • GetLastError.KERNEL32(?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6C7981F1,?,00000054,6C7C2CE1), ref: 6C7B3BBF
                                                • CertFreeCertificateChain.CRYPT32(6C76A794), ref: 6C7B3BDD
                                                • SetLastError.KERNEL32(00000000,?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6C7981F1,?,00000054), ref: 6C7B3C09
                                                • GetLastError.KERNEL32(?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6C7981F1,?,00000054,6C7C2CE1), ref: 6C7B3C36
                                                • GetLastError.KERNEL32(?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6C7981F1,?,00000054,6C7C2CE1), ref: 6C7B3C3C
                                                • CertFreeCertificateChain.CRYPT32(6C76A794), ref: 6C7B3C7F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Similarity
                                                • API ID: ErrorLast$CertCertificateChain$Free$H_prolog3
                                                • String ID:
                                                • API String ID: 3406622880-0
                                                • Opcode ID: 7e9427a7fc38a4ef58036555153af4ab132434be6b0110e8af131b47b14bbf83
                                                • Instruction ID: f3ae58de132c63dee64d3cf83de2eeac212315919bc11ffbdbffa9ba20ac34ee
                                                • Opcode Fuzzy Hash: 7e9427a7fc38a4ef58036555153af4ab132434be6b0110e8af131b47b14bbf83
                                                • Instruction Fuzzy Hash: 0D415E75640109EFDB04CFA9CA85DDEB7B5FF08314B118939E619EB650DB30EA48CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 6C7BACDF
                                                • GetTokenInformation.KERNELBASE(00000002,00000001(TokenIntegrityLevel),00000000,00000000,00000009,0000000C,6C7A49C0,6C76A5D8,6C76A54C), ref: 6C7BAD06
                                                • GetLastError.KERNEL32 ref: 6C7BAD08
                                                • GetTokenInformation.KERNELBASE(00000002,00000001(TokenIntegrityLevel),00000008,00000400,00000400,80070216), ref: 6C7BAD81
                                                Similarity
                                                • API ID: InformationToken$ErrorH_prolog3_Last
                                                • String ID:
                                                • API String ID: 654496852-0
                                                • Opcode ID: 9455e58f46e9ab1858547cf32502d1b4464ca3799912b3f3c679d89f1b219aae
                                                • Instruction ID: 8df0d52b3a5bd6e607fd2c870e3ae980cf49c3af5aa17da9ed435306b5ce27b0
                                                • Opcode Fuzzy Hash: 9455e58f46e9ab1858547cf32502d1b4464ca3799912b3f3c679d89f1b219aae
                                                • Instruction Fuzzy Hash: 2F3125319405169BCF11AF68CB4AADE77B8AF05B35F214525F900BBA54C730EE45CBE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C775D3F: __EH_prolog3.LIBCMT ref: 6C775D46
                                                  • Part of subcall function 6C775D3F: GetModuleFileNameW.KERNEL32(6C750000,00000010,00000104,?,6C7A831D,00000000), ref: 6C775D93
                                                  • Part of subcall function 6C785B82: __EH_prolog3_GS.LIBCMT ref: 6C785B8C
                                                  • Part of subcall function 6C785B82: _memset.LIBCMT ref: 6C785BBB
                                                  • Part of subcall function 6C785B82: FindFirstFileW.KERNEL32(?,?,????), ref: 6C785BDA
                                                  • Part of subcall function 6C785B82: FindClose.KERNEL32(?), ref: 6C785CC1
                                                • __CxxThrowException@8.LIBCMT ref: 6C785FF0
                                                  • Part of subcall function 6C7C8EAB: _memcpy_s.LIBCMT ref: 6C7C8EFC
                                                  • Part of subcall function 6C7A8E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6C7B99FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6C7A8E6E
                                                • PathFileExistsW.SHLWAPI(?,LocalizedData.xml,?,?,?,342C82DB,ParameterInfo.xml,00000000,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6C785EF1
                                                  • Part of subcall function 6C785CE1: __EH_prolog3.LIBCMT ref: 6C785CE8
                                                  • Part of subcall function 6C785CE1: CoInitialize.OLE32(00000000), ref: 6C785D1A
                                                  • Part of subcall function 6C785CE1: CoCreateInstance.OLE32(6C76A974,00000000,00000017,6C76A9A4,?,?,?,00000014,6C785F14,?,?,?,?,342C82DB,ParameterInfo.xml,00000000), ref: 6C785D38
                                                  • Part of subcall function 6C785CE1: CoUninitialize.OLE32(?,?,00000014,6C785F14,?,?,?,?,342C82DB,ParameterInfo.xml,00000000,?,ParameterInfo.xml,?,00000000,?), ref: 6C785DE8
                                                  • Part of subcall function 6C785CE1: SysFreeString.OLEAUT32(00000738), ref: 6C785DF1
                                                Strings
                                                • LocalizedData.xml, xrefs: 6C785EDF
                                                • ParameterInfo.xml, xrefs: 6C785E45, 6C785FA2
                                                • LocalizedData.xml is missing in resource folder %s. Every resource folder needs a LocalizedData.xml, xrefs: 6C786026
                                                • LocalizedData.xml in resource folder %s, does not have a Language element, xrefs: 6C785F87
                                                Similarity
                                                • API ID: File$FindH_prolog3Path$AppendCloseCreateException@8ExistsFirstFreeH_prolog3_InitializeInstanceModuleNameStringThrowUninitialize_memcpy_s_memset
                                                • String ID: LocalizedData.xml$LocalizedData.xml in resource folder %s, does not have a Language element$LocalizedData.xml is missing in resource folder %s. Every resource folder needs a LocalizedData.xml$ParameterInfo.xml
                                                • API String ID: 2922719316-412676173
                                                • Opcode ID: 8bc11613da68b73924bdaf13a1545eb05075da770ba5a38afe420cc3c7a68bc8
                                                • Instruction ID: 64d4504ae487ff5c78a2e09d5bd81aac5ed6bdace0853fe50ffd00f42b0154cb
                                                • Opcode Fuzzy Hash: 8bc11613da68b73924bdaf13a1545eb05075da770ba5a38afe420cc3c7a68bc8
                                                • Instruction Fuzzy Hash: 80617D725083859FD740DF68DA88A8EBBE8BF85318F440A2DF1A597A51DB30E509CB53
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7BA4B6
                                                • GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,?,?,?,6C7BA210,?,00000000,?,?,6C7A4B23), ref: 6C7BA523
                                                • GetTokenInformation.KERNELBASE(?,00000001,00000000,00000008,00000008,00000008,?,?,6C7BA210,?,00000000,?,?,6C7A4B23), ref: 6C7BA566
                                                • LookupAccountSidW.ADVAPI32(00000000,00000000,00000000,00000008,00000010,00000008,6C7A4614,00000008,00000104,?,?,6C7BA210,?,00000000), ref: 6C7BA59C
                                                  • Part of subcall function 6C7C8AFC: _wcsnlen.LIBCMT ref: 6C7C8B0C
                                                • FindCloseChangeNotification.KERNEL32(?,?,?,6C7BA210,?,00000000,?,?,6C7A4B23), ref: 6C7BA5CF
                                                Similarity
                                                • API ID: InformationToken$AccountChangeCloseFindH_prolog3LookupNotification_wcsnlen
                                                • String ID: #Kzl
                                                • API String ID: 385857651-2128085474
                                                • Opcode ID: 85d793af8c9ad82138709b2b816710fd024e29e721cf210ebdad8a08184760f3
                                                • Instruction ID: 29e897ac4edb9f5db4d6dc8b21a8049d99a9dbbd50c411ee6e306c0de84524b9
                                                • Opcode Fuzzy Hash: 85d793af8c9ad82138709b2b816710fd024e29e721cf210ebdad8a08184760f3
                                                • Instruction Fuzzy Hash: 68616F7190014AAFDF01DFA8CE49AEE7BB5BF04328F144619F920A7790DB74DA15CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7ABA42
                                                  • Part of subcall function 6C7A8CD5: __EH_prolog3.LIBCMT ref: 6C7A8CDC
                                                  • Part of subcall function 6C77391D: __EH_prolog3.LIBCMT ref: 6C773924
                                                  • Part of subcall function 6C7B166E: _memset.LIBCMT ref: 6C7B16B8
                                                  • Part of subcall function 6C7B166E: GetLastError.KERNEL32 ref: 6C7B1740
                                                  • Part of subcall function 6C7B166E: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000001,Possible transient lock. WinVerifyTrust), ref: 6C7B1772
                                                  • Part of subcall function 6C7B166E: Sleep.KERNEL32(000003E8), ref: 6C7B1782
                                                  • Part of subcall function 6C7B17D1: __EH_prolog3.LIBCMT ref: 6C7B17D8
                                                  • Part of subcall function 6C7B17D1: CryptQueryObject.CRYPT32(00000001,00000000,00000400,0000000E,00000000,00000000,00000000,00000000,?,6C7AFA6E,00000000,00000034,6C7ABAB6,?,-00000960), ref: 6C7B1820
                                                  • Part of subcall function 6C7B17D1: GetLastError.KERNEL32(?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6C7981F1,?,00000054,6C7C2CE1), ref: 6C7B182B
                                                  • Part of subcall function 6C7A8C7A: __EH_prolog3.LIBCMT ref: 6C7A8C81
                                                  • Part of subcall function 6C7A8C24: __EH_prolog3.LIBCMT ref: 6C7A8C2B
                                                Strings
                                                • - , xrefs: 6C7ABAE6, 6C7ABB8A
                                                • Signature could not be verified for , xrefs: 6C7ABA4C
                                                • Signature verified successfully for , xrefs: 6C7ABABD
                                                • Verifying signature for , xrefs: 6C7ABA5E
                                                • Signature verification for file %s (%s) failed with error 0x%x (%s), xrefs: 6C7ABB6D
                                                Similarity
                                                • API ID: H_prolog3$ErrorLast$CreateCryptFileObjectQuerySleep_memset
                                                • String ID: - $ Signature could not be verified for $ Signature verified successfully for $Signature verification for file %s (%s) failed with error 0x%x (%s)$Verifying signature for
                                                • API String ID: 482089242-2727503808
                                                • Opcode ID: fdf2c9950fd25090e11774170dc3870cc21c65f320164c8644711d75169c6a80
                                                • Instruction ID: 33bde64b717f8d5ddcb25503532b8363628cddc6464b2a97e43a4af6eac60fd8
                                                • Opcode Fuzzy Hash: fdf2c9950fd25090e11774170dc3870cc21c65f320164c8644711d75169c6a80
                                                • Instruction Fuzzy Hash: DB517372900149EFDB00DBE8CA4CBDE7BB5AF04318F144655E524EB781D734EA498B61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7819B4
                                                  • Part of subcall function 6C778B9F: __EH_prolog3.LIBCMT ref: 6C778BA6
                                                • __CxxThrowException@8.LIBCMT ref: 6C781ADE
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw
                                                • String ID: can only have one logical or arithmietic expression for a child node$+Byl$ParameterInfo.xml$schema validation failure:
                                                • API String ID: 2489616738-441522359
                                                • Opcode ID: c33adb58e57061b0436a6db0fccafce5d26b51d49eddea7ec58c47e1af117e74
                                                • Instruction ID: 223c3942ec2e05e1e03a992f40e3672b55bcbceca4552873c66510023eacf24c
                                                • Opcode Fuzzy Hash: c33adb58e57061b0436a6db0fccafce5d26b51d49eddea7ec58c47e1af117e74
                                                • Instruction Fuzzy Hash: C8412F71901109AFDB10DFA8CA4DBEDBBB8BF05328F148655E524EB780CB31DA09CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B4026
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • GetThreadLocale.KERNEL32(?,DHTMLHeader.html), ref: 6C7B4041
                                                • GetModuleFileNameW.KERNEL32(6C750000,00000010,00000104), ref: 6C7B40B3
                                                • PathFileExistsW.SHLWAPI(?,00000014,00000000), ref: 6C7B4101
                                                Similarity
                                                • API ID: FileH_prolog3$ExistsLocaleModuleNamePathThread
                                                • String ID: %04d\%s$DHTMLHeader.html
                                                • API String ID: 3575165106-1224721414
                                                • Opcode ID: 67ad71365e92ffb1e5f1a55bef9e0a74541c4ebf113f4b31ab47f9f692035712
                                                • Instruction ID: 320598b6529d7d9c8da9ec5efe2ce5365e244618cf9b441f628b82891d490199
                                                • Opcode Fuzzy Hash: 67ad71365e92ffb1e5f1a55bef9e0a74541c4ebf113f4b31ab47f9f692035712
                                                • Instruction Fuzzy Hash: 5B413D71A1010ADFDF00DFA4CA8CAEEBBB5BF05318F044569E525EB751DB349A0ACB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C77548C
                                                • GetModuleHandleW.KERNEL32(kernel32.dll,0000002C,6C777DAF,?,?,?,?,?,00000000,?,?,6C76AB18,00000008,6C777CD9), ref: 6C77549C
                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 6C7754B9
                                                • GetNativeSystemInfo.KERNEL32(?), ref: 6C7754E0
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Similarity
                                                • API ID: H_prolog3$AddressHandleInfoModuleNativeProcSystem
                                                • String ID: GetNativeSystemInfo$kernel32.dll
                                                • API String ID: 2427612476-192647395
                                                • Opcode ID: 185f4f1e6bf2c42399ce89f17ce2dbc8e025c72adafc5dc526ec7683115d9dd5
                                                • Instruction ID: 574b368be17108523d88a71e29d334d2ba0e04d1e4cb710ac6719e9b962c9700
                                                • Opcode Fuzzy Hash: 185f4f1e6bf2c42399ce89f17ce2dbc8e025c72adafc5dc526ec7683115d9dd5
                                                • Instruction Fuzzy Hash: 02F0C231B10209ABDF00EBA1DB0DBCD327AAB4031AF618824F000E6E00DF7896058761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetSecurityDescriptorLength.ADVAPI32(?,6C76A5CC,?), ref: 6C7A3A1F
                                                • _malloc.LIBCMT ref: 6C7A3A29
                                                  • Part of subcall function 6C7CBFB3: __FF_MSGBANNER.LIBCMT ref: 6C7CBFCC
                                                  • Part of subcall function 6C7CBFB3: __NMSG_WRITE.LIBCMT ref: 6C7CBFD3
                                                  • Part of subcall function 6C7CBFB3: RtlAllocateHeap.NTDLL(00000000,00000001,?,6C7A831D,00000000,?,6C7CC0C9,6C7AF845,00000C00,00000020,6C7AF845,?), ref: 6C7CBFF8
                                                • GetSecurityDescriptorControl.ADVAPI32(?,00000002,?), ref: 6C7A3A49
                                                • _free.LIBCMT ref: 6C7A3A5D
                                                • _memcpy_s.LIBCMT ref: 6C7A3A80
                                                • MakeSelfRelativeSD.ADVAPI32(?,?,?), ref: 6C7A3A97
                                                Similarity
                                                • API ID: DescriptorSecurity$AllocateControlHeapLengthMakeRelativeSelf_free_malloc_memcpy_s
                                                • String ID:
                                                • API String ID: 2479111529-0
                                                • Opcode ID: b059cb2370f0cc63314c51506cb0d559287408de0c30aad071e528531225964f
                                                • Instruction ID: 7397aa95f089d0a71600414c4fd70ad3f5a9189e770a5367eeadd961e37c97ee
                                                • Opcode Fuzzy Hash: b059cb2370f0cc63314c51506cb0d559287408de0c30aad071e528531225964f
                                                • Instruction Fuzzy Hash: 3111A576A00215BFDB109FA58A08BAFBBBCFF45715B10412AF519E3A00EB70D505D762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __CxxThrowException@8.LIBCMT ref: 6C7A45A2
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C778329: __EH_prolog3.LIBCMT ref: 6C778330
                                                  • Part of subcall function 6C778129: SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,6C77AA3A,?,00000000,00000000,00000002,?,80000000,00000001,00000003), ref: 6C778149
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8FilePointerThrow
                                                • String ID: .htm$Cannot create file or delete file in Temp directory $Cannot get valid temp folder$|tzl
                                                • API String ID: 1975055723-4110976036
                                                • Opcode ID: 91e6e40715c8314d9adfc3343fe6956a6642643db7272d4ec44a8030d26d2185
                                                • Instruction ID: e52288c1d6af3fbeb24f9ce0b9dd4101ab5b478dcc50e1b127ba766eb12112da
                                                • Opcode Fuzzy Hash: 91e6e40715c8314d9adfc3343fe6956a6642643db7272d4ec44a8030d26d2185
                                                • Instruction Fuzzy Hash: C8A14C711083859FD700DFA9CA49B8ABBE8AF85328F044B1EF4A497B91DB74D5098B53
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_catch.LIBCMT ref: 6C7AF8D8
                                                • GetCommandLineW.KERNEL32(00000044,6C7A8323,00000000), ref: 6C7AF8EA
                                                  • Part of subcall function 6C773E77: __EH_prolog3.LIBCMT ref: 6C773E7E
                                                • __time64.LIBCMT ref: 6C7AFA7B
                                                  • Part of subcall function 6C7A72E4: __EH_prolog3_catch.LIBCMT ref: 6C7A72EB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3_catch$CommandH_prolog3Line__time64
                                                • String ID: %TEMP%\$Setup
                                                • API String ID: 3716462386-3413213476
                                                • Opcode ID: 2b7f5538b8c285476f7745eece829171cff74a56d43330f965d25fe6324aba22
                                                • Instruction ID: b2a297b0d9db77816c29d7b4f5da3d133707b47cb8fdb742942f5e18cb34afe1
                                                • Opcode Fuzzy Hash: 2b7f5538b8c285476f7745eece829171cff74a56d43330f965d25fe6324aba22
                                                • Instruction Fuzzy Hash: 8F713E71900249DFCF10DFE8CA88AEDBBB5BF49318F24425AE511B7790DB349A49CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C793EB9
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: ProcessBlocks$ProductDriveHints$ServiceBlocks$SystemCheck
                                                • API String ID: 431132790-3784926136
                                                • Opcode ID: 99e06a097ef1a79ff2fd88e8e07d5f4318ac84c7c15de0689e696cfbc3d438b4
                                                • Instruction ID: d3b7495f108e3961c7ebaa9a3c717c195261f97ca2f8ee1929b20c94cb3aceab
                                                • Opcode Fuzzy Hash: 99e06a097ef1a79ff2fd88e8e07d5f4318ac84c7c15de0689e696cfbc3d438b4
                                                • Instruction Fuzzy Hash: 07516E71900249EFDF10DFA8DA89AEE7BB9AF09318F144559F824EB781C734DA05CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7A5698
                                                • PathIsRelativeW.SHLWAPI(00000000,?), ref: 6C7A5735
                                                • PathFileExistsW.SHLWAPI(00000001,?), ref: 6C7A57C3
                                                Strings
                                                • pLocalPath is NULL!!!!!!, xrefs: 6C7A585B
                                                • Package authoring error. The Url for this item is not authored and the item does not exist locally: , xrefs: 6C7A57FB
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Path$ExistsFileH_prolog3Relative
                                                • String ID: Package authoring error. The Url for this item is not authored and the item does not exist locally: $pLocalPath is NULL!!!!!!
                                                • API String ID: 1035510722-3253188715
                                                • Opcode ID: 587b0761329d73ecadeeb26916931eaec00ee480f676e8b3362ab4c2068012ae
                                                • Instruction ID: b610960482be003e99e41b0d45bcd184af0611f8bf854520ef41a6a969b8f770
                                                • Opcode Fuzzy Hash: 587b0761329d73ecadeeb26916931eaec00ee480f676e8b3362ab4c2068012ae
                                                • Instruction Fuzzy Hash: E851B471901149EFDB10DFE8CA4C9DE7BB8AF01318F144665E520EBB51C7309A4ACBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • schema validation failure: child element not found - , xrefs: 6C779020
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: String$AllocException@8FreeH_prolog3Throw
                                                • String ID: schema validation failure: child element not found -
                                                • API String ID: 3394977177-3859288074
                                                • Opcode ID: cc356dd14e8d386b52bf35e2cdad3b5bd6c4c14a1157bd5bdaf1c38f2a2f7bb6
                                                • Instruction ID: ed70124f3f84f23b6b4bcfaf81b7cdf86fb5b7111602c51399c2db6d35c12941
                                                • Opcode Fuzzy Hash: cc356dd14e8d386b52bf35e2cdad3b5bd6c4c14a1157bd5bdaf1c38f2a2f7bb6
                                                • Instruction Fuzzy Hash: 89412A7190024AEFCB10DFA8CA889DEBBB9BF09314F6445A9F511E7741DB31DA05CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7B988C: __EH_prolog3.LIBCMT ref: 6C7B9893
                                                  • Part of subcall function 6C7B988C: GetCommandLineW.KERNEL32(0000002C,6C7BD52A,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C7B98B4
                                                  • Part of subcall function 6C7B988C: PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6C7B996E
                                                  • Part of subcall function 6C77A8CC: __EH_prolog3.LIBCMT ref: 6C77A8D3
                                                  • Part of subcall function 6C77A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A90B
                                                  • Part of subcall function 6C77A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A964
                                                  • Part of subcall function 6C77A8CC: __CxxThrowException@8.LIBCMT ref: 6C77AA28
                                                  • Part of subcall function 6C7857E5: __EH_prolog3.LIBCMT ref: 6C7857EC
                                                  • Part of subcall function 6C7C8EAB: _memcpy_s.LIBCMT ref: 6C7C8EFC
                                                  • Part of subcall function 6C77A8CC: SetFilePointer.KERNEL32(?,00000000,6C76A794,00000001,?,00000000,00000000,00000002,?,80000000,00000001,00000003,00000080,00000000,00000000,?), ref: 6C77AA49
                                                  • Part of subcall function 6C77A8CC: ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77AA97
                                                  • Part of subcall function 6C77A8CC: SysAllocStringLen.OLEAUT32(00000000,?), ref: 6C77AAAC
                                                • SysFreeString.OLEAUT32(?), ref: 6C78578A
                                                • SysFreeString.OLEAUT32(?), ref: 6C785799
                                                • SysFreeString.OLEAUT32(?), ref: 6C7857C7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3String$FileFree$PathRelative$AllocCommandException@8LineModuleNamePointerReadThrow_memcpy_s
                                                • String ID: ParameterInfo.xml$UiInfo.xml
                                                • API String ID: 3873923459-386449131
                                                • Opcode ID: 6ac5d2ceba1073b1f15966620f33c69b9a2cd129ce69047bb02d890434eda498
                                                • Instruction ID: 18d5c4d60ba55f913760eba2ede751259410de9f122868d175b4196689b3e3b4
                                                • Opcode Fuzzy Hash: 6ac5d2ceba1073b1f15966620f33c69b9a2cd129ce69047bb02d890434eda498
                                                • Instruction Fuzzy Hash: 5D3172B2508345AFDB10DF68CA48A8BBBE8EF95728F440E1DF49497750D735D9088BA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C785044: __EH_prolog3.LIBCMT ref: 6C78504B
                                                  • Part of subcall function 6C7739AD: __EH_prolog3.LIBCMT ref: 6C7739B4
                                                  • Part of subcall function 6C77A8CC: __EH_prolog3.LIBCMT ref: 6C77A8D3
                                                  • Part of subcall function 6C77A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A90B
                                                  • Part of subcall function 6C77A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A964
                                                  • Part of subcall function 6C77A8CC: __CxxThrowException@8.LIBCMT ref: 6C77AA28
                                                • GetCommandLineW.KERNEL32(?,?,?,?,342C82DB,?,?,?,?,ParameterInfo.xml,?,?,00000738,6C7AFA6E,?,6C76A794), ref: 6C7B97B2
                                                  • Part of subcall function 6C773E77: __EH_prolog3.LIBCMT ref: 6C773E7E
                                                • SysFreeString.OLEAUT32(?), ref: 6C7B985E
                                                  • Part of subcall function 6C784798: __EH_prolog3.LIBCMT ref: 6C78479F
                                                  • Part of subcall function 6C7850D5: __EH_prolog3_catch.LIBCMT ref: 6C7850DC
                                                  • Part of subcall function 6C7850D5: CoInitialize.OLE32(00000000), ref: 6C78512A
                                                  • Part of subcall function 6C7850D5: CoCreateInstance.OLE32(6C76A974,00000000,00000017,6C76A9A4,00000738,?,?,?,00000000,?,?,?,342C82DB,?,?,?), ref: 6C785148
                                                  • Part of subcall function 6C7850D5: CoUninitialize.OLE32(-00000960,?,succeeded,?,?,?,00000000,?,?,?,342C82DB,?,?,?), ref: 6C7851E6
                                                • SysFreeString.OLEAUT32(?), ref: 6C7B9818
                                                • SysFreeString.OLEAUT32(?), ref: 6C7B9833
                                                Strings
                                                • Loading localized engine data for language %d from %s, xrefs: 6C7B977B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$FreeString$CommandCreateException@8FileH_prolog3_catchInitializeInstanceLineModuleNamePathRelativeThrowUninitialize
                                                • String ID: Loading localized engine data for language %d from %s
                                                • API String ID: 509998568-3315213612
                                                • Opcode ID: 77680aaf8c56fb0b55799a93fec9d45bc6d9cf7249b70aa5799d5a8ae706d592
                                                • Instruction ID: 3063ee781480c5811e422475541882925a073316b8c58070ad6b9d9ad48da186
                                                • Opcode Fuzzy Hash: 77680aaf8c56fb0b55799a93fec9d45bc6d9cf7249b70aa5799d5a8ae706d592
                                                • Instruction Fuzzy Hash: 48413172108345AFD711DF64CD49B9BBBECAF95328F000A2DF5A592691DB34D508CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • Launching Download operation. Install operation will follow after download is complete., xrefs: 6C795E3B
                                                • Item(s) availability state is "Error". Exiting setup., xrefs: 6C795DD7
                                                • Launching Download and Install operations simultaneously., xrefs: 6C795E4F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: CountTick
                                                • String ID: Item(s) availability state is "Error". Exiting setup.$Launching Download and Install operations simultaneously.$Launching Download operation. Install operation will follow after download is complete.
                                                • API String ID: 536389180-143185584
                                                • Opcode ID: 936fe99b29aaa107b60e5f858c90b8a460d10f57a3d2f1b3f73b6edefdf89a46
                                                • Instruction ID: cb356f39b3dcbdee5ee1b68dca72e4cfd3f297b4b16ee22fea962ddf2bca38a9
                                                • Opcode Fuzzy Hash: 936fe99b29aaa107b60e5f858c90b8a460d10f57a3d2f1b3f73b6edefdf89a46
                                                • Instruction Fuzzy Hash: A8316F352087109FC714DF28E58CE1ABBB5BF49706B044A9CF9968BB61CB31E905CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7AB827
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7B1602: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?,6C7AFA6E,?,?,?,?,?,?,6C7B34F1,6C7AFA6E,000000FF), ref: 6C7B1637
                                                  • Part of subcall function 6C7B1602: GetLastError.KERNEL32(?,6C7AFA6E,?,?,?,?,?,?,6C7B34F1,6C7AFA6E,000000FF,?,?,00000738,6C7AFA6E,?), ref: 6C7B1647
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$DiskErrorFreeLastSpace
                                                • String ID: complete$Action$Disk space check for items being downloaded$Drive:[%s] Bytes Needed:[%I64u] Bytes Available:[%I64u]
                                                • API String ID: 2933164920-3673225344
                                                • Opcode ID: 3faaadf8c9a7fc3473ac3fa38c5687140f940cf4e5a5240c598fc679f2f43d75
                                                • Instruction ID: b69a3f88119479c3cd45820d9bb4e9de96a361b1a9220ebc0dd564e96175595b
                                                • Opcode Fuzzy Hash: 3faaadf8c9a7fc3473ac3fa38c5687140f940cf4e5a5240c598fc679f2f43d75
                                                • Instruction Fuzzy Hash: 60216D71900249AFCF00DFA8CA4DBDEBBB9BF05318F144555E464A7751C7349A15CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C781C35
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7819AD: __EH_prolog3.LIBCMT ref: 6C7819B4
                                                  • Part of subcall function 6C7819AD: __CxxThrowException@8.LIBCMT ref: 6C781ADE
                                                  • Part of subcall function 6C778AAC: __EH_prolog3.LIBCMT ref: 6C778AB3
                                                  • Part of subcall function 6C778AAC: __CxxThrowException@8.LIBCMT ref: 6C778B39
                                                  • Part of subcall function 6C7792D1: __EH_prolog3.LIBCMT ref: 6C7792D8
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                  • Part of subcall function 6C77A378: __EH_prolog3.LIBCMT ref: 6C77A37F
                                                • __CxxThrowException@8.LIBCMT ref: 6C781D02
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw$DispatcherExceptionUser
                                                • String ID: IsPresent$ParameterInfo.xml$schema validation failure: IsPresent can only be authored once.
                                                • API String ID: 2724732616-4158871691
                                                • Opcode ID: 77622f786b1d071c85e1d9d988ba543aa16a1a4e466d5f20fd34c35f265fb1df
                                                • Instruction ID: 42f806745ea3ee989317e6833a9930a7971472a35f5ec3d804142e95a1fad9f5
                                                • Opcode Fuzzy Hash: 77622f786b1d071c85e1d9d988ba543aa16a1a4e466d5f20fd34c35f265fb1df
                                                • Instruction Fuzzy Hash: D1213E72911149ABCF10DBE8CA4DADD7BB8AF15328F148555F164ABB80CB31DB098772
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 6C7B365F
                                                • GetLastError.KERNEL32 ref: 6C7B3669
                                                  • Part of subcall function 6C777479: __EH_prolog3.LIBCMT ref: 6C777480
                                                • GetLastError.KERNEL32 ref: 6C7B368B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$CheckH_prolog3MembershipToken
                                                • String ID: AllocateAndInitializeSid$CheckTokenMembership
                                                • API String ID: 3752544998-2579124284
                                                • Opcode ID: 7575f912d1cd50ac68a555623d98f76195a571f800b42d1dc646d005bb51dd85
                                                • Instruction ID: 0bc2b7cff8da366cb73541069fb3bb1bda653903519b288e3de60f7c0136813b
                                                • Opcode Fuzzy Hash: 7575f912d1cd50ac68a555623d98f76195a571f800b42d1dc646d005bb51dd85
                                                • Instruction Fuzzy Hash: E4118E74B0020AAFCF04DFA5CA99C6EB7B5FF48314B11482DE456A3741DB70AA008B60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7858FC
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77A8CC: __EH_prolog3.LIBCMT ref: 6C77A8D3
                                                  • Part of subcall function 6C77A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A90B
                                                  • Part of subcall function 6C77A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A964
                                                  • Part of subcall function 6C77A8CC: __CxxThrowException@8.LIBCMT ref: 6C77AA28
                                                • StrPBrkW.SHLWAPI(00000000,) <>",#(loc.,?,6C7AFA6E,6C7AFA6E,00000718,-00000960,?,00000000,00000010,6C786171,00000000,00000748,?,ParameterInfo.xml), ref: 6C785972
                                                • SysFreeString.OLEAUT32(6C7AFA6E), ref: 6C7859A3
                                                  • Part of subcall function 6C7C8C9E: _memcpy_s.LIBCMT ref: 6C7C8CE4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8FileFreeModuleNamePathRelativeStringThrow_memcpy_s
                                                • String ID: #(loc.$) <>"
                                                • API String ID: 3035459583-3905424865
                                                • Opcode ID: b8a2d28648c45874be26f18ae289f58f40b2bc940d7b0b13abd4c95fdf62aa89
                                                • Instruction ID: 11b0b7e8a6af2c2c994aa780cfdb22169e4058a6ba05dd318090c77c6fcd2874
                                                • Opcode Fuzzy Hash: b8a2d28648c45874be26f18ae289f58f40b2bc940d7b0b13abd4c95fdf62aa89
                                                • Instruction Fuzzy Hash: AB117F71D0111A9FDF00DBE4CE0C9EEBB79BF00368B450A25E521A7B90DB34DD198BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7A5874
                                                • OpenMutexW.KERNEL32(00100000,00000000,00000030,?,Global\,00000000,6C7BBDA7,?,00000000,?,?,?,?,?,Command-line option error: ,?), ref: 6C7A58FB
                                                • CreateMutexW.KERNEL32(00000000,00000000,00000030), ref: 6C7A590B
                                                • GetLastError.KERNEL32 ref: 6C7A5913
                                                  • Part of subcall function 6C7A8CD5: __EH_prolog3.LIBCMT ref: 6C7A8CDC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3Mutex$CreateErrorLastOpen
                                                • String ID: Global\
                                                • API String ID: 2685780869-188423391
                                                • Opcode ID: da114cdcb9d735f2aea77e1f8cbab3366b9b79a6453521ea19845d9ceb0cf3be
                                                • Instruction ID: 9484a8e57c2c0bbdd32e0c3984e9cb0287ee56447c3f5537abc577fa6079f30b
                                                • Opcode Fuzzy Hash: da114cdcb9d735f2aea77e1f8cbab3366b9b79a6453521ea19845d9ceb0cf3be
                                                • Instruction Fuzzy Hash: 3C21CD71601244EFDB01DF64C68CB8A3BF1AF45328F2085A9E864CF741CB74D945CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C794A46
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: evaluates to 'in maintenance mode'$ evaluates to 'not in maintenance mode'$MaintenanceMode determination$evaluating EnterMaintenanceModeIf
                                                • API String ID: 431132790-4185790000
                                                • Opcode ID: e3eaaa5b79a70cadcdc5fe1964a42bd71ca3e86fbb78748275934b1dbf2eb2fe
                                                • Instruction ID: 545efcdfb73cdf8c5706696d2bcd35858139a4c0321d83e25ac95eb69a580df5
                                                • Opcode Fuzzy Hash: e3eaaa5b79a70cadcdc5fe1964a42bd71ca3e86fbb78748275934b1dbf2eb2fe
                                                • Instruction Fuzzy Hash: 43117071900149AFDF00DBA4CA4CBEDBBB8AF05308F148456E550ABB41C7719B49CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • EnterCriticalSection.KERNEL32(?,342C82DB), ref: 6C7BFF9B
                                                • LeaveCriticalSection.KERNEL32(?), ref: 6C7C0900
                                                  • Part of subcall function 6C774CB2: __EH_prolog3.LIBCMT ref: 6C774CB9
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A8CD5: __EH_prolog3.LIBCMT ref: 6C7A8CDC
                                                  • Part of subcall function 6C77391D: __EH_prolog3.LIBCMT ref: 6C773924
                                                  • Part of subcall function 6C7CC0AA: _malloc.LIBCMT ref: 6C7CC0C4
                                                  • Part of subcall function 6C7924CD: __EH_prolog3.LIBCMT ref: 6C7924D4
                                                  • Part of subcall function 6C7924CD: __CxxThrowException@8.LIBCMT ref: 6C79255B
                                                  • Part of subcall function 6C7C2306: __EH_prolog3.LIBCMT ref: 6C7C230D
                                                  • Part of subcall function 6C7C4C0C: __EH_prolog3.LIBCMT ref: 6C7C4C13
                                                  • Part of subcall function 6C7ABC09: __EH_prolog3.LIBCMT ref: 6C7ABC10
                                                  • Part of subcall function 6C7C4EE6: __EH_prolog3.LIBCMT ref: 6C7C4EED
                                                  • Part of subcall function 6C7C4EE6: __recalloc.LIBCMT ref: 6C7C4EFB
                                                  • Part of subcall function 6C7C4EE6: __recalloc.LIBCMT ref: 6C7C4F17
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$CriticalSection__recalloc$EnterException@8LeaveThrow_malloc
                                                • String ID: determination is complete$Applicability for $evaluating each item
                                                • API String ID: 283897231-3228949585
                                                • Opcode ID: 47db67fbda29425f08e00ff3496a7d7816463a28ae7ba72335b61545b440e9c3
                                                • Instruction ID: 7388f069857e4b94a35e09ed4d08ee37ec50007aa31e3af5c1bccea04f66783b
                                                • Opcode Fuzzy Hash: 47db67fbda29425f08e00ff3496a7d7816463a28ae7ba72335b61545b440e9c3
                                                • Instruction Fuzzy Hash: B0521AB16083829FC721CF64C688A9BBBE4BF88318F05492DF59597751D730E949CBA3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 6C7A488A
                                                  • Part of subcall function 6C7A31D3: __EH_prolog3_catch.LIBCMT ref: 6C7A31DA
                                                  • Part of subcall function 6C7A31D3: _free.LIBCMT ref: 6C7A3269
                                                • GetCurrentThread.KERNEL32 ref: 6C7A495F
                                                • OpenThreadToken.ADVAPI32(00000000,00000008,00000001,?), ref: 6C7A4971
                                                • GetCurrentProcess.KERNEL32 ref: 6C7A497B
                                                • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 6C7A498B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: CurrentOpenProcessThreadToken$H_prolog3_H_prolog3_catch_free
                                                • String ID:
                                                • API String ID: 4058884840-0
                                                • Opcode ID: 361bcf37e592caa7c1de0e09bceec6e087f383f7c585fe6528435f83cd64e38a
                                                • Instruction ID: e9f4791b30473d5b7b919298b77c007ff55673a289ca46997ca6653a07217513
                                                • Opcode Fuzzy Hash: 361bcf37e592caa7c1de0e09bceec6e087f383f7c585fe6528435f83cd64e38a
                                                • Instruction Fuzzy Hash: CD514B719002698BCB24CFA5CA89BDDB7B4BF14304F5045E9D50AB7640DB30AF89DF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7957CE
                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 6C7957E0
                                                • GetCurrentProcessId.KERNEL32 ref: 6C7957E6
                                                • GetWindowTextW.USER32(?,00000010,?), ref: 6C795865
                                                • IsWindowVisible.USER32(?), ref: 6C79588C
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Window$Process$CurrentH_prolog3TextThreadVisible
                                                • String ID:
                                                • API String ID: 1711305133-0
                                                • Opcode ID: ee317d2049e360978672fe40fc13e871f068a90dec2bdee3ba6fd0ca79c39429
                                                • Instruction ID: 1b970a403c5eb0538ee725ba97cfd33122024d1286bcd28afbb863948d3492cc
                                                • Opcode Fuzzy Hash: ee317d2049e360978672fe40fc13e871f068a90dec2bdee3ba6fd0ca79c39429
                                                • Instruction Fuzzy Hash: AF51923190012ADFDF00DFA4EA8C9DDBB74FF0435AF158665E924AB610D730DA49CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B9BC3
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77A8CC: __EH_prolog3.LIBCMT ref: 6C77A8D3
                                                  • Part of subcall function 6C77A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A90B
                                                  • Part of subcall function 6C77A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C77A964
                                                  • Part of subcall function 6C77A8CC: __CxxThrowException@8.LIBCMT ref: 6C77AA28
                                                • GetCommandLineW.KERNEL32(?,?,6C76A794,?,?,00000164,6C794730,-00000960,6C76A794,?,?,?,6C7BB57F,?,00000000,?), ref: 6C7B9BEF
                                                  • Part of subcall function 6C773E77: __EH_prolog3.LIBCMT ref: 6C773E7E
                                                • SysFreeString.OLEAUT32(?), ref: 6C7B9C42
                                                • SysFreeString.OLEAUT32(6C7AFA6E), ref: 6C7B9CCC
                                                • SysFreeString.OLEAUT32(?), ref: 6C7B9CF3
                                                  • Part of subcall function 6C79473C: __EH_prolog3_catch.LIBCMT ref: 6C794746
                                                  • Part of subcall function 6C79473C: CoInitialize.OLE32(00000000), ref: 6C7947F7
                                                  • Part of subcall function 6C79473C: CoCreateInstance.OLE32(6C76A974,00000000,00000017,6C76A9A4,?,?,?,?,?,6C773864,?,00000000,00000000,6C7AFA6E,00000738,IronMan::EngineData::CreateEngineData), ref: 6C794815
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$FreeString$CommandCreateException@8FileH_prolog3_catchInitializeInstanceLineModuleNamePathRelativeThrow
                                                • String ID:
                                                • API String ID: 3727545618-0
                                                • Opcode ID: 3809ea26fb4f03abd4562ee885d176044955adcd7c363da6e0d475bc0d52e919
                                                • Instruction ID: 2959b8a1581affd1203d85be8f42f65232e39a83dcd996c77c13628731946936
                                                • Opcode Fuzzy Hash: 3809ea26fb4f03abd4562ee885d176044955adcd7c363da6e0d475bc0d52e919
                                                • Instruction Fuzzy Hash: 0541257290024DEFCF01EFA4CE4CAEEBBB8AF05318F104155E520A7690DB34AA199B61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 52%
                                                			E6C3C3D03(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                				signed int _v8;
                                                				void _v86;
                                                				char _v88;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t21;
                                                				intOrPtr _t25;
                                                				long _t30;
                                                				intOrPtr _t31;
                                                				int _t35;
                                                				void* _t37;
                                                				intOrPtr _t40;
                                                				long _t41;
                                                				signed int _t43;
                                                
                                                				_t40 = __edx;
                                                				_t37 = __ecx;
                                                				_t21 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t21 ^ _t43;
                                                				_t42 = _a4;
                                                				_t35 = 0;
                                                				_v88 = 0;
                                                				memset( &_v86, 0, 0x4c);
                                                				if(_a4 == 0) {
                                                					_t25 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t25 != 0x6c3e0088 && ( *(_t25 + 0x1c) & 0x00000001) != 0) {
                                                						_t11 = _t25 + 0x14; // 0x0
                                                						_t12 = _t25 + 0x10; // 0x1
                                                						E6C3D5F11( *_t12,  *_t11, 0x69, 0x6c3d5a6c);
                                                					}
                                                					_t41 = 0x57;
                                                					L4:
                                                					SetLastError(_t41);
                                                					return E6C3C171F(_t35, _t35, _v8 ^ _t43, _t40, _t41, _t42);
                                                				}
                                                				_t30 = E6C3C182C(_t37, _t42, 0x80000001, L"Software\\Microsoft\\SQMClient", L"UserId",  &_v88, 0x27); // executed
                                                				_t41 = _t30;
                                                				if(_t41 != 0) {
                                                					_t31 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t31 != 0x6c3e0088 && ( *(_t31 + 0x1c) & 0x00000001) != 0) {
                                                						_push(_t41);
                                                						_push(0x6c3d5a6c);
                                                						_push(0x6a);
                                                						L15:
                                                						_t19 = _t31 + 0x14; // 0x0
                                                						_push( *_t19);
                                                						_t20 = _t31 + 0x10; // 0x1
                                                						_push( *_t20);
                                                						E6C3D99F8();
                                                					}
                                                					goto L4;
                                                				}
                                                				_t41 = E6C3C2E9E(0,  &_v88, _t42);
                                                				if(_t41 != 0) {
                                                					_t31 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t31 == 0x6c3e0088 || ( *(_t31 + 0x1c) & 0x00000001) == 0) {
                                                						goto L4;
                                                					} else {
                                                						_push(_t41);
                                                						_push(0x6c3d5a6c);
                                                						_push(0x6b);
                                                						goto L15;
                                                					}
                                                				}
                                                				_t35 = 1;
                                                				goto L4;
                                                			}



















                                                APIs
                                                • memset.MSVCRT ref: 6C3C3D28
                                                  • Part of subcall function 6C3C182C: RegOpenKeyExW.KERNEL32(?,?,00000000,-00020018,6C3C2E5E,?,?,00000000,?,?,?,6C3C2E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6C3C1897
                                                  • Part of subcall function 6C3C182C: RegQueryValueExW.KERNEL32(6C3C2E5E,?,00000000,00000027,80000002,?,?,00000000,?,?,?,6C3C2E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6C3C18B3
                                                  • Part of subcall function 6C3C182C: RegCloseKey.KERNEL32(6C3C2E5E,?,00000000,?,?,?,6C3C2E5E,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 6C3C18D1
                                                • SetLastError.KERNEL32(00000000,80000001,Software\Microsoft\SQMClient,UserId,?,00000027), ref: 6C3C3D74
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseErrorLastOpenQueryValuememset
                                                • String ID: Fm*$Software\Microsoft\SQMClient$UserId
                                                • API String ID: 895213837-2710965330
                                                • Opcode ID: cc00369c96ef815fa16952f063b2e51c586ae45295a4e6d420f577d584cb20fc
                                                • Instruction ID: e4bf735a38364ca12dd1720f23250dd82b9aedd468a283472f4ca7784551620c
                                                • Opcode Fuzzy Hash: cc00369c96ef815fa16952f063b2e51c586ae45295a4e6d420f577d584cb20fc
                                                • Instruction Fuzzy Hash: 19210876700344AFD780EEA4CCC9FDE7769AB46348F110065E501AB951CB76DD489F93
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 52%
                                                			E6C3C2E0F(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                				signed int _v8;
                                                				void _v86;
                                                				char _v88;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t21;
                                                				intOrPtr _t25;
                                                				long _t30;
                                                				intOrPtr _t31;
                                                				int _t35;
                                                				void* _t37;
                                                				intOrPtr _t40;
                                                				long _t41;
                                                				signed int _t43;
                                                
                                                				_t40 = __edx;
                                                				_t37 = __ecx;
                                                				_t21 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t21 ^ _t43;
                                                				_t42 = _a4;
                                                				_t35 = 0;
                                                				_v88 = 0;
                                                				memset( &_v86, 0, 0x4c);
                                                				if(_a4 == 0) {
                                                					_t25 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t25 != 0x6c3e0088 && ( *(_t25 + 0x1c) & 0x00000001) != 0) {
                                                						_t11 = _t25 + 0x14; // 0x0
                                                						_t12 = _t25 + 0x10; // 0x1
                                                						E6C3D5F11( *_t12,  *_t11, 0x66, 0x6c3d5a6c);
                                                					}
                                                					_t41 = 0x57;
                                                					L4:
                                                					SetLastError(_t41);
                                                					return E6C3C171F(_t35, _t35, _v8 ^ _t43, _t40, _t41, _t42);
                                                				}
                                                				_t30 = E6C3C182C(_t37, _t42, 0x80000002, L"Software\\Microsoft\\SQMClient", L"MachineId",  &_v88, 0x27); // executed
                                                				_t41 = _t30;
                                                				if(_t41 != 0) {
                                                					_t31 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t31 != 0x6c3e0088 && ( *(_t31 + 0x1c) & 0x00000001) != 0) {
                                                						_push(_t41);
                                                						_push(0x6c3d5a6c);
                                                						_push(0x67);
                                                						L15:
                                                						_t19 = _t31 + 0x14; // 0x0
                                                						_push( *_t19);
                                                						_t20 = _t31 + 0x10; // 0x1
                                                						_push( *_t20);
                                                						E6C3D99F8();
                                                					}
                                                					goto L4;
                                                				}
                                                				_t41 = E6C3C2E9E(0,  &_v88, _t42);
                                                				if(_t41 != 0) {
                                                					_t31 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t31 == 0x6c3e0088 || ( *(_t31 + 0x1c) & 0x00000001) == 0) {
                                                						goto L4;
                                                					} else {
                                                						_push(_t41);
                                                						_push(0x6c3d5a6c);
                                                						_push(0x68);
                                                						goto L15;
                                                					}
                                                				}
                                                				_t35 = 1;
                                                				goto L4;
                                                			}



















                                                APIs
                                                • memset.MSVCRT ref: 6C3C2E34
                                                  • Part of subcall function 6C3C182C: RegOpenKeyExW.KERNEL32(?,?,00000000,-00020018,6C3C2E5E,?,?,00000000,?,?,?,6C3C2E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6C3C1897
                                                  • Part of subcall function 6C3C182C: RegQueryValueExW.KERNEL32(6C3C2E5E,?,00000000,00000027,80000002,?,?,00000000,?,?,?,6C3C2E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6C3C18B3
                                                  • Part of subcall function 6C3C182C: RegCloseKey.KERNEL32(6C3C2E5E,?,00000000,?,?,?,6C3C2E5E,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 6C3C18D1
                                                • SetLastError.KERNEL32(00000000,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 6C3C2E80
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseErrorLastOpenQueryValuememset
                                                • String ID: Fm*$MachineId$Software\Microsoft\SQMClient
                                                • API String ID: 895213837-452112526
                                                • Opcode ID: 190f141701f38ada40bf0c6692764011ec1c92e105e6f6dd9ba8fa99f596f9a2
                                                • Instruction ID: 7d547af24def0285665d064d6967577fec27895268e57314a5ca697d0b836043
                                                • Opcode Fuzzy Hash: 190f141701f38ada40bf0c6692764011ec1c92e105e6f6dd9ba8fa99f596f9a2
                                                • Instruction Fuzzy Hash: 3A212472300344AAD740EEA48CC5FDE3769EB45B48F110069EA05AB991CB67DD48DF63
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • lstrcmpA.KERNEL32(00000001,1.2.840.113549.1.9.6), ref: 6C7B9127
                                                • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,6C7B8360,0000001C,6C7B6BB8,?,00000000,?,?,?,6C7B3B79,-00000960,6C76A794), ref: 6C7B917E
                                                • LocalFree.KERNEL32(?,?,?,?,6C7B8360,0000001C,6C7B6BB8,?,00000000,?,?,?,6C7B3B79,-00000960,6C76A794,00000000), ref: 6C7B91C1
                                                • GetLastError.KERNEL32(?,?,?,6C7B8360,0000001C,6C7B6BB8,?,00000000,?,?,?,6C7B3B79,-00000960,6C76A794,00000000,0000003C), ref: 6C7B91C7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Local$AllocErrorFreeLastlstrcmp
                                                • String ID: 1.2.840.113549.1.9.6
                                                • API String ID: 1399977297-2921522063
                                                • Opcode ID: ebc8b6c103f506bf65731b7fa91a76a128dece462c17f2707c1674d9ea614a47
                                                • Instruction ID: 79bdb05f8ff1a542b56b616ede6222f861a8b69dd319eecf882cb950eda54041
                                                • Opcode Fuzzy Hash: ebc8b6c103f506bf65731b7fa91a76a128dece462c17f2707c1674d9ea614a47
                                                • Instruction Fuzzy Hash: E221BF31640109EFDB108F65CD89F96BBB5FF24744F1180A8F929AF565E670E940DB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,74AD3130), ref: 6C795F12
                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,74AD3130), ref: 6C795F1C
                                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000001,000000FF,?,74AD3130), ref: 6C795F5B
                                                • CloseHandle.KERNEL32(?,?,74AD3130), ref: 6C795F6A
                                                • CloseHandle.KERNEL32(?,?,74AD3130), ref: 6C795F6F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseCreateEventHandle$MultipleObjectsWait
                                                • String ID:
                                                • API String ID: 3314610268-0
                                                • Opcode ID: c7aaef6e3137cf6ebe43da8121f8d21993f5e1b8f4c7dacd37fc778e3145c5c1
                                                • Instruction ID: ea1deea5d53b4d96b6a3b458ffaa1762f0c88c87b46ef5f83066a907519db3c6
                                                • Opcode Fuzzy Hash: c7aaef6e3137cf6ebe43da8121f8d21993f5e1b8f4c7dacd37fc778e3145c5c1
                                                • Instruction Fuzzy Hash: 6E215075E00219AFDF04CFA9D8C49EEBBBAEF49315F10816AF515A7240D7709D40CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _malloc.LIBCMT ref: 6C7D0F72
                                                  • Part of subcall function 6C7CBFB3: __FF_MSGBANNER.LIBCMT ref: 6C7CBFCC
                                                  • Part of subcall function 6C7CBFB3: __NMSG_WRITE.LIBCMT ref: 6C7CBFD3
                                                  • Part of subcall function 6C7CBFB3: RtlAllocateHeap.NTDLL(00000000,00000001,?,6C7A831D,00000000,?,6C7CC0C9,6C7AF845,00000C00,00000020,6C7AF845,?), ref: 6C7CBFF8
                                                • _free.LIBCMT ref: 6C7D0F85
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: AllocateHeap_free_malloc
                                                • String ID:
                                                • API String ID: 1020059152-0
                                                • Opcode ID: 6116756d37cc4a379ca5903bb74e077a2ea887a0438a0cc9770fff3526afd79f
                                                • Instruction ID: 8ee2a79d71dbd9a92cac917dab2fc54964d81467ef5d1ff36dcadecd44d58ddd
                                                • Opcode Fuzzy Hash: 6116756d37cc4a379ca5903bb74e077a2ea887a0438a0cc9770fff3526afd79f
                                                • Instruction Fuzzy Hash: 04110832608292EFCB111A75AB0C68A3BA49F41374F365535F8489AA40DF34F84486A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C775350
                                                  • Part of subcall function 6C774D35: __EH_prolog3.LIBCMT ref: 6C774D3C
                                                • OutputDebugStringW.KERNEL32(?,?,?,00000008,6C7A63AF,000013EC,?,00000000,?,?,ReportingFlags,?,-0000000D,?,?,6C754A4C), ref: 6C775371
                                                  • Part of subcall function 6C7C8B3A: SysFreeString.OLEAUT32(00000000), ref: 6C7C8B47
                                                  • Part of subcall function 6C7C8B3A: SysAllocString.OLEAUT32(00000000), ref: 6C7C8B56
                                                • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,000013EC,00000000,00000000,?,?,00000008,6C7A63AF,000013EC,?,00000000,?,?), ref: 6C775398
                                                • OutputDebugStringW.KERNEL32(000013EC,?,-0000000D,?,?,6C754A4C,?,?,00000000,?,?,FilesToKeep,?,?,?,00000000), ref: 6C7753A5
                                                • LocalFree.KERNEL32(000013EC,000013EC,?,-0000000D,?,?,6C754A4C,?,?,00000000,?,?,FilesToKeep,?,?,?), ref: 6C7753B6
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: String$DebugFreeH_prolog3Output$AllocFormatLocalMessage
                                                • String ID:
                                                • API String ID: 3239379132-0
                                                • Opcode ID: 3863257124078e7f48d105a445c7b47cfd9f23120c2dbc2b5e97744af3434884
                                                • Instruction ID: 6bd4cb3ad3c1a7263a88d31d7505b19ce778414d32273920cc37698b70a09c61
                                                • Opcode Fuzzy Hash: 3863257124078e7f48d105a445c7b47cfd9f23120c2dbc2b5e97744af3434884
                                                • Instruction Fuzzy Hash: 1E011671A1010EEFDF11AFA0CE099FE7A79BF0534AB104539B520A6AA0DB719914DB25
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C782E4F
                                                  • Part of subcall function 6C7A9653: _free.LIBCMT ref: 6C7A9698
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3_free
                                                • String ID: evaluated to false$ evaluated to true$BlockIf
                                                • API String ID: 2248394366-2909538125
                                                • Opcode ID: a0303b82c0cc981ae7c395966ebb1c8872f54bddccac6db201fc3612a41124ff
                                                • Instruction ID: 43aa8f8f45df2a1113f8e50afb21455f1e6b37674338aa7fb6e7bb47769889e5
                                                • Opcode Fuzzy Hash: a0303b82c0cc981ae7c395966ebb1c8872f54bddccac6db201fc3612a41124ff
                                                • Instruction Fuzzy Hash: 52A15E71901209DFCF10DFA8CA88ADEBBB5FF08318F1445A9E514AB751D731EA0ACB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C792E83
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C792DBC: __EH_prolog3.LIBCMT ref: 6C792DC3
                                                  • Part of subcall function 6C7A91D4: __EH_prolog3.LIBCMT ref: 6C7A91DB
                                                  • Part of subcall function 6C7A91D4: __recalloc.LIBCMT ref: 6C7A921D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$__recalloc
                                                • String ID: No ProcessBlock element$ProcessBlock added$ProcessBlocks
                                                • API String ID: 1900422986-3251087430
                                                • Opcode ID: 4bc2dbfdca51597ad0b43f100d5ab01d80d0ec127a672638380365451fef54f5
                                                • Instruction ID: eb623d963fb68b262fc9daeda7c3c1ad039b44ba512b8d299f8d135bb04c6580
                                                • Opcode Fuzzy Hash: 4bc2dbfdca51597ad0b43f100d5ab01d80d0ec127a672638380365451fef54f5
                                                • Instruction Fuzzy Hash: E2718370A0024ADFCF00DFE8CA88AADBBB5BF49308F244469E515EB790C7359E05CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7931CB
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C793104: __EH_prolog3.LIBCMT ref: 6C79310B
                                                  • Part of subcall function 6C7A91D4: __EH_prolog3.LIBCMT ref: 6C7A91DB
                                                  • Part of subcall function 6C7A91D4: __recalloc.LIBCMT ref: 6C7A921D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$__recalloc
                                                • String ID: No ServiceBlock element$ServiceBlock added$ServiceBlocks
                                                • API String ID: 1900422986-3373415214
                                                • Opcode ID: 31179bd5b7106eed86c19773857620d4a2bc86097173a1bd54e60890bfbb2f65
                                                • Instruction ID: 920faf6d8d8bd5817921a891c9abf0b3db276029bf5cb44bdb24cc1cc2165a59
                                                • Opcode Fuzzy Hash: 31179bd5b7106eed86c19773857620d4a2bc86097173a1bd54e60890bfbb2f65
                                                • Instruction Fuzzy Hash: D7715570A00249DFDF00DFE8CA88AADBBB5BF49308F248569E515EB751CB359E44CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_catch.LIBCMT ref: 6C7A72EB
                                                  • Part of subcall function 6C7743C4: __EH_prolog3.LIBCMT ref: 6C7743CB
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A8ED0: __EH_prolog3.LIBCMT ref: 6C7A8ED7
                                                  • Part of subcall function 6C7A8ED0: PathFindExtensionW.SHLWAPI(?,00000004,6C7A7362,?,?,?,00000000,?,?), ref: 6C7A8F01
                                                  • Part of subcall function 6C7CC0AA: _malloc.LIBCMT ref: 6C7CC0C4
                                                  • Part of subcall function 6C7A3B2B: __EH_prolog3.LIBCMT ref: 6C7A3B32
                                                  • Part of subcall function 6C7A3B2B: InitializeCriticalSection.KERNEL32(00000002,?,00000000,00000000,00000002,?,?,00000000,?,?,?,?,00000008,6C7AEC79,?,?), ref: 6C7A3BC9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$CriticalExtensionFindH_prolog3_catchInitializePathSection_malloc
                                                • String ID: .htm$.html$.txt
                                                • API String ID: 2678321574-1806469533
                                                • Opcode ID: 806a2482baf3cb5deceafb571622b5ef6b12b512c12d1ee9672b0fabe26e6600
                                                • Instruction ID: c8c29f02712efce3e2db77c07b4bf1e761d722bfd2153e646889245c0943d6cd
                                                • Opcode Fuzzy Hash: 806a2482baf3cb5deceafb571622b5ef6b12b512c12d1ee9672b0fabe26e6600
                                                • Instruction Fuzzy Hash: 1B519331A04249DFDB00DBE8CA4DBDE7BE9AF05318F104655D424EBB85DB749A09CB72
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B1A8F
                                                  • Part of subcall function 6C7A8F73: PathRemoveFileSpecW.SHLWAPI(00000000,2806C750,00000010,80004005,6C775DB8,6C7AF845,00000010,?,6C7A831D,00000000), ref: 6C7A8F84
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A8F9E: PathStripPathW.SHLWAPI(00000000,?,?,6C7BF516), ref: 6C7A8FAE
                                                  • Part of subcall function 6C7AFF21: _wcsnlen.LIBCMT ref: 6C7AFF54
                                                  • Part of subcall function 6C7AFF21: _memcpy_s.LIBCMT ref: 6C7AFF8A
                                                  • Part of subcall function 6C775E41: __EH_prolog3.LIBCMT ref: 6C775E48
                                                  • Part of subcall function 6C775E41: PathFindFileNameW.SHLWAPI(?,?,?,0000000C,6C775E13,?,6C7A831D,?,0000000C,6C777D3D,?,00000000,?,?,6C76AB18,00000008), ref: 6C775E83
                                                  • Part of subcall function 6C775E41: PathFindExtensionW.SHLWAPI(?), ref: 6C775EA0
                                                  • Part of subcall function 6C7C8EAB: _memcpy_s.LIBCMT ref: 6C7C8EFC
                                                  • Part of subcall function 6C7A8C24: __EH_prolog3.LIBCMT ref: 6C7A8C2B
                                                  • Part of subcall function 6C7A8C7A: __EH_prolog3.LIBCMT ref: 6C7A8C81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3Path$FileFind_memcpy_s$ExtensionNameRemoveSpecStrip_wcsnlen
                                                • String ID: -MSI_$.txt$MsiEnableLog failed!!!
                                                • API String ID: 346814366-1014978939
                                                • Opcode ID: 4572953e3bf3fc10e7020cc6924b25da10513f9a79b3cdfa268f3b7ad778286d
                                                • Instruction ID: c3bae118f122679e00d8ed083ba4c7e35d46065e5fc239b9de547ddd694f373f
                                                • Opcode Fuzzy Hash: 4572953e3bf3fc10e7020cc6924b25da10513f9a79b3cdfa268f3b7ad778286d
                                                • Instruction Fuzzy Hash: E4515271900149EFDB10DBF8CA48AEDBBB5BF45328F144645F520AB785C734EA098B62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorH_prolog3Last
                                                • String ID: DW\DW20.exe$Failed to record SetupFlags
                                                • API String ID: 685212868-3543485478
                                                • Opcode ID: c8a736e47aae66d8984b41343773f5dfe295d3ae3e3cf983bf3bc801641cec62
                                                • Instruction ID: 419fffac5ec7e3f57e43226ada9e3ffc5fd0bce7ac539f655af3526bd4909a84
                                                • Opcode Fuzzy Hash: c8a736e47aae66d8984b41343773f5dfe295d3ae3e3cf983bf3bc801641cec62
                                                • Instruction Fuzzy Hash: C0418371A00149DFCB10DBB8CA8DADEBBB9BF45318F144655E420EB791C774DA0ACBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B3440
                                                • PathStripToRootW.SHLWAPI(00000000,C600000B,6C7AFA6E,00000010,?,?,00000738,6C7AFA6E,?,6C76A794,-00000960), ref: 6C7B34D8
                                                • GetLastError.KERNEL32(?,?,00000738,6C7AFA6E,?,6C76A794,-00000960), ref: 6C7B350D
                                                Strings
                                                • Failed to record SystemMemory, xrefs: 6C7B3527
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorH_prolog3LastPathRootStrip
                                                • String ID: Failed to record SystemMemory
                                                • API String ID: 1831876552-335854511
                                                • Opcode ID: d2991a1a59850869db19da65864a2855efd25453ae414ddbe1c49692014e1650
                                                • Instruction ID: d7d755e094140edd028485d3ecae8e136f93edec6dba399fd36034109af18701
                                                • Opcode Fuzzy Hash: d2991a1a59850869db19da65864a2855efd25453ae414ddbe1c49692014e1650
                                                • Instruction Fuzzy Hash: 10315A71A001169FCB00DFB4CA8DAEEBB79BF05328F100665E521E7B90CB34D949CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7A7CA5
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77391D: __EH_prolog3.LIBCMT ref: 6C773924
                                                  • Part of subcall function 6C77395E: __EH_prolog3.LIBCMT ref: 6C773965
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: Package Name = %s$Package Version = %s$Package details
                                                • API String ID: 431132790-2412997842
                                                • Opcode ID: d43ccf44e8a783ee6620b26430482bf78066ae7ce434cbf5d26ee6dd91470bb8
                                                • Instruction ID: 83f00c7cd5f192b71dab141f70856e85c45ba6d34431b2022ddf341f16911eee
                                                • Opcode Fuzzy Hash: d43ccf44e8a783ee6620b26430482bf78066ae7ce434cbf5d26ee6dd91470bb8
                                                • Instruction Fuzzy Hash: 0C316971A0014AEFDF00DBA8CA4DBEDBBB5AF05308F144555E520AB7A0C771EB09CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C777132
                                                • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,00000010), ref: 6C777191
                                                • #195.MSI(00000010,00000000,00000104,00000000,00000000,00000104,00000010,MSI.dll), ref: 6C777200
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: #195FolderH_prolog3Path
                                                • String ID: MSI.dll
                                                • API String ID: 2462876523-3845536143
                                                • Opcode ID: 38bf22e02af6293a934c6b2a57a37740f9b1f9a6aab32ecd51c40819e4b59a0e
                                                • Instruction ID: cc69071480429c364feec465a89f65e4ef5ed7ea748ef34e65d72a1b904bd5a8
                                                • Opcode Fuzzy Hash: 38bf22e02af6293a934c6b2a57a37740f9b1f9a6aab32ecd51c40819e4b59a0e
                                                • Instruction Fuzzy Hash: ED319570A1020ADFDF00DF64C98DAFEBBB9BF04318F054569E420AB790C7749A09CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C7A76A7: __EH_prolog3.LIBCMT ref: 6C7A76AE
                                                  • Part of subcall function 6C7A76A7: GetModuleHandleW.KERNEL32(kernel32.dll,00000020,6C7AF845,?), ref: 6C7A7748
                                                  • Part of subcall function 6C7A76A7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 6C7A7758
                                                  • Part of subcall function 6C7A76A7: SetThreadStackGuarantee.KERNEL32(00020000), ref: 6C7A776D
                                                  • Part of subcall function 6C7A76A7: SetUnhandledExceptionFilter.KERNEL32(6C7B416A), ref: 6C7A7774
                                                  • Part of subcall function 6C7A76A7: GetCommandLineW.KERNEL32 ref: 6C7A777A
                                                • _memset.LIBCMT ref: 6C7AF85B
                                                • GetEnvironmentVariableW.KERNEL32(DebugIronMan,?,000000FF,?,?,?), ref: 6C7AF874
                                                • DebugBreak.KERNEL32(?,?,?), ref: 6C7AF8B8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: AddressBreakCommandDebugEnvironmentExceptionFilterGuaranteeH_prolog3HandleLineModuleProcStackThreadUnhandledVariable_memset
                                                • String ID: DebugIronMan
                                                • API String ID: 12115070-628588297
                                                • Opcode ID: 7b2cb4c25a9662f96cd8dc1fddd054f525ae8b0fd7af88b445456b52816650ad
                                                • Instruction ID: 98d9b5d47f9b59fe8fc389966220aa28ae9888d7efebc9eca0946222058f01eb
                                                • Opcode Fuzzy Hash: 7b2cb4c25a9662f96cd8dc1fddd054f525ae8b0fd7af88b445456b52816650ad
                                                • Instruction Fuzzy Hash: 8E11C47170120AABDB14AFB68B09B9BB3F4EF04B18F848670D416D7A41FB30DA468751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E6C3C2815(void* _a4, union _TOKEN_INFORMATION_CLASS _a8) {
                                                				long _v8;
                                                				void* __esi;
                                                				void* __ebp;
                                                				int _t12;
                                                				void* _t13;
                                                				int _t17;
                                                				void* _t20;
                                                
                                                				_v8 = _v8 & 0x00000000;
                                                				_t4 =  &_a8; // 0x6c3c332f
                                                				_t12 = GetTokenInformation(_a4,  *_t4, 0, 0,  &_v8); // executed
                                                				if(_t12 != 0 || GetLastError() != 0x7a) {
                                                					L7:
                                                					_t13 = 0;
                                                				} else {
                                                					_t20 = E6C3C1967(GetTokenInformation, _v8);
                                                					if(_t20 == 0) {
                                                						L6:
                                                						_push(_t20);
                                                						E6C3C4994();
                                                						goto L7;
                                                					} else {
                                                						_t17 = GetTokenInformation(_a4, _a8, _t20, _v8,  &_v8); // executed
                                                						if(_t17 == 0) {
                                                							goto L6;
                                                						} else {
                                                							_t13 = _t20;
                                                						}
                                                					}
                                                				}
                                                				return _t13;
                                                			}











                                                APIs
                                                • GetTokenInformation.KERNELBASE(?,/3<l,00000000,00000000,00000000,00000000,00000000,?,?,6C3C36C7,?,00000001), ref: 6C3C2835
                                                • GetLastError.KERNEL32(?,?,6C3C36C7,?,00000001,?,?,?,?,6C3C332F,?), ref: 6C3C283B
                                                  • Part of subcall function 6C3C1967: malloc.MSVCRT(?,6C3E0554), ref: 6C3C1979
                                                • GetTokenInformation.KERNELBASE(?,?,00000000,?,?,?,?,6C3C36C7,?,00000001,?,?,?,?,6C3C332F,?), ref: 6C3C2863
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: InformationToken$ErrorLastmalloc
                                                • String ID: /3<l
                                                • API String ID: 3066823155-3369037617
                                                • Opcode ID: 71d22d3fb12a3712f40e13e26a23241fc7a961225e975f1c98cd16ec04b8e2a6
                                                • Instruction ID: f57df3813b39cb820d93bd772330426faf348b76c355011e73118b1b5f1abc06
                                                • Opcode Fuzzy Hash: 71d22d3fb12a3712f40e13e26a23241fc7a961225e975f1c98cd16ec04b8e2a6
                                                • Instruction Fuzzy Hash: 3C01D631701319FAEF004A94CE84F9E7B7CEB05B5CF201021F900A1450D732EE04AF62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C795A78
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7BA8E5: __EH_prolog3.LIBCMT ref: 6C7BA8EC
                                                  • Part of subcall function 6C77395E: __EH_prolog3.LIBCMT ref: 6C773965
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: complete$Action$Enumerating incompatible services
                                                • API String ID: 431132790-2452571594
                                                • Opcode ID: b487cabb22db90c81fccbd52e5a705490cd3e349719782915219a57fc3072d25
                                                • Instruction ID: 955a4cbe370893dc78e445c080e5fc1ba601f6e5737945a426d30162d075d2f3
                                                • Opcode Fuzzy Hash: b487cabb22db90c81fccbd52e5a705490cd3e349719782915219a57fc3072d25
                                                • Instruction Fuzzy Hash: B011AD72A00148EFCF01EFE4CA08BEE7BB8BF09315F408556E114A7650CB359A19EBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: CountTick$ErrorLastSleep
                                                • String ID:
                                                • API String ID: 1403765585-0
                                                • Opcode ID: 04eebacef5b497eeea6e7490c7e3aa5535ab415d2b0722b20e6566ce377abc2b
                                                • Instruction ID: 7882c63af4dfb46cca1def477bfa6a3a849128ea95fc3834a8acc5008563c924
                                                • Opcode Fuzzy Hash: 04eebacef5b497eeea6e7490c7e3aa5535ab415d2b0722b20e6566ce377abc2b
                                                • Instruction Fuzzy Hash: 45218470A04344AFDB14DF58E549B8EBBF1AF46306F1084E9F055D7A41CB74E949CB22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 66%
                                                			E6C3C3679(void* __ecx, intOrPtr* _a4) {
                                                				void* _v8;
                                                				void* _v12;
                                                				void* _t16;
                                                				intOrPtr _t17;
                                                				intOrPtr* _t23;
                                                				signed int _t28;
                                                				intOrPtr* _t32;
                                                				void* _t35;
                                                				intOrPtr* _t37;
                                                
                                                				_t16 = GetCurrentProcess();
                                                				_t32 = _a4;
                                                				_t35 = _t16;
                                                				_v8 = 0;
                                                				_v12 = 0;
                                                				if(_t32 == 0) {
                                                					_t17 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t17 != 0x6c3e0088 && ( *(_t17 + 0x1c) & 0x00000001) != 0) {
                                                						_t14 = _t17 + 0x14; // 0x0
                                                						_t15 = _t17 + 0x10; // 0x1
                                                						E6C3D5F11( *_t15,  *_t14, 0x2e, 0x6c3d5ab8);
                                                					}
                                                					L7:
                                                					return _v12;
                                                				}
                                                				_push(7);
                                                				 *_t32 = 0;
                                                				if( *0x6c3e04dc() != 0 && OpenProcessToken(_t35, 8,  &_v8) != 0) {
                                                					_t23 = E6C3C2815(_v8, 1); // executed
                                                					_t37 = _t23;
                                                					_t28 = 0 | _t37 != 0x00000000;
                                                					if(_t37 != 0) {
                                                						_push(_t32);
                                                						_push( *_t37);
                                                						L6C3C3700();
                                                						_v12 = _t23;
                                                					}
                                                					FindCloseChangeNotification(_v8); // executed
                                                					if(_t28 != 0) {
                                                						_push(_t37);
                                                						E6C3C1816();
                                                					}
                                                				}
                                                			}













                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,6C3C332F,?), ref: 6C3C3683
                                                • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,6C3C332F,?), ref: 6C3C36B3
                                                  • Part of subcall function 6C3C2815: GetTokenInformation.KERNELBASE(?,/3<l,00000000,00000000,00000000,00000000,00000000,?,?,6C3C36C7,?,00000001), ref: 6C3C2835
                                                  • Part of subcall function 6C3C2815: GetLastError.KERNEL32(?,?,6C3C36C7,?,00000001,?,?,?,?,6C3C332F,?), ref: 6C3C283B
                                                  • Part of subcall function 6C3C2815: GetTokenInformation.KERNELBASE(?,?,00000000,?,?,?,?,6C3C36C7,?,00000001,?,?,?,?,6C3C332F,?), ref: 6C3C2863
                                                • ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 6C3C36D5
                                                • FindCloseChangeNotification.KERNEL32(?,?,00000001,?,?,?,?,6C3C332F,?), ref: 6C3C36E0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: Token$InformationProcess$ChangeCloseConvertCurrentErrorFindLastNotificationOpenString
                                                • String ID:
                                                • API String ID: 3562588798-0
                                                • Opcode ID: 71ad4e96bc47b13466293240d2481ab20f029bab5daa0516110ed5334d0f7e25
                                                • Instruction ID: b30bc8ac66ef49209369249c549654e28a21ae62e43a35e05c16b92397af8ffc
                                                • Opcode Fuzzy Hash: 71ad4e96bc47b13466293240d2481ab20f029bab5daa0516110ed5334d0f7e25
                                                • Instruction Fuzzy Hash: 98119071701254ABDB519F65CCC5FDD7A78EB093A8F214064F400AB650CB72DD64AF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7BA8EC
                                                  • Part of subcall function 6C7BCE09: _free.LIBCMT ref: 6C7BCE3D
                                                  • Part of subcall function 6C7BD179: __EH_prolog3.LIBCMT ref: 6C7BD180
                                                  • Part of subcall function 6C7BD179: GetLastError.KERNEL32 ref: 6C7BD19C
                                                  • Part of subcall function 6C7A8608: __wcsicoll.LIBCMT ref: 6C7A8626
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$ErrorLast__wcsicoll_free
                                                • String ID: Blocking Services$No Blocking Services
                                                • API String ID: 3921677135-2473106011
                                                • Opcode ID: 4a9c5d6b71cb674563b7b29231436d2460d6755c3cc880a05916a50549e83ed2
                                                • Instruction ID: b41fc47f742bde8ede51739eafae0cb06bdc8cd54df9c27965bc06461b0e4939
                                                • Opcode Fuzzy Hash: 4a9c5d6b71cb674563b7b29231436d2460d6755c3cc880a05916a50549e83ed2
                                                • Instruction Fuzzy Hash: DE918071A0160ADFDF10DF68CA89ADEBBB1FF04324F118259E865AB790D730E914CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetSystemInfo.KERNEL32(?), ref: 6C775562
                                                  • Part of subcall function 6C774FAC: _memset.LIBCMT ref: 6C774FB4
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3InfoSystem_memset
                                                • String ID: %s - %s %s %s$Unknown OS
                                                • API String ID: 3853411852-1218788732
                                                • Opcode ID: bea0f6cde9451f444ece5b2e258f45d09b6777c1de5fd270d38c3d2eed9818c0
                                                • Instruction ID: a774f6f9e99fa9113ad24ce56aa89e53d857ce9f86b5d65558ddcc80a2977cd0
                                                • Opcode Fuzzy Hash: bea0f6cde9451f444ece5b2e258f45d09b6777c1de5fd270d38c3d2eed9818c0
                                                • Instruction Fuzzy Hash: D04150722083459FD720CF68D948ACBBBE5AF89718F140A2EF49497751DB30A6498B93
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C78439E
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77A5D0: __EH_prolog3.LIBCMT ref: 6C77A5D7
                                                  • Part of subcall function 6C77A5D0: SysFreeString.OLEAUT32(?), ref: 6C77A62B
                                                  • Part of subcall function 6C7A8863: _wcschr.LIBCMT ref: 6C7A887A
                                                  • Part of subcall function 6C7844EA: __EH_prolog3.LIBCMT ref: 6C7844F1
                                                  • Part of subcall function 6C7844EA: __CxxThrowException@8.LIBCMT ref: 6C7845E9
                                                  • Part of subcall function 6C784613: RegCloseKey.ADVAPI32(?,00000034,00000034,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,6C7842F8,6C76A794,-00000960), ref: 6C78468D
                                                  • Part of subcall function 6C784613: RegCloseKey.ADVAPI32(?,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,6C7842F8,6C76A794,-00000960), ref: 6C78469E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Close$Exception@8FreeStringThrow_wcschr
                                                • String ID: RegKey$RegValueName
                                                • API String ID: 3842226755-3571311812
                                                • Opcode ID: 57824eb1c5ba7a7c7f9fd75a12d30cf90ba5e2ea263d087712cba4204efcd962
                                                • Instruction ID: 1c1857d8f8804083ee2ae3c1e719923904d1365d57efd991d8ab5c31ad8c4cc5
                                                • Opcode Fuzzy Hash: 57824eb1c5ba7a7c7f9fd75a12d30cf90ba5e2ea263d087712cba4204efcd962
                                                • Instruction Fuzzy Hash: 17415C31A0124A9FDF10DBE8CA4CBDEB7B8AF04328F144255E524E7781DB74DA09CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C78426C
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77A63E: __EH_prolog3.LIBCMT ref: 6C77A645
                                                  • Part of subcall function 6C77A63E: SysFreeString.OLEAUT32(?), ref: 6C77A69B
                                                  • Part of subcall function 6C784397: __EH_prolog3.LIBCMT ref: 6C78439E
                                                • GetUserDefaultUILanguage.KERNEL32(6C76A794,-00000960), ref: 6C784302
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$DefaultFreeLanguageStringUser
                                                • String ID: LCIDHint
                                                • API String ID: 188276182-1583853939
                                                • Opcode ID: 62185a3075191dd490fd66dd04556e42a642ba77261812eda1489ffed427e966
                                                • Instruction ID: 59cea75a276f2efcac5b1ee24f094293b0f3ba446904dbcee984978c0c8d852f
                                                • Opcode Fuzzy Hash: 62185a3075191dd490fd66dd04556e42a642ba77261812eda1489ffed427e966
                                                • Instruction Fuzzy Hash: CC417171A01209DFDB00CFA8CA58ADD77B9BF44318F204669E515EBA80CB71DE05DB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7AEA7B
                                                • GetComputerObjectNameW.SECUR32(00000007,00000000,6C7AFA6E), ref: 6C7AEAC0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ComputerH_prolog3NameObject
                                                • String ID: microsoft.com
                                                • API String ID: 4212761916-499418652
                                                • Opcode ID: 3620ab1caf0dbbf10e8f53d5fb5d5389c1b3eb1e867074c3f32b5af187dcf09b
                                                • Instruction ID: 36ed8be120d012f424133e3a122120f7f049b302fac34d859225c4d6faf0f0a0
                                                • Opcode Fuzzy Hash: 3620ab1caf0dbbf10e8f53d5fb5d5389c1b3eb1e867074c3f32b5af187dcf09b
                                                • Instruction Fuzzy Hash: 61218031A102598BCB04DFF8CA4C9EDB7727F41318F10476AD031A7BD0DB70AA0A8652
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • GetAction returned an invalid action type; creating DoNothingPerformer, xrefs: 6C7B236A
                                                • Creating new Performer for ServiceControl item, xrefs: 6C7B233C
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: Creating new Performer for ServiceControl item$GetAction returned an invalid action type; creating DoNothingPerformer
                                                • API String ID: 431132790-300339860
                                                • Opcode ID: 6f78fb660dd7d1a05f5755b41420d2ff58719ec42ba57c734c201da3028efe12
                                                • Instruction ID: 98ce23c81dc4751b2a32772b48f711d61137921e2a0e8e9c4e554d3c6fc0748d
                                                • Opcode Fuzzy Hash: 6f78fb660dd7d1a05f5755b41420d2ff58719ec42ba57c734c201da3028efe12
                                                • Instruction Fuzzy Hash: A0118E75646202EFEB089FA9DB1DB98B6A0BF45318F108055E614EBED0CBB4D5C4CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7A7DB7
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C774CB2: __EH_prolog3.LIBCMT ref: 6C774CB9
                                                  • Part of subcall function 6C77395E: __EH_prolog3.LIBCMT ref: 6C773965
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: Operation Type$Operation: %s
                                                • API String ID: 431132790-3288381836
                                                • Opcode ID: 63fe7e5d797e929e5d82f00b93220331c725ffce905b274a0aca6db0ce604956
                                                • Instruction ID: c9beead46fbdd35f5735536990caf156bd65aabdc44992072d0d11870637f88d
                                                • Opcode Fuzzy Hash: 63fe7e5d797e929e5d82f00b93220331c725ffce905b274a0aca6db0ce604956
                                                • Instruction Fuzzy Hash: 01213871A0014A9FDB00DBE8CA4DADEBBB9BF05308F144556E150EBB81C7349A09CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _wcsnlen.LIBCMT ref: 6C7AFF54
                                                • _memcpy_s.LIBCMT ref: 6C7AFF8A
                                                  • Part of subcall function 6C7C8E8C: __CxxThrowException@8.LIBCMT ref: 6C7C8EA0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Exception@8Throw_memcpy_s_wcsnlen
                                                • String ID: OS Version Information
                                                • API String ID: 31407445-551053750
                                                • Opcode ID: 9c63a639ee519eab536a0c439a5492597f7296c8b7f45d34778611928766e027
                                                • Instruction ID: 7de2d04e3a345b11fec43b634322f46ad1ca49a361f8afdc402b9005c6ff4c5f
                                                • Opcode Fuzzy Hash: 9c63a639ee519eab536a0c439a5492597f7296c8b7f45d34778611928766e027
                                                • Instruction Fuzzy Hash: 7001C432600108AF8B04DFA8CD4CC9E77A9EB893A4711822EF5189B650EA30EA058F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C795325
                                                  • Part of subcall function 6C7C8AFC: _wcsnlen.LIBCMT ref: 6C7C8B0C
                                                • DeleteFileW.KERNEL32(?,00000010,HFI,00000000,?,6C76AB18,00000004,6C7BA448,342C82DB,342C82DB,?,?,6C7A4B23), ref: 6C795399
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: DeleteFileH_prolog3_wcsnlen
                                                • String ID: HFI
                                                • API String ID: 1332513528-686494941
                                                • Opcode ID: e232a1ef0c9f9ad6902df7bd71b509724ba97908f7adfdbcda0a05d40172512c
                                                • Instruction ID: d0601725e5fa62bcaf3452386379b3c75af36928f184a2e7f4f02b45b17deb2d
                                                • Opcode Fuzzy Hash: e232a1ef0c9f9ad6902df7bd71b509724ba97908f7adfdbcda0a05d40172512c
                                                • Instruction Fuzzy Hash: 6411E1313001159FC7449F78DB4CAAEB7A5BF5531DF10476AE5209BB90DB70DA088752
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B3573
                                                  • Part of subcall function 6C77579B: _memset.LIBCMT ref: 6C7757CA
                                                  • Part of subcall function 6C77579B: GetVersionExW.KERNEL32 ref: 6C7757DF
                                                  • Part of subcall function 6C77579B: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000001), ref: 6C7757F5
                                                  • Part of subcall function 6C77579B: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000001), ref: 6C7757FD
                                                  • Part of subcall function 6C77579B: VerSetConditionMask.KERNEL32(00000000,?,00000020,00000001,?,00000001,00000001), ref: 6C775805
                                                  • Part of subcall function 6C77579B: VerSetConditionMask.KERNEL32(00000000,?,00000010,00000001,?,00000020,00000001,?,00000001,00000001), ref: 6C77580D
                                                  • Part of subcall function 6C77579B: VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C775818
                                                Strings
                                                • CSDReleaseType, xrefs: 6C7B35CC
                                                • SYSTEM\CurrentControlSet\Control\Windows, xrefs: 6C7B35E1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ConditionMask$Version$H_prolog3InfoVerify_memset
                                                • String ID: CSDReleaseType$SYSTEM\CurrentControlSet\Control\Windows
                                                • API String ID: 3830908078-406884543
                                                • Opcode ID: e592d1a4a5780d69ef744e726a7ab71140e78debf80d1622726a516e25c29d85
                                                • Instruction ID: 3c6f3bc8baa5e76cfd44dac07528c2992ac398ee9afd45e21714877526959b7c
                                                • Opcode Fuzzy Hash: e592d1a4a5780d69ef744e726a7ab71140e78debf80d1622726a516e25c29d85
                                                • Instruction Fuzzy Hash: 3E01E5B3D101286BDB149F68CA196E83A90AB10358F0A4266FD69EF740C735DA44DAA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7AEC61
                                                  • Part of subcall function 6C7A3B2B: __EH_prolog3.LIBCMT ref: 6C7A3B32
                                                  • Part of subcall function 6C7A3B2B: InitializeCriticalSection.KERNEL32(00000002,?,00000000,00000000,00000002,?,?,00000000,?,?,?,?,00000008,6C7AEC79,?,?), ref: 6C7A3BC9
                                                  • Part of subcall function 6C7B2C16: PathFileExistsW.SHLWAPI(00000000), ref: 6C7B2CA8
                                                  • Part of subcall function 6C7B2C16: __CxxThrowException@8.LIBCMT ref: 6C7B2CE7
                                                  • Part of subcall function 6C7B2C16: CopyFileW.KERNEL32(00000010,00000000,00000000,?), ref: 6C7B2D19
                                                  • Part of subcall function 6C7B2C16: SetFileAttributesW.KERNEL32(?,00000080), ref: 6C7B2D32
                                                • InitializeCriticalSection.KERNEL32(?,?,?,.html,00000001,00000000,6C7A747C,00000000,00000000,?,?,?,?,?,?,?), ref: 6C7AECBB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: File$CriticalH_prolog3InitializeSection$AttributesCopyException@8ExistsPathThrow
                                                • String ID: .html
                                                • API String ID: 4277916732-2179875201
                                                • Opcode ID: ddf42e64997b90c50ed43c3ad64dd3776a007217da07d19ff191a6246ee41b8e
                                                • Instruction ID: 3862ea02fa24884cef0b49eeeb2967e795820c0fa7ed9b6a02489604932e9c19
                                                • Opcode Fuzzy Hash: ddf42e64997b90c50ed43c3ad64dd3776a007217da07d19ff191a6246ee41b8e
                                                • Instruction Fuzzy Hash: C7F0A931600242EBDB00DBA4878D7DCBBAA7F18309F4044589504ABB40CB74AA0DA7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,6C7AFA6E,?,?,6C7C2D44,6C7AFA6E,?,?,?,?), ref: 6C798722
                                                Strings
                                                • File %s, locked for install. , xrefs: 6C79873B
                                                • Failed to lock file %s., xrefs: 6C798734
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID: Failed to lock file %s.$File %s, locked for install.
                                                • API String ID: 823142352-2267527102
                                                • Opcode ID: 29eb32fc28a375617327c9f33b42fec8b47fd35d7f2010ff5531767aae6bfd1a
                                                • Instruction ID: d38f3e88b07b73c0eef2a0e47d0bfa2df01ca05078ae88a995b8bb2b7ea20c89
                                                • Opcode Fuzzy Hash: 29eb32fc28a375617327c9f33b42fec8b47fd35d7f2010ff5531767aae6bfd1a
                                                • Instruction Fuzzy Hash: 87E0683378030037D23009AAAD0AF813A58C7D4774F250632FB58FB2C0C8B1A950C2A9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLastError.KERNEL32(?,?,6C7B3B79,-00000960,6C76A794,00000000,0000003C,6C7B1985,-00000960,6C7AFA6E,?,00000000,?,-00000960,?,?), ref: 6C7B6B50
                                                • LocalAlloc.KERNEL32(00000040,00000000,00000000,?,?,6C7B3B79,-00000960,6C76A794,00000000,0000003C,6C7B1985,-00000960,6C7AFA6E,?,00000000), ref: 6C7B6B6C
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: AllocErrorLastLocal
                                                • String ID:
                                                • API String ID: 3128366072-0
                                                • Opcode ID: 5ca2b5bc184e57d1b71cc42f48ba71173a55c5baecf80f3246a2cb51c9f88b64
                                                • Instruction ID: 6af17496f6e7e4608dfd9893c70044158da1d00f766498b2fe1dda0804d53681
                                                • Opcode Fuzzy Hash: 5ca2b5bc184e57d1b71cc42f48ba71173a55c5baecf80f3246a2cb51c9f88b64
                                                • Instruction Fuzzy Hash: 9611603264020AEFEB148F55CD45F5B7778EF113A9F208128F605E6690D674EB049B54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7BA1ED
                                                • GetCurrentProcessId.KERNEL32(00000020,6C7953D9,00000000,?,?,6C7A4B23), ref: 6C7BA1FD
                                                  • Part of subcall function 6C795238: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C795254
                                                  • Part of subcall function 6C795238: _memset.LIBCMT ref: 6C79526E
                                                  • Part of subcall function 6C795238: Process32FirstW.KERNEL32(00000000,?), ref: 6C795288
                                                  • Part of subcall function 6C795238: FindCloseChangeNotification.KERNEL32(00000000), ref: 6C7952B7
                                                  • Part of subcall function 6C7C8EAB: _memcpy_s.LIBCMT ref: 6C7C8EFC
                                                  • Part of subcall function 6C7A8608: __wcsicoll.LIBCMT ref: 6C7A8626
                                                • GetTempPathW.KERNEL32(00000104,00000000,6C7A4B23,6C7A4614,6C7A4B23,00000000,00000010,00000010,?,00000000,6C7A4614,?,?,6C7A4B23), ref: 6C7BA415
                                                  • Part of subcall function 6C795238: Process32NextW.KERNEL32(00000000,0000022C), ref: 6C7952A3
                                                  • Part of subcall function 6C7C8AFC: _wcsnlen.LIBCMT ref: 6C7C8B0C
                                                  • Part of subcall function 6C79531E: __EH_prolog3.LIBCMT ref: 6C795325
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3Process32$ChangeCloseCreateCurrentFindFirstNextNotificationPathProcessSnapshotTempToolhelp32__wcsicoll_memcpy_s_memset_wcsnlen
                                                • String ID:
                                                • API String ID: 3672672585-0
                                                • Opcode ID: 75de0b360aa295be7217f4c588eb4281c933dfc119c4b4abd9f6f22e8162fde5
                                                • Instruction ID: 595d71047f12431683a00d95ad31ecd35374b9e48064ca40df0b2ce6398d6031
                                                • Opcode Fuzzy Hash: 75de0b360aa295be7217f4c588eb4281c933dfc119c4b4abd9f6f22e8162fde5
                                                • Instruction Fuzzy Hash: 18918271A00249DFDB10DFF8CA4D6DDBBB4BF05328F144659E460AB791DB349909CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B9893
                                                • GetCommandLineW.KERNEL32(0000002C,6C7BD52A,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C7B98B4
                                                  • Part of subcall function 6C773E77: __EH_prolog3.LIBCMT ref: 6C773E7E
                                                  • Part of subcall function 6C774412: __EH_prolog3.LIBCMT ref: 6C774419
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7753D4: ExpandEnvironmentStringsW.KERNEL32(?,?,00000105,00000010,6C7FEE70,?,?,?,?,6C7B995C,00000000,?,UiInfo.xml,?,?,00000000), ref: 6C775412
                                                  • Part of subcall function 6C7753D4: ExpandEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,?,6C7B995C,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6C775440
                                                • PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6C7B996E
                                                  • Part of subcall function 6C775D3F: __EH_prolog3.LIBCMT ref: 6C775D46
                                                  • Part of subcall function 6C775D3F: GetModuleFileNameW.KERNEL32(6C750000,00000010,00000104,?,6C7A831D,00000000), ref: 6C775D93
                                                  • Part of subcall function 6C7A8E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6C7B99FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6C7A8E6E
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$EnvironmentExpandPathStrings$AppendCommandFileLineModuleNameRelative
                                                • String ID:
                                                • API String ID: 168041992-0
                                                • Opcode ID: dd20f89bcd2994fe347876d6681ca75ada81ce5c5d53324f96e86429276753e3
                                                • Instruction ID: 3f3caf80f09b5eb6445a943f33bf617e3feb3cd5d434796c1e93c855ae168690
                                                • Opcode Fuzzy Hash: dd20f89bcd2994fe347876d6681ca75ada81ce5c5d53324f96e86429276753e3
                                                • Instruction Fuzzy Hash: 6E411C72A0014DDFDF11DBF8CA4CADDBBB9BF05318F144656E020AB791DB349A099B62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 56%
                                                			E6C3C182C(void* __ecx, void* __esi, void* _a4, short* _a8, short* _a12, char* _a16, void* _a20) {
                                                				int _v8;
                                                				int _v12;
                                                				short* _t36;
                                                				intOrPtr _t37;
                                                				long _t38;
                                                				long _t40;
                                                				long _t44;
                                                				intOrPtr _t45;
                                                				signed int _t52;
                                                				short* _t58;
                                                				long _t60;
                                                
                                                				_v12 = _a20 + _a20;
                                                				_t36 = _a8;
                                                				_v8 = 0;
                                                				_a20 = 0;
                                                				if(_t36 == 0 ||  *_t36 == 0) {
                                                					_t37 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t37 == 0x6c3e0088 || ( *(_t37 + 0x1c) & 0x00000001) == 0) {
                                                						goto L25;
                                                					} else {
                                                						_push(0x6c3d5ab8);
                                                						_push(0xa);
                                                						goto L24;
                                                					}
                                                				} else {
                                                					_t58 = _a12;
                                                					if(_t58 == 0 ||  *_t58 == 0) {
                                                						_t37 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t37 == 0x6c3e0088 || ( *(_t37 + 0x1c) & 0x00000001) == 0) {
                                                							goto L25;
                                                						} else {
                                                							_push(0x6c3d5ab8);
                                                							_push(0xb);
                                                							goto L24;
                                                						}
                                                					} else {
                                                						if(_a16 == 0) {
                                                							_t37 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t37 == 0x6c3e0088 || ( *(_t37 + 0x1c) & 0x00000001) == 0) {
                                                								L25:
                                                								_t38 = 0x57;
                                                								L11:
                                                								return _t38;
                                                							} else {
                                                								_push(0x6c3d5ab8);
                                                								_push(0xc);
                                                								L24:
                                                								_t32 = _t37 + 0x14; // 0x0
                                                								_push( *_t32);
                                                								_t33 = _t37 + 0x10; // 0x1
                                                								_push( *_t33);
                                                								E6C3D5F11();
                                                								goto L25;
                                                							}
                                                						}
                                                						_t52 =  *0x6c3e04d4; // 0x1
                                                						asm("sbb ecx, ecx");
                                                						_t40 = RegOpenKeyExW(_a4, _t36, 0, ( ~_t52 & 0x00000100) + 0x20019,  &_a20); // executed
                                                						_t60 = _t40;
                                                						if(_t60 == 0) {
                                                							_t44 = RegQueryValueExW(_a20, _t58, 0,  &_v8, _a16,  &_v12); // executed
                                                							_t60 = _t44;
                                                							if(_t60 == 0 && _v8 != 1) {
                                                								_t45 =  *0x6c3e0088; // 0x6c3e0088
                                                								_t60 = 0xd;
                                                								if(_t45 != 0x6c3e0088 && ( *(_t45 + 0x1c) & 0x00000001) != 0) {
                                                									_t24 = _t45 + 0x14; // 0x0
                                                									_t25 = _t45 + 0x10; // 0x1
                                                									E6C3D77B8( *_t25,  *_t24, _t60, 0x6c3d5ab8, _t58, _v8);
                                                								}
                                                							}
                                                						}
                                                						if(_a20 != 0) {
                                                							RegCloseKey(_a20); // executed
                                                						}
                                                						_t38 = _t60;
                                                						goto L11;
                                                					}
                                                				}
                                                			}















                                                APIs
                                                • RegOpenKeyExW.KERNEL32(?,?,00000000,-00020018,6C3C2E5E,?,?,00000000,?,?,?,6C3C2E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6C3C1897
                                                • RegQueryValueExW.KERNEL32(6C3C2E5E,?,00000000,00000027,80000002,?,?,00000000,?,?,?,6C3C2E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6C3C18B3
                                                • RegCloseKey.KERNEL32(6C3C2E5E,?,00000000,?,?,?,6C3C2E5E,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 6C3C18D1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: 1bf75277122b9869d461be174281d2c9f5f4c6bb22519f45296695fa402c08d2
                                                • Instruction ID: 3d3e7633e8e1d3310001d8f0b6d130bc24dc8f422c8c1ea005e82339779c6d45
                                                • Opcode Fuzzy Hash: 1bf75277122b9869d461be174281d2c9f5f4c6bb22519f45296695fa402c08d2
                                                • Instruction Fuzzy Hash: 1731D572705295AFDB01DE54C8D0EEE3BB8EB0934CF1100A6FA1196960C732DD94EFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7976C2
                                                  • Part of subcall function 6C7975C2: __EH_prolog3.LIBCMT ref: 6C7975C9
                                                  • Part of subcall function 6C7975C2: OpenFileMappingW.KERNEL32(00000002,00000000,00000000,?,6C76AB18,00000008,6C7976FE,?,?,00000004,6C7BC454,?,6C7695D4,00000000,00000001,?), ref: 6C7975F2
                                                  • Part of subcall function 6C7975C2: GetLastError.KERNEL32(?,?,?,?,00000001), ref: 6C7975FF
                                                • OpenEventW.KERNEL32(00100002,00000000,00000000,?,?,00000004,6C7BC454,?,6C7695D4,00000000,00000001,?,6C76A794,?,00000001,?), ref: 6C79770B
                                                • OpenFileMappingW.KERNEL32(00000002,00000000,00000000,?,?,?,?,00000001), ref: 6C79771B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Open$FileH_prolog3Mapping$ErrorEventLast
                                                • String ID:
                                                • API String ID: 1631330826-0
                                                • Opcode ID: ad33861170ea8ca42714899828cb5a4b9e56e69cbde1b7eb1727dea2c10f73cd
                                                • Instruction ID: f9e3ad160db2a3b1257a00c2568c263a6b9333767306cefd4d40038145137464
                                                • Opcode Fuzzy Hash: ad33861170ea8ca42714899828cb5a4b9e56e69cbde1b7eb1727dea2c10f73cd
                                                • Instruction Fuzzy Hash: 81113AB2600346EFCB00CF65CA4AB99BBB0BF48314F108559F8589BB91C770E964CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegOpenKeyExW.KERNEL32(80000002,?,00000000,00000001,?,?,?,?,?,6C7B35F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 6C77C426
                                                • RegQueryValueExW.KERNEL32(?,?,00000000,00000000,6C7B0F4A,00000004,?,?,?,6C7B35F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 6C77C43F
                                                • RegCloseKey.KERNEL32(?,?,?,?,6C7B35F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType,?,-00000960,00000004,6C7B0F4A,?), ref: 6C77C44E
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: 9d728006ee8f0fa54a3403c38c7b0ad92133b6561e3f85c2da391a7252e53339
                                                • Instruction ID: 423c32d09bfb9e9727b4763dfcf01a30733fb98ec47ef354a24571e5b7f53404
                                                • Opcode Fuzzy Hash: 9d728006ee8f0fa54a3403c38c7b0ad92133b6561e3f85c2da391a7252e53339
                                                • Instruction Fuzzy Hash: 33F03C72200108BFEF109FA4CD89EAE7B7DEF053A9F504225F92496290E771DE54AB21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C777CEF
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C777EE4: __EH_prolog3.LIBCMT ref: 6C777EEB
                                                  • Part of subcall function 6C775DD0: __EH_prolog3.LIBCMT ref: 6C775DD7
                                                  • Part of subcall function 6C775485: __EH_prolog3.LIBCMT ref: 6C77548C
                                                  • Part of subcall function 6C775485: GetModuleHandleW.KERNEL32(kernel32.dll,0000002C,6C777DAF,?,?,?,?,?,00000000,?,?,6C76AB18,00000008,6C777CD9), ref: 6C77549C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$HandleModule
                                                • String ID: Unknown
                                                • API String ID: 1530205010-1654365787
                                                • Opcode ID: 59fb9bdd25c46741a63de8fb59d26a905dafa67c8bf9a97a55f367ba9d2c9977
                                                • Instruction ID: df82bb35dac3b7f8bf846a08ab8d1cb14caa2477c2cdde12692ac322192f62ce
                                                • Opcode Fuzzy Hash: 59fb9bdd25c46741a63de8fb59d26a905dafa67c8bf9a97a55f367ba9d2c9977
                                                • Instruction Fuzzy Hash: F2314F71610B059EDB24DFB4CA49BEFB3A8BF05314F504E1EA179CBAC0DB70A9488716
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7A4ADD
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A8E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6C7B99FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6C7A8E6E
                                                  • Part of subcall function 6C7C8EAB: _memcpy_s.LIBCMT ref: 6C7C8EFC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$AppendPath_memcpy_s
                                                • String ID: %TEMP%
                                                • API String ID: 3727483831-235365282
                                                • Opcode ID: 755dda5dc1f3c587882951fae8e9649fe85087be4ee0e5433f7178b9d64dc366
                                                • Instruction ID: 971ec29b810ecc5d58c08e95899ba2ac1ffda24c02fee37f534a6e6a389f605c
                                                • Opcode Fuzzy Hash: 755dda5dc1f3c587882951fae8e9649fe85087be4ee0e5433f7178b9d64dc366
                                                • Instruction Fuzzy Hash: 12213D3290014A8FDB10DBF8CA4D7EEB7B4AF01328F144755E160EBB95DB749A098752
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C78267E
                                                  • Part of subcall function 6C7789B7: __EH_prolog3.LIBCMT ref: 6C7789BE
                                                  • Part of subcall function 6C7789B7: __CxxThrowException@8.LIBCMT ref: 6C778A89
                                                  • Part of subcall function 6C782811: __EH_prolog3.LIBCMT ref: 6C782818
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw
                                                • String ID: ReturnCode
                                                • API String ID: 2489616738-1214168914
                                                • Opcode ID: 03fca8f18cdf396937f329170c2e79517f75058887f53a97c2332e3547322155
                                                • Instruction ID: 60cc37a9afa63a5c3809c2e9a7a493c20f00bf31baa80792d1f1a76ab32f3f9f
                                                • Opcode Fuzzy Hash: 03fca8f18cdf396937f329170c2e79517f75058887f53a97c2332e3547322155
                                                • Instruction Fuzzy Hash: 6F216FB15012159FCF00CFACCA89A9E7BA8FF09718B14855AF824DF785CB70D904CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: %TEMP%
                                                • API String ID: 431132790-235365282
                                                • Opcode ID: 994ff63d5f1206d2f88523ce66ea48c484078f3be53f9c2c087e87f8ec3bb55e
                                                • Instruction ID: fca51810987de86c9c18f4733e5446b8618086a86874792f0a3c047ea78ff2f5
                                                • Opcode Fuzzy Hash: 994ff63d5f1206d2f88523ce66ea48c484078f3be53f9c2c087e87f8ec3bb55e
                                                • Instruction Fuzzy Hash: 15213E7161021AAFDF00EFA0CE8DAEE7775FF04359F004525F925AA690DB70DA15CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C794689
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: #(loc.
                                                • API String ID: 431132790-1630946291
                                                • Opcode ID: 99eff680d33c9f6c7438154598c7665ad94bf4428ce844afe3a5d40a063a682c
                                                • Instruction ID: 01b5e2584f2d6ad2ce9fabafd35af9be1910ed29d3c5950238f60faf846d7b08
                                                • Opcode Fuzzy Hash: 99eff680d33c9f6c7438154598c7665ad94bf4428ce844afe3a5d40a063a682c
                                                • Instruction Fuzzy Hash: 6011BA75900249DFCF00DFA8CA49AEDB7B4BF14328F104656F920AB785C774EA598B61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: Entering Function
                                                • API String ID: 431132790-2002471330
                                                • Opcode ID: 90892dc7baf4812768b9cafe11ecfae4e19719d8a6aa0ebcb2e748122eb88770
                                                • Instruction ID: 9ae47ad7c890fbd4335889221a37d371ad439cdcace8753e271e9d41147a7aef
                                                • Opcode Fuzzy Hash: 90892dc7baf4812768b9cafe11ecfae4e19719d8a6aa0ebcb2e748122eb88770
                                                • Instruction Fuzzy Hash: 84F032756002029FCB10DF68CA48B9DBBE0FF44714F00C809E884CBB10CB34EA50CB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • exiting function/method, xrefs: 6C7738EF
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: exiting function/method
                                                • API String ID: 431132790-2452647166
                                                • Opcode ID: 0c15b66177a5e387cc774b071d3fa16941326e2aae5c2a40f23926f19d36b48a
                                                • Instruction ID: 58c4e2823fb112d49c2816efa1571e2023e6bab8c85f7b5dd43a58660214dd27
                                                • Opcode Fuzzy Hash: 0c15b66177a5e387cc774b071d3fa16941326e2aae5c2a40f23926f19d36b48a
                                                • Instruction Fuzzy Hash: 84E0E53A2006029FC700EFA8C25DB49B7A1FF48315F118898E6559FBA0CB31F914CB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000424,6C79772B,?,?,?,?,00000001), ref: 6C79739A
                                                Strings
                                                • The handle to the section is Null, xrefs: 6C797380
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: FileView
                                                • String ID: The handle to the section is Null
                                                • API String ID: 3314676101-179083574
                                                • Opcode ID: f44917a7dc6e13390ea1f7767bded1db9ae8c8eaf0b00b7612f6d64d4c7a0f81
                                                • Instruction ID: 44a52157903fd6e701ce95a1b25201e67cd0726443ce66905f4e61744ec00946
                                                • Opcode Fuzzy Hash: f44917a7dc6e13390ea1f7767bded1db9ae8c8eaf0b00b7612f6d64d4c7a0f81
                                                • Instruction Fuzzy Hash: E4E0ECB0784702AFE7208F299E0AF017AE4EF08B05F50C869B659EE9D1D671E4408B04
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 68%
                                                			E6C3C3536(void* __ecx, void* __edx, void* __edi, void* __fp0, char* _a4, intOrPtr _a8, signed int _a12) {
                                                				signed int _v8;
                                                				void* __ebp;
                                                				signed int _t70;
                                                				intOrPtr _t71;
                                                				signed int _t72;
                                                				char _t75;
                                                				signed int _t76;
                                                				intOrPtr _t77;
                                                				signed int _t81;
                                                				intOrPtr _t82;
                                                				intOrPtr* _t84;
                                                				signed int _t86;
                                                				signed int _t89;
                                                				intOrPtr _t90;
                                                				intOrPtr _t93;
                                                				signed int _t96;
                                                				intOrPtr _t107;
                                                				intOrPtr _t109;
                                                				void* _t110;
                                                				void* _t111;
                                                				intOrPtr* _t113;
                                                				intOrPtr _t115;
                                                				void* _t117;
                                                				intOrPtr* _t119;
                                                				void* _t135;
                                                
                                                				_t135 = __fp0;
                                                				_t111 = __edi;
                                                				_t110 = __edx;
                                                				_push(__ecx);
                                                				_t70 = _a12 & 0x00000001;
                                                				_t117 = __ecx;
                                                				_v8 = _t70;
                                                				if(_t70 == 0) {
                                                					_t96 = 0;
                                                					L2:
                                                					if( *((intOrPtr*)(_t117 + 0xc)) != _t96) {
                                                						_t71 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t71 - 0x6c3e0088;
                                                						if(_t71 != 0x6c3e0088) {
                                                							__eflags =  *(_t71 + 0x1c) & 0x00000002;
                                                							if(( *(_t71 + 0x1c) & 0x00000002) != 0) {
                                                								_t32 = _t71 + 0x14; // 0x0
                                                								_t33 = _t71 + 0x10; // 0x1
                                                								E6C3D5F11( *_t33,  *_t32, 0x23, E6C3C27B0);
                                                							}
                                                						}
                                                						_t72 = 0;
                                                						L18:
                                                						return _t72;
                                                					}
                                                					_push(_t111);
                                                					_t112 = _a4;
                                                					if(_a4 != _t96) {
                                                						_t23 = _t117 + 0x10; // 0x10
                                                						_t75 = E6C3C173D(_t23, 0x400, _t112);
                                                						__eflags = _t75 - _t96;
                                                						if(_t75 >= _t96) {
                                                							goto L4;
                                                						}
                                                						_t109 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t109 - 0x6c3e0088;
                                                						if(_t109 != 0x6c3e0088) {
                                                							__eflags =  *(_t109 + 0x1c) & 0x00000001;
                                                							if(( *(_t109 + 0x1c) & 0x00000001) != 0) {
                                                								_t37 = _t109 + 0x14; // 0x0
                                                								_t38 = _t109 + 0x10; // 0x1
                                                								E6C3D77B8( *_t38,  *_t37, 0x24, E6C3C27B0, _t112, _t75);
                                                							}
                                                						}
                                                						_a12 = 0x80004005;
                                                						L58:
                                                						_t67 = _t117 + 0x830; // 0x830
                                                						_t113 = _t67;
                                                						_t101 =  *_t113;
                                                						__eflags =  *_t113 - _t96;
                                                						if(__eflags != 0) {
                                                							E6C3CB55A(_t101, __eflags, 1);
                                                							 *_t113 = _t96;
                                                						}
                                                						_t119 = _t117 + 0x814;
                                                						_t102 =  *_t119;
                                                						__eflags =  *_t119 - _t96;
                                                						if(__eflags != 0) {
                                                							E6C3C9EEB(_t102, __eflags, 1);
                                                							 *_t119 = _t96;
                                                						}
                                                						_t72 = _a12;
                                                						L17:
                                                						goto L18;
                                                					}
                                                					L4:
                                                					_t76 = E6C3C17EB(0x20);
                                                					if(_t76 == _t96) {
                                                						_t76 = 0;
                                                					} else {
                                                						 *_t76 = _t96;
                                                						 *((intOrPtr*)(_t76 + 0x1c)) = _t96;
                                                					}
                                                					 *((intOrPtr*)(_t117 + 0x830)) = _t76;
                                                					if(_t76 == _t96) {
                                                						_t77 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t77 - 0x6c3e0088;
                                                						if(_t77 == 0x6c3e0088) {
                                                							goto L40;
                                                						}
                                                						__eflags =  *(_t77 + 0x1c) & 0x00000001;
                                                						if(( *(_t77 + 0x1c) & 0x00000001) == 0) {
                                                							goto L40;
                                                						}
                                                						_push(0x20);
                                                						_push(E6C3C27B0);
                                                						_push(0x25);
                                                						goto L39;
                                                					} else {
                                                						_t81 = E6C3C2885(_t76, _t110, _t112);
                                                						_a12 = _t81;
                                                						if(_t81 < _t96) {
                                                							_t82 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t82 - 0x6c3e0088;
                                                							if(_t82 == 0x6c3e0088) {
                                                								goto L58;
                                                							}
                                                							__eflags =  *(_t82 + 0x1c) & 0x00000001;
                                                							if(( *(_t82 + 0x1c) & 0x00000001) == 0) {
                                                								goto L58;
                                                							}
                                                							_push(E6C3C27B0);
                                                							_push(0x26);
                                                							L44:
                                                							_t49 = _t82 + 0x14; // 0x0
                                                							_push( *_t49);
                                                							_t50 = _t82 + 0x10; // 0x1
                                                							_push( *_t50);
                                                							E6C3D5F11();
                                                							goto L58;
                                                						}
                                                						_t84 = E6C3C17EB(0xc);
                                                						if(_t84 == _t96) {
                                                							_t84 = 0;
                                                						} else {
                                                							 *_t84 = _t96;
                                                							 *((intOrPtr*)(_t84 + 4)) = 0x1f;
                                                							 *((intOrPtr*)(_t84 + 8)) = _t96;
                                                						}
                                                						 *((intOrPtr*)(_t117 + 0x814)) = _t84;
                                                						if(_t84 == _t96) {
                                                							_t77 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t77 - 0x6c3e0088;
                                                							if(_t77 == 0x6c3e0088) {
                                                								L40:
                                                								_a12 = 0x8008000e;
                                                								goto L58;
                                                							}
                                                							__eflags =  *(_t77 + 0x1c) & 0x00000001;
                                                							if(( *(_t77 + 0x1c) & 0x00000001) == 0) {
                                                								goto L40;
                                                							}
                                                							_push(0xc);
                                                							_push(E6C3C27B0);
                                                							_push(0x27);
                                                							L39:
                                                							_t43 = _t77 + 0x14; // 0x0
                                                							_push( *_t43);
                                                							_t44 = _t77 + 0x10; // 0x1
                                                							_push( *_t44);
                                                							E6C3D99F8();
                                                							goto L40;
                                                						} else {
                                                							 *((intOrPtr*)(_t117 + 0x818)) = E6C3C2A40(_t110, _t135, _a8, _t96);
                                                							_t86 = E6C3C3992( *((intOrPtr*)(_t117 + 0x830)));
                                                							_a12 = _t86;
                                                							if(_t86 < _t96) {
                                                								_t82 =  *0x6c3e0088; // 0x6c3e0088
                                                								__eflags = _t82 - 0x6c3e0088;
                                                								if(_t82 == 0x6c3e0088) {
                                                									goto L58;
                                                								}
                                                								__eflags =  *(_t82 + 0x1c) & 0x00000001;
                                                								if(( *(_t82 + 0x1c) & 0x00000001) == 0) {
                                                									goto L58;
                                                								}
                                                								_push(E6C3C27B0);
                                                								_push(0x28);
                                                								goto L44;
                                                							}
                                                							_t115 = E6C3C27B0;
                                                							if( *((intOrPtr*)(_t117 + 0xc)) == 0) {
                                                								_t89 = E6C3C2C9B(_t117, _t110, _t135, _a4, _v8); // executed
                                                								_a12 = _t89;
                                                								if(_t89 < 0) {
                                                									_t90 =  *0x6c3e0088; // 0x6c3e0088
                                                									__eflags = _t90 - 0x6c3e0088;
                                                									if(_t90 != 0x6c3e0088) {
                                                										__eflags =  *(_t90 + 0x1c) & 0x00000001;
                                                										if(( *(_t90 + 0x1c) & 0x00000001) != 0) {
                                                											_t60 = _t90 + 0x14; // 0x0
                                                											_t61 = _t90 + 0x10; // 0x1
                                                											E6C3D5F11( *_t61,  *_t60, 0x29, E6C3C27B0);
                                                										}
                                                									}
                                                								}
                                                							}
                                                							if(E6C3C364E( *((intOrPtr*)(_t117 + 0x830))) < 0) {
                                                								_t107 =  *0x6c3e0088; // 0x6c3e0088
                                                								__eflags = _t107 - 0x6c3e0088;
                                                								if(_t107 != 0x6c3e0088) {
                                                									__eflags =  *(_t107 + 0x1c) & 0x00000001;
                                                									if(( *(_t107 + 0x1c) & 0x00000001) != 0) {
                                                										_t65 = _t107 + 0x14; // 0x0
                                                										_t66 = _t107 + 0x10; // 0x1
                                                										E6C3D99F8( *_t66,  *_t65, 0x2a, _t115, _t87);
                                                									}
                                                								}
                                                							}
                                                							if(_a12 < 0) {
                                                								_t96 = 0;
                                                								__eflags = 0;
                                                								goto L58;
                                                							} else {
                                                								 *((intOrPtr*)(_t117 + 0xc)) = 1;
                                                								_t72 = 0;
                                                								goto L17;
                                                							}
                                                						}
                                                					}
                                                				}
                                                				_t96 = 0;
                                                				if(_a8 == 0) {
                                                					_t93 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t93 - 0x6c3e0088;
                                                					if(_t93 != 0x6c3e0088) {
                                                						__eflags =  *(_t93 + 0x1c) & 0x00000001;
                                                						if(( *(_t93 + 0x1c) & 0x00000001) != 0) {
                                                							_t27 = _t93 + 0x14; // 0x0
                                                							_t28 = _t93 + 0x10; // 0x1
                                                							E6C3D5F11( *_t28,  *_t27, 0x22, E6C3C27B0);
                                                						}
                                                					}
                                                					_t72 = 0x80080057;
                                                					goto L18;
                                                				}
                                                				goto L2;
                                                			}




























                                                0x00000000
                                                0x6c3d1eab
                                                0x00000000

                                                APIs
                                                • ctype.LIBCPMT ref: 6C3D2015
                                                • ctype.LIBCPMT ref: 6C3D202A
                                                  • Part of subcall function 6C3C17EB: malloc.MSVCRT ref: 6C3C17F6
                                                  • Part of subcall function 6C3C2885: InitializeCriticalSectionAndSpinCount.KERNEL32(00000004,00000FA0,?,00000000,00000000), ref: 6C3C28C4
                                                  • Part of subcall function 6C3C3992: EnterCriticalSection.KERNEL32(?,00000000,6C3C397F,00000000,6C3C371E,80004005), ref: 6C3C39AE
                                                  • Part of subcall function 6C3C2C9B: VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,6C3C27B0,00000000,6C3E0088), ref: 6C3C2D01
                                                  • Part of subcall function 6C3C2C9B: VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,000003F8,00000000,?,?,?,?,6C3C27B0,00000000,6C3E0088), ref: 6C3C2D4F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: AllocCriticalSectionVirtualctype$CountEnterInitializeSpinmalloc
                                                • String ID:
                                                • API String ID: 738331480-0
                                                • Opcode ID: 519451f5dd5655bf85ed8c6e8d39474a4e09306cf9924b7e0073555aa9f1eec3
                                                • Instruction ID: 7398ee645faa5c5e416cbe9633ca2a69f4999147a85d9e36c585ca08ce8c3f28
                                                • Opcode Fuzzy Hash: 519451f5dd5655bf85ed8c6e8d39474a4e09306cf9924b7e0073555aa9f1eec3
                                                • Instruction Fuzzy Hash: 0D71C4323442419BDB909E11C9C8FDD3AA9BB0531CF22446DE5509BEA1CB76EC58DF63
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7BD780
                                                  • Part of subcall function 6C793096: __EH_prolog3.LIBCMT ref: 6C79309D
                                                • InitializeCriticalSection.KERNEL32(0000000C), ref: 6C7BD96A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$CriticalInitializeSection
                                                • String ID:
                                                • API String ID: 1185523453-0
                                                • Opcode ID: 154bf3ceabcc7428282f1a3fe3d2e6f70e406136c5b53f03f0839a3c8144efea
                                                • Instruction ID: ad446791f2a6d86ba8bd10725f67f070e8a478c704ea5725c8ab42d9ce9d64a9
                                                • Opcode Fuzzy Hash: 154bf3ceabcc7428282f1a3fe3d2e6f70e406136c5b53f03f0839a3c8144efea
                                                • Instruction Fuzzy Hash: F9615A7550064AEFCF01CFA8C688BDABBB4BF08304F148159E958AB745D774AA19CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C7C847A: RegCloseKey.ADVAPI32(?,?,?,6C78463B,00000034,00000034,00000000), ref: 6C7C84BA
                                                • RegCloseKey.ADVAPI32(?,00000034,00000034,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,6C7842F8,6C76A794,-00000960), ref: 6C78468D
                                                • RegCloseKey.ADVAPI32(?,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,6C7842F8,6C76A794,-00000960), ref: 6C78469E
                                                  • Part of subcall function 6C7C83D2: RegQueryValueExW.ADVAPI32(00000000,00000034,00000000,00000034,00000034,00000000,?,?,6C784685,?,?,6C7842F8,00000034,00000034,00000034,00000034), ref: 6C7C83F4
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Close$QueryValue
                                                • String ID:
                                                • API String ID: 2393043351-0
                                                • Opcode ID: bade8c43f160b944060f5d417530ecebef7b48e451fce154d062e3fe55cced32
                                                • Instruction ID: 9ac762657b63e33abb4c03d5658ba0c6a63961b0bf309a5c1e66bca95a2a00e1
                                                • Opcode Fuzzy Hash: bade8c43f160b944060f5d417530ecebef7b48e451fce154d062e3fe55cced32
                                                • Instruction Fuzzy Hash: FA111675E1122AEFCF01DF95CA088DEBBB9EF48715B104067F924E2214D3B49B15EB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C775F19
                                                  • Part of subcall function 6C7753D4: ExpandEnvironmentStringsW.KERNEL32(?,?,00000105,00000010,6C7FEE70,?,?,?,?,6C7B995C,00000000,?,UiInfo.xml,?,?,00000000), ref: 6C775412
                                                  • Part of subcall function 6C7753D4: ExpandEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,?,6C7B995C,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6C775440
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • PathIsDirectoryW.SHLWAPI(?), ref: 6C775F56
                                                  • Part of subcall function 6C7A8F9E: PathStripPathW.SHLWAPI(00000000,?,?,6C7BF516), ref: 6C7A8FAE
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Path$EnvironmentExpandH_prolog3Strings$DirectoryStrip
                                                • String ID:
                                                • API String ID: 1110704599-0
                                                • Opcode ID: b31c0a4360b686f5a554ccc23d3cbef9f1035f06a999f389de826e58c4c00f9b
                                                • Instruction ID: 1baef8db0c6e75fc45243a6a79b6e56ac03572756811f2652e371e885f8e954b
                                                • Opcode Fuzzy Hash: b31c0a4360b686f5a554ccc23d3cbef9f1035f06a999f389de826e58c4c00f9b
                                                • Instruction Fuzzy Hash: 33112E7161010A9FDB10DBA4DE4CBEEB3B9BF01319F540569E020EBB90DB74DA099B62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7A3B32
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A4513: __CxxThrowException@8.LIBCMT ref: 6C7A45A2
                                                  • Part of subcall function 6C778168: GetFileSize.KERNEL32(?,?,?,?,?,6C7A3B9F,?,?,00000000,?,?,?,?,00000008,6C7AEC79,?), ref: 6C778178
                                                • InitializeCriticalSection.KERNEL32(00000002,?,00000000,00000000,00000002,?,?,00000000,?,?,?,?,00000008,6C7AEC79,?,?), ref: 6C7A3BC9
                                                  • Part of subcall function 6C7780F7: WriteFile.KERNEL32(?,?,?,?,00000000,?,6C7A60F1), ref: 6C77810D
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: FileH_prolog3$CriticalException@8InitializeSectionSizeThrowWrite
                                                • String ID:
                                                • API String ID: 593797809-0
                                                • Opcode ID: efb59fcd484c8df6cc7ff49b5f1eca5ae929e0f0b7c5eb768c8e60f466a15381
                                                • Instruction ID: 498225220972b76bf04058032301393e50879dafcd0c1de14970763a084ff3c9
                                                • Opcode Fuzzy Hash: efb59fcd484c8df6cc7ff49b5f1eca5ae929e0f0b7c5eb768c8e60f466a15381
                                                • Instruction Fuzzy Hash: C6117F7150124AEFDB00DF94CB4DBDEBBB8BF04704F408546A510BBA41C770AA29CBB2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B131C
                                                  • Part of subcall function 6C7B36BA: GetUserDefaultUILanguage.KERNEL32(-00000960,?,00000000,?,?,?,?,6C7B1338,?,00000010,6C785A14,?,?,?,0000004C,6C7BB498), ref: 6C7B36D8
                                                • _free.LIBCMT ref: 6C7B137B
                                                  • Part of subcall function 6C7B374B: __EH_prolog3.LIBCMT ref: 6C7B3752
                                                  • Part of subcall function 6C7B374B: PathFileExistsW.SHLWAPI(?,SetupResources.dll,00000000,00000738,00000000,6C7AFA6E,0000000C,6C7B3A05,?,6C76A794,?), ref: 6C7B37B7
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$DefaultExistsFileLanguagePathUser_free
                                                • String ID:
                                                • API String ID: 2326855983-0
                                                • Opcode ID: b741c38a05a3594900e396c77b58c78b41aca8b0f9103888a2edff6ef642ed7a
                                                • Instruction ID: 724f12a03bbf5e16fd172527870d04b62409f583a73bc761882edb22b6c4ab5e
                                                • Opcode Fuzzy Hash: b741c38a05a3594900e396c77b58c78b41aca8b0f9103888a2edff6ef642ed7a
                                                • Instruction Fuzzy Hash: 2C115BB0C0122A9BCF119FA5CA8D9EEBB78AF04708F114466E96077F00DB34D546CBE2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C798CC6
                                                • PathFileExistsW.SHLWAPI(?,?,?,?), ref: 6C798D2F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ExistsFileH_prolog3Path
                                                • String ID:
                                                • API String ID: 20096932-0
                                                • Opcode ID: 301a34a4227b31201458d723915d64fffbf2f52c34e20c6050d0460a3c8c7bf1
                                                • Instruction ID: 16fdf84de0fcfb19cb2c3458b39acbe8e468684d0760638c215a6d33915c95b9
                                                • Opcode Fuzzy Hash: 301a34a4227b31201458d723915d64fffbf2f52c34e20c6050d0460a3c8c7bf1
                                                • Instruction Fuzzy Hash: 77114F71600249DFDB00DF6CCA89ADD77A4FF15318B00896AE461CF751DB30DA04CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7A906E
                                                • __recalloc.LIBCMT ref: 6C7A90B0
                                                  • Part of subcall function 6C7C8E8C: __CxxThrowException@8.LIBCMT ref: 6C7C8EA0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Exception@8H_prolog3Throw__recalloc
                                                • String ID:
                                                • API String ID: 2968967773-0
                                                • Opcode ID: 7e79de864db9c62570c181f05181630da15c2d23e1449fba9c7ec3648c872bae
                                                • Instruction ID: 8887011173d14ec8379c9f59a10eecef2fd0e285dc0c71db1148b97689a9b31e
                                                • Opcode Fuzzy Hash: 7e79de864db9c62570c181f05181630da15c2d23e1449fba9c7ec3648c872bae
                                                • Instruction Fuzzy Hash: 5801A131240603CAD7208FAA864475B73E6EFA1788F658A2CD5A59BE41EB73E4268641
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: _memmove_s
                                                • String ID:
                                                • API String ID: 800865076-0
                                                • Opcode ID: 052af3e1cd63b7b32d93e05f0403934d3c10a9d179138d7e1437bd8bf0c64c07
                                                • Instruction ID: 05a6815221b3db02adc5698b01c9b0ced252bdf07dfce5a6e0963ca2785c41d9
                                                • Opcode Fuzzy Hash: 052af3e1cd63b7b32d93e05f0403934d3c10a9d179138d7e1437bd8bf0c64c07
                                                • Instruction Fuzzy Hash: 3D01B1B1700006AF8718CF59CE9DCAEB36AEFA4348714016EE5058B700EF71BD04C696
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C775D46
                                                • GetModuleFileNameW.KERNEL32(6C750000,00000010,00000104,?,6C7A831D,00000000), ref: 6C775D93
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: FileH_prolog3ModuleName
                                                • String ID:
                                                • API String ID: 3149745539-0
                                                • Opcode ID: ece64c6b3662350a450c974338a0e1e58ead7f76fc28a31da165e14f35833585
                                                • Instruction ID: a5236578c40f0168255465c2ea4abf8c9aa1db18ee45b40e067bed2f7b44412d
                                                • Opcode Fuzzy Hash: ece64c6b3662350a450c974338a0e1e58ead7f76fc28a31da165e14f35833585
                                                • Instruction Fuzzy Hash: B0017571A1011A9FDB00DF64CA8C9EEBB75FF45355F414A39E414AB790CB30AE0ACB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B3AD3
                                                • _memcpy_s.LIBCMT ref: 6C7B3B17
                                                  • Part of subcall function 6C7C8AFC: _wcsnlen.LIBCMT ref: 6C7C8B0C
                                                  • Part of subcall function 6C7AFF21: _wcsnlen.LIBCMT ref: 6C7AFF54
                                                  • Part of subcall function 6C7AFF21: _memcpy_s.LIBCMT ref: 6C7AFF8A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: _memcpy_s_wcsnlen$H_prolog3
                                                • String ID:
                                                • API String ID: 301610209-0
                                                • Opcode ID: 17deffd131fb5b0e4bbbc531225f955ae6ee460dd3b24465e2b4716bd454232d
                                                • Instruction ID: d299d6331eca66bdbb1a0efa7bda38e898b9e74d58c439c64b3e880ca7c9c6d4
                                                • Opcode Fuzzy Hash: 17deffd131fb5b0e4bbbc531225f955ae6ee460dd3b24465e2b4716bd454232d
                                                • Instruction Fuzzy Hash: 46012C7561020A9FDB00DFA4CA89ADE7369FF08304F458966E9119B711DB34FA19CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegOpenKeyExW.KERNEL32(00000000,00000034,00000000,00000001,00000000,00000000,00000034,?,?,6C78463B,00000034,00000034,00000000), ref: 6C7C84A9
                                                • RegCloseKey.ADVAPI32(?,?,?,6C78463B,00000034,00000034,00000000), ref: 6C7C84BA
                                                  • Part of subcall function 6C7C8414: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,6C7C849F,00000000,00000034,00000001,00000000,00000000,00000034,?,?,6C78463B,00000034,00000034,00000000), ref: 6C7C8425
                                                  • Part of subcall function 6C7C8414: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C7C8435
                                                Similarity
                                                • API ID: AddressCloseHandleModuleOpenProc
                                                • String ID:
                                                • API String ID: 823179699-0
                                                • Opcode ID: 01bb3cfa02f62ba6250824a4f57b402c8ab77fa7f54da88a19e07758647d3bc5
                                                • Instruction ID: d294a26596672f402a36064ac92c6b9b0038049d8ae63203c5957c1d6df60777
                                                • Opcode Fuzzy Hash: 01bb3cfa02f62ba6250824a4f57b402c8ab77fa7f54da88a19e07758647d3bc5
                                                • Instruction Fuzzy Hash: 16F06272201206FFDB058F44CD44B9AB779FF00369F208126F9259B540D735DA10DBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7A9547
                                                • GetCommandLineW.KERNEL32(00000018,?,6C7EBDC8,6C768CA4,6C768CA4,00000738,00000000,ParameterInfo.xml,00000738,schema validation failure: Invalid SerialDownload Value. Only True and False are supported.,?,false,?,true,?), ref: 6C7A954E
                                                  • Part of subcall function 6C773E77: __EH_prolog3.LIBCMT ref: 6C773E7E
                                                Similarity
                                                • API ID: H_prolog3$CommandLine
                                                • String ID:
                                                • API String ID: 1384747822-0
                                                • Opcode ID: c78d900e012dc6bb679592ff9b4760e706928141e993d27ad6db98bbf26f6350
                                                • Instruction ID: be7523cf10dc5b133a4a1ace39196dfa903cc24dcb537ca9e75ddf027ceeebc3
                                                • Opcode Fuzzy Hash: c78d900e012dc6bb679592ff9b4760e706928141e993d27ad6db98bbf26f6350
                                                • Instruction Fuzzy Hash: 07F04F326002048BDB20DBA1C74E7DE73F4AF15309F148969E456E7EA0DB36EE59DB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • UnloadUserProfile.USERENV(6C7A3AE6,6C76BF34,?,6C7A4ABC,6C76A590,10000000,6C76A590,80000000,6C76A590,10000000,6C76A5D8,6C76A54C), ref: 6C7A3AFB
                                                • FindCloseChangeNotification.KERNEL32(6C7A3AE6,?,6C7A4ABC,6C76A590,10000000,6C76A590,80000000,6C76A590,10000000,6C76A5D8,6C76A54C), ref: 6C7A3B0D
                                                Similarity
                                                • API ID: ChangeCloseFindNotificationProfileUnloadUser
                                                • String ID:
                                                • API String ID: 122385185-0
                                                • Opcode ID: f47500901afeb511f121722b3c2de9112b1987569fcce2bbcde4cf3634b361e8
                                                • Instruction ID: 78646753fcf2a942ca24d2036c4ad3bea2561f6ad79739f82bd3ce92a5a591ad
                                                • Opcode Fuzzy Hash: f47500901afeb511f121722b3c2de9112b1987569fcce2bbcde4cf3634b361e8
                                                • Instruction Fuzzy Hash: 26E032313127018BEB288F11DA89F2377EAAF00726F20892CA4AA87840DB74F841CA14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • FlushFileBuffers.KERNEL32(?,?,6C7B2CF3), ref: 6C7A4035
                                                • FindCloseChangeNotification.KERNEL32(?), ref: 6C7A404C
                                                  • Part of subcall function 6C7C89C8: GetLastError.KERNEL32(6C7780E8,6C77A9FA,?,80000000,00000001,00000003,00000080,00000000,00000000,?,?,?,?,?,00000001), ref: 6C7C89C8
                                                Similarity
                                                • API ID: BuffersChangeCloseErrorFileFindFlushLastNotification
                                                • String ID:
                                                • API String ID: 4236133906-0
                                                • Opcode ID: 6fe73e22bd4ffc4d0d8660c7bd930bfc425a3b12efa4dc6b531666036959ab23
                                                • Instruction ID: 064306ad9ab0e78aea734be46197b4e22a7f201b05fe895deaab0e3fe367e029
                                                • Opcode Fuzzy Hash: 6fe73e22bd4ffc4d0d8660c7bd930bfc425a3b12efa4dc6b531666036959ab23
                                                • Instruction Fuzzy Hash: 63D0C7312003018BEB308F72D50E74376F8BF0035AF020E68E462C2800DFB0E809AA51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,6C7AFA6E,-00000960,?,?,6C7A83B3,-00000960,6C76A794,-00000960,6C76A794,00000000), ref: 6C7A851E
                                                • MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,6C7AFA6E,-00000960,?,?,6C7A83B3,-00000960,6C76A794,-00000960,6C76A794), ref: 6C7A853F
                                                Similarity
                                                • API ID: ByteCharMultiWide
                                                • String ID:
                                                • API String ID: 626452242-0
                                                • Opcode ID: 8af9763ce980bb5a4ed02003a32ac21e3cbac841004540e4c986c7bd0375d25e
                                                • Instruction ID: 1a81a8d776450cf4dea675a4e5db3fd90bdb08c6abf4fdea3a12eda80a988d32
                                                • Opcode Fuzzy Hash: 8af9763ce980bb5a4ed02003a32ac21e3cbac841004540e4c986c7bd0375d25e
                                                • Instruction Fuzzy Hash: 70F096323451257BDB115E8A8D48EDF7B2DEB96B74F104216FA28975808E70990287E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C798797
                                                  • Part of subcall function 6C775D3F: __EH_prolog3.LIBCMT ref: 6C775D46
                                                  • Part of subcall function 6C775D3F: GetModuleFileNameW.KERNEL32(6C750000,00000010,00000104,?,6C7A831D,00000000), ref: 6C775D93
                                                  • Part of subcall function 6C7924CD: __EH_prolog3.LIBCMT ref: 6C7924D4
                                                  • Part of subcall function 6C7924CD: __CxxThrowException@8.LIBCMT ref: 6C79255B
                                                  • Part of subcall function 6C78953C: __EH_prolog3.LIBCMT ref: 6C789543
                                                  • Part of subcall function 6C78953C: PathFileExistsW.SHLWAPI(00000000,?,?,?), ref: 6C7895E6
                                                  • Part of subcall function 6C7D68B5: PMDtoOffset.LIBCMT ref: 6C7D6989
                                                  • Part of subcall function 6C7D68B5: std::bad_exception::bad_exception.LIBCMT ref: 6C7D69B3
                                                  • Part of subcall function 6C7D68B5: __CxxThrowException@8.LIBCMT ref: 6C7D69C1
                                                  • Part of subcall function 6C798CBF: __EH_prolog3.LIBCMT ref: 6C798CC6
                                                  • Part of subcall function 6C7A8E8B: PathCombineW.SHLWAPI(?,6C7A831D,?,74AD40B0,?,6C777971,00000000,DW\DW20.exe,?,?,6C7A831D,00000000), ref: 6C7A8EB8
                                                  • Part of subcall function 6C7AB369: __EH_prolog3.LIBCMT ref: 6C7AB370
                                                  • Part of subcall function 6C7AB369: __recalloc.LIBCMT ref: 6C7AB3BB
                                                  • Part of subcall function 6C7ABC6D: __recalloc.LIBCMT ref: 6C7ABCAB
                                                Similarity
                                                • API ID: H_prolog3$Exception@8FilePathThrow__recalloc$CombineExistsModuleNameOffsetstd::bad_exception::bad_exception
                                                • String ID:
                                                • API String ID: 1089964648-0
                                                • Opcode ID: 28cde8e7fec3412bbb2a82e85af345c658c655bc0ccc6c8f44377867638bd59a
                                                • Instruction ID: 28cf2939121b94d7800d695b1e20d1f31aa4a4e7f40bead4dc30fbcc0c9133c5
                                                • Opcode Fuzzy Hash: 28cde8e7fec3412bbb2a82e85af345c658c655bc0ccc6c8f44377867638bd59a
                                                • Instruction Fuzzy Hash: 6FF18E71D0125ADFCF00DFA4CA88ADEBBB5BF05318F1445A5E924BB751C730AA49CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7A7890
                                                  • Part of subcall function 6C7CC0AA: _malloc.LIBCMT ref: 6C7CC0C4
                                                  • Part of subcall function 6C7AA226: GetTickCount.KERNEL32 ref: 6C7AA241
                                                  • Part of subcall function 6C7AA226: GetTickCount.KERNEL32 ref: 6C7AA27C
                                                  • Part of subcall function 6C7AA226: __time64.LIBCMT ref: 6C7AA282
                                                  • Part of subcall function 6C7AA226: InitializeCriticalSection.KERNEL32(00000040,?,6C7A7905,?), ref: 6C7AA292
                                                Similarity
                                                • API ID: CountTick$CriticalH_prolog3InitializeSection__time64_malloc
                                                • String ID:
                                                • API String ID: 349597444-0
                                                • Opcode ID: 8c12e84543b3d1ffcdef3ba4190640fa833bf9cc588de7a71ae60cacee9e2b34
                                                • Instruction ID: 082f53bfe59ca141d9eaaeed695f2ec5cd35eb57304c04e99175faf173fb613d
                                                • Opcode Fuzzy Hash: 8c12e84543b3d1ffcdef3ba4190640fa833bf9cc588de7a71ae60cacee9e2b34
                                                • Instruction Fuzzy Hash: 0B519935600A05DFDB04DFA8C988AAD37B1FF49324F1086A9F416DB7A1CB30E95ACB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7859BF
                                                  • Part of subcall function 6C7856A3: SysFreeString.OLEAUT32(?), ref: 6C78578A
                                                  • Part of subcall function 6C7856A3: SysFreeString.OLEAUT32(?), ref: 6C785799
                                                  • Part of subcall function 6C7856A3: SysFreeString.OLEAUT32(?), ref: 6C7857C7
                                                  • Part of subcall function 6C7B1315: __EH_prolog3.LIBCMT ref: 6C7B131C
                                                  • Part of subcall function 6C7B1315: _free.LIBCMT ref: 6C7B137B
                                                  • Part of subcall function 6C7AB17C: __recalloc.LIBCMT ref: 6C7AB18D
                                                Similarity
                                                • API ID: FreeString$H_prolog3$__recalloc_free
                                                • String ID:
                                                • API String ID: 2446356840-0
                                                • Opcode ID: 19bf6830412873e22935acad8fc533d0eb8dc8eda2e8a753845bc089fe799fcc
                                                • Instruction ID: 4e4d874d9bb080639f96d42328333cda723554546face3127e093c93ecdaf1ba
                                                • Opcode Fuzzy Hash: 19bf6830412873e22935acad8fc533d0eb8dc8eda2e8a753845bc089fe799fcc
                                                • Instruction Fuzzy Hash: A1514CB1D012099FDB40CFA9C6896DEBBF0BF19304F14456ED419ABB00D7749A49CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B14D8
                                                  • Part of subcall function 6C7B3ACC: __EH_prolog3.LIBCMT ref: 6C7B3AD3
                                                  • Part of subcall function 6C7B3ACC: _memcpy_s.LIBCMT ref: 6C7B3B17
                                                Similarity
                                                • API ID: H_prolog3$_memcpy_s
                                                • String ID:
                                                • API String ID: 1663610674-0
                                                • Opcode ID: 2898575f891fc40697568f165b0a4c6f6cf1d0e29bed302dcc042ab8edd749e3
                                                • Instruction ID: bc8754d8a7caff17e18a43edbf64daf22997feb29fce46ee38e6b5a882d720a4
                                                • Opcode Fuzzy Hash: 2898575f891fc40697568f165b0a4c6f6cf1d0e29bed302dcc042ab8edd749e3
                                                • Instruction Fuzzy Hash: 5441F171A0010ADFDF00DF98CA88AEEBBB5FF08308F004555E924AB751C771E915DBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _calloc.LIBCMT ref: 6C795761
                                                  • Part of subcall function 6C7AB5F3: __EH_prolog3.LIBCMT ref: 6C7AB5FA
                                                  • Part of subcall function 6C7AB5F3: __recalloc.LIBCMT ref: 6C7AB642
                                                Similarity
                                                • API ID: H_prolog3__recalloc_calloc
                                                • String ID:
                                                • API String ID: 2338097913-0
                                                • Opcode ID: 2e50a356ca27d78d166379f2a21ba56d9aedbae898d140e2bba1dfefd2369ccb
                                                • Instruction ID: 04204b719d5d454317509e844fe12fa2704ff345b2fa32d4fb47d3144c368c2e
                                                • Opcode Fuzzy Hash: 2e50a356ca27d78d166379f2a21ba56d9aedbae898d140e2bba1dfefd2369ccb
                                                • Instruction Fuzzy Hash: F8113976600316EBD750CFB9E6C894AF7E8AB442597208629E569C3B00E770EA508B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C7B66E5: __EH_prolog3.LIBCMT ref: 6C7B66EC
                                                  • Part of subcall function 6C7B66E5: GetCommandLineW.KERNEL32(00000024,6C7B36CF,00000000,?,?,?,?,6C7B1338,?,00000010,6C785A14,?,?,?,0000004C,6C7BB498), ref: 6C7B66F3
                                                  • Part of subcall function 6C7B66E5: GetUserDefaultUILanguage.KERNEL32(00000738,00000000,00000000,?,?,?,6C7B1338,?,00000010,6C785A14,?,?,?,0000004C,6C7BB498,?), ref: 6C7B672F
                                                  • Part of subcall function 6C7B6782: __EH_prolog3.LIBCMT ref: 6C7B6789
                                                  • Part of subcall function 6C7B6782: CoInitialize.OLE32(00000000), ref: 6C7B67DD
                                                  • Part of subcall function 6C7B6782: CoCreateInstance.OLE32(6C76A974,00000000,00000017,6C76A9A4,6C7AFA6E,?,?,?,UiInfo.xml,?,00000000,00000044,6C7B36D8,-00000960,?,00000000), ref: 6C7B67FB
                                                • GetUserDefaultUILanguage.KERNEL32(-00000960,?,00000000,?,?,?,?,6C7B1338,?,00000010,6C785A14,?,?,?,0000004C,6C7BB498), ref: 6C7B36D8
                                                Similarity
                                                • API ID: DefaultH_prolog3LanguageUser$CommandCreateInitializeInstanceLine
                                                • String ID:
                                                • API String ID: 4049621043-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6C7CD777,6C7CC0C9,?,00000000,00000000,00000000,?,6C7CD37E,00000001,00000214,?,6C7A831D), ref: 6C7D0F1D
                                                  • Part of subcall function 6C7CBD29: __getptd_noexit.LIBCMT ref: 6C7CBD29
                                                 Similarity
                                                 • API ID: AllocateHeap__getptd_noexit
                                                 • String ID:
                                                 • API String ID: 328603210-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                 Similarity
                                                 • API ID: H_prolog3
                                                 • String ID:
                                                 • API String ID: 431132790-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                 Similarity
                                                 • API ID: _memcpy_s
                                                 • String ID:
                                                 • API String ID: 2001391462-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                 Similarity
                                                 • API ID: H_prolog3_catch
                                                 • String ID:
                                                 • API String ID: 3886170330-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileW.KERNEL32(?,?,?,?,00000000,?,00000000,00000001,?,6C77A9FA,?,80000000,00000001,00000003,00000080,00000000), ref: 6C7780D7
                                                  • Part of subcall function 6C7C89E2: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C7780C1,?,?,?,?,00000000,?,00000001,?,6C77A9FA,?,80000000,00000001), ref: 6C7C89F3
                                                  • Part of subcall function 6C7C89E2: GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6C7C8A03
                                                 Similarity
                                                 • API ID: AddressCreateFileHandleModuleProc
                                                 • String ID:
                                                 • API String ID: 2580138172-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                 Similarity
                                                 • API ID: H_prolog3
                                                 • String ID:
                                                 • API String ID: 431132790-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                 Similarity
                                                 • API ID: H_prolog3_catch
                                                 • String ID:
                                                 • API String ID: 3886170330-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                 Similarity
                                                 • API ID: H_prolog3
                                                 • String ID:
                                                 • API String ID: 431132790-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                 Similarity
                                                 • API ID: H_prolog3
                                                 • String ID:
                                                 • API String ID: 431132790-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C777C75
                                                  • Part of subcall function 6C777CE8: __EH_prolog3.LIBCMT ref: 6C777CEF
                                                 Similarity
                                                 • API ID: H_prolog3
                                                 • String ID:
                                                 • API String ID: 431132790-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7739B4
                                                  • Part of subcall function 6C7C8DCD: _vwprintf.LIBCMT ref: 6C7C8E13
                                                  • Part of subcall function 6C7C8DCD: _vswprintf_s.LIBCMT ref: 6C7C8E38
                                                 Similarity
                                                 • API ID: H_prolog3_vswprintf_s_vwprintf
                                                 • String ID:
                                                 • API String ID: 3682816334-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 Similarity
                                                 • API ID:
                                                 • String ID:
                                                 • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,6C77AA3A,?,00000000,00000000,00000002,?,80000000,00000001,00000003), ref: 6C778149
                                                  • Part of subcall function 6C7C89C8: GetLastError.KERNEL32(6C7780E8,6C77A9FA,?,80000000,00000001,00000003,00000080,00000000,00000000,?,?,?,?,?,00000001), ref: 6C7C89C8
                                                 Similarity
                                                 • API ID: ErrorFileLastPointer
                                                 • String ID:
                                                 • API String ID: 2976181284-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C773965
                                                  • Part of subcall function 6C7A8C24: __EH_prolog3.LIBCMT ref: 6C7A8C2B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID:
                                                • API String ID: 431132790-0
                                                • Opcode ID: 5bca6ab3955c6132f961ed5ca376ae50495483cfb1b0938b8d22022a7ce71fce
                                                • Instruction ID: 435157f053ae4fdaea1daefdf4f103acb64cbce74fb1a6025840c5d246ddf9e2
                                                • Opcode Fuzzy Hash: 5bca6ab3955c6132f961ed5ca376ae50495483cfb1b0938b8d22022a7ce71fce
                                                • Instruction Fuzzy Hash: 1CF0397120014AEFCB00EBB8CA0CB9DF762BF00318F108A45E1209BB90CB31E928DB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateThread.KERNEL32(00000000,00000000,Function_000472BD,?,00000000,00000000), ref: 6C79730C
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: d17f2bc3317e18c728b10711f2cca42eb1b7658995a69f4e3d9014740e52a7a3
                                                • Instruction ID: ac828ab57e8f16c764e349a6049848d461bed14805c0d108286c87a9e967ab7b
                                                • Opcode Fuzzy Hash: d17f2bc3317e18c728b10711f2cca42eb1b7658995a69f4e3d9014740e52a7a3
                                                • Instruction Fuzzy Hash: 87D09EB65103147F67109E699C44CB37BECEA592A1751C426FD19C3600DA70EC418BB4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C773924
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID:
                                                • API String ID: 431132790-0
                                                • Opcode ID: 1ec05a975bb0dc0829a0763b3e672982943402e104d471035c80a1270b7a6c6b
                                                • Instruction ID: 4e12cb12f93de68bf212c53472b0b0d543b2ed4ef8dcf740d5282e6e34139318
                                                • Opcode Fuzzy Hash: 1ec05a975bb0dc0829a0763b3e672982943402e104d471035c80a1270b7a6c6b
                                                • Instruction Fuzzy Hash: AEE01A75601605EFCF019F54CA48B9DB7A1FF08314F00C405F9159B750C734EA25EB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteFile.KERNEL32(?,?,?,?,00000000,?,6C7A60F1), ref: 6C77810D
                                                  • Part of subcall function 6C7C89C8: GetLastError.KERNEL32(6C7780E8,6C77A9FA,?,80000000,00000001,00000003,00000080,00000000,00000000,?,?,?,?,?,00000001), ref: 6C7C89C8
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                Similarity
                                                • API ID: ErrorFileLastWrite
                                                • String ID:
                                                • API String ID: 442123175-0
                                                • Opcode ID: b3de669c3059242a419b218132abe16ad029acb42620f0edd5848d56f2abbbb3
                                                • Instruction ID: c36d3f81306172478b070790919266d4b3130f5fc8f6935432956828571ad817
                                                • Opcode Fuzzy Hash: b3de669c3059242a419b218132abe16ad029acb42620f0edd5848d56f2abbbb3
                                                • Instruction Fuzzy Hash: 12D0173220420DBFDF108EA2CD05E9A3BADEB45390F004426FA1486510DA32D820DB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID:
                                                • API String ID: 431132790-0
                                                • Opcode ID: 2652416486aa40cd7ced27198804b6a06e8879869ce305bf797b07218eb4543e
                                                • Instruction ID: 5d4eb607520d81021b1a392ba5bf7af28db2ae9d0a389734a1fa0712861b253d
                                                • Opcode Fuzzy Hash: 2652416486aa40cd7ced27198804b6a06e8879869ce305bf797b07218eb4543e
                                                • Instruction Fuzzy Hash: 70E0C23120050467DF016B608B0DBCE33156F0171CF01C441F8407FB00C7349B2A5BA6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7A8387
                                                  • Part of subcall function 6C7A84FF: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,6C7AFA6E,-00000960,?,?,6C7A83B3,-00000960,6C76A794,-00000960,6C76A794,00000000), ref: 6C7A851E
                                                  • Part of subcall function 6C7A84FF: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,6C7AFA6E,-00000960,?,?,6C7A83B3,-00000960,6C76A794,-00000960,6C76A794), ref: 6C7A853F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                Similarity
                                                • API ID: ByteCharMultiWide$H_prolog3
                                                • String ID:
                                                • API String ID: 692526729-0
                                                • Opcode ID: 2f14e547771a8dc72b2f49108dbb8f802203cada6baaaaa35c49a3fba32687d5
                                                • Instruction ID: 0728fe2ebe83f470595b0645c4ad9e51c3ff8a9aa02f7b7d10e16ec3096206b5
                                                • Opcode Fuzzy Hash: 2f14e547771a8dc72b2f49108dbb8f802203cada6baaaaa35c49a3fba32687d5
                                                • Instruction Fuzzy Hash: FBE0123110055467DB016F948B0DBCE33166F0171CF058551F9546FB40CB359B2A57A6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 6C7D5505
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                • Opcode ID: 63364f8786b7b670924d37db887e53a16bf2abb108c914f43320807ad14fd966
                                                • Instruction ID: 1179a9850d855b7629796a6b5df23033baa05aca49b98468ae5211973aa005e5
                                                • Opcode Fuzzy Hash: 63364f8786b7b670924d37db887e53a16bf2abb108c914f43320807ad14fd966
                                                • Instruction Fuzzy Hash: E6C08C32040208FBCF124E80DD09F9A7F6AEB90355F65C030B61C188A0CB72E5A1DBC4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CoCreateInstance.OLE32(6C76A974,00000000,00000017,6C76A9A4,?,?,6C77B029,?,0000002C,6C7BD55B,?,?,?,?,00000001), ref: 6C7A91C5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                Similarity
                                                • API ID: CreateInstance
                                                • String ID:
                                                • API String ID: 542301482-0
                                                • Opcode ID: 23d5059685491bfab54fbab2669f85c82321249c6799240a38ec01be29341fae
                                                • Instruction ID: 41919deb322e137b4628129096c7b6d0a34317c19f8b3b3c435f2acc417c8ada
                                                • Opcode Fuzzy Hash: 23d5059685491bfab54fbab2669f85c82321249c6799240a38ec01be29341fae
                                                • Instruction Fuzzy Hash: F8C02B3218030CBBC7100983CC05FA5BE28C7C4730F314421BB4A14C824FB1D5109D69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 6C7D54E3
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: c9ce6e2989a8ad5aa0b372018b152fbeee4a655ad360779068225210ff2a034a
                                                • Instruction ID: 1cfff628007bb00a6bf77ceb53ebdbb9b187b07441a8ddcdaa3834b31db7ff90
                                                • Opcode Fuzzy Hash: c9ce6e2989a8ad5aa0b372018b152fbeee4a655ad360779068225210ff2a034a
                                                • Instruction Fuzzy Hash: 0FC09B36140108B7CB111E41DC05F45BFA9D795751F54C061F608054628B73D421D694
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 42725d52b55b85df1397cc2b02556029724c17e74395ac60014fb864f0cb37de
                                                • Instruction ID: 183d9fce43d4d71b83556d235f1ca361bb167ba15b1ce0c5bb60238e7891c57d
                                                • Opcode Fuzzy Hash: 42725d52b55b85df1397cc2b02556029724c17e74395ac60014fb864f0cb37de
                                                • Instruction Fuzzy Hash: 33B0923200024CFB8F016F82EC08C9ABF2AEB95321B648426F929020218B32D830EA50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLastError.KERNEL32(?,6C7AA320,342C82DB,?,?), ref: 6C77C55E
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                Similarity
                                                • API ID: ErrorLast
                                                • String ID:
                                                • API String ID: 1452528299-0
                                                • Opcode ID: 4cab10ff8ecb64d19086b14082a3a04766a12104d2302f9e4f319810dcb17536
                                                • Instruction ID: 89ee0ffdb12c4949393ab1503ae2afda8ba0288f863154d5dc8353fb0a3bf002
                                                • Opcode Fuzzy Hash: 4cab10ff8ecb64d19086b14082a3a04766a12104d2302f9e4f319810dcb17536
                                                • Instruction Fuzzy Hash: F511C272741706AFEB34CF21DA1AB267BE4AB04715F20893DE206CA5D0DB75E5048B54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                • Opcode ID: 1aefbb7d5e7fc3b024e319d9d652e712d48c55a9fa80289326d9c1cd55f0e8d6
                                                • Instruction ID: 3d1cef4d6b03c9455d0287dcfbc2a0c1b991ebed71096f39ba48d84f5c9333e6
                                                • Opcode Fuzzy Hash: 1aefbb7d5e7fc3b024e319d9d652e712d48c55a9fa80289326d9c1cd55f0e8d6
                                                • Instruction Fuzzy Hash: DCE0EC361007049FCB209F66D54DD86BBE5EF45331B00C82AE99A97A20DB31F810DF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 94%
                                                			E6C3C4281(void* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, short _a16, short _a20, intOrPtr* _a24) {
                                                				signed int _v8;
                                                				void _v526;
                                                				char _v528;
                                                				struct _WIN32_FIND_DATAW _v1120;
                                                				struct _SECURITY_ATTRIBUTES* _v1124;
                                                				void* _v1128;
                                                				intOrPtr _v1132;
                                                				char _v1136;
                                                				void* _v1140;
                                                				intOrPtr _v1144;
                                                				struct _CRITICAL_SECTION* _v1148;
                                                				intOrPtr _v1152;
                                                				WCHAR* _v1156;
                                                				intOrPtr _v1160;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t105;
                                                				intOrPtr _t113;
                                                				intOrPtr _t116;
                                                				void* _t119;
                                                				intOrPtr _t120;
                                                				struct _SECURITY_ATTRIBUTES* _t122;
                                                				intOrPtr _t123;
                                                				struct _CRITICAL_SECTION* _t125;
                                                				intOrPtr _t127;
                                                				intOrPtr _t131;
                                                				void* _t134;
                                                				void* _t140;
                                                				void* _t143;
                                                				intOrPtr _t144;
                                                				long _t145;
                                                				intOrPtr _t146;
                                                				intOrPtr _t149;
                                                				intOrPtr _t150;
                                                				WCHAR* _t152;
                                                				intOrPtr _t153;
                                                				intOrPtr _t165;
                                                				void* _t180;
                                                				void* _t181;
                                                				WCHAR* _t182;
                                                				signed int _t183;
                                                
                                                				_t180 = __edx;
                                                				_t168 = __ecx;
                                                				_t105 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t105 ^ _t183;
                                                				_t182 = _a4;
                                                				_v1152 = _a8;
                                                				_v1160 = _a12;
                                                				_v1128 = _a24;
                                                				_t181 = __ecx;
                                                				_v528 = 0;
                                                				memset( &_v526, 0, 0x206);
                                                				 *_v1128 = 0;
                                                				_v1136 = 0;
                                                				if( *_t181 == 0) {
                                                					_t113 = 0x80004005;
                                                					L11:
                                                					return E6C3C171F(_t113, 0, _v8 ^ _t183, _t180, _t181, _t182);
                                                				}
                                                				if(E6C3C443B(_t168) == 0) {
                                                					_t116 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t116 != 0x6c3e0088 && ( *(_t116 + 0x1c) & 0x00000004) != 0) {
                                                						_t70 = _t116 + 0x14; // 0x0
                                                						_t71 = _t116 + 0x10; // 0x1
                                                						E6C3D5F11( *_t71,  *_t70, 0x13, 0x6c3c7af4);
                                                					}
                                                					_t113 = 0x1000010c;
                                                					goto L11;
                                                				}
                                                				_t119 = E6C3C3E29(_t182, 0x80000002, L"Software\\Microsoft\\SQMClient", L"DoNotDeleteFileAfterUpload",  &_v1136);
                                                				if(_t119 == 0) {
                                                					if(_v1136 == 0) {
                                                						goto L3;
                                                					}
                                                					_t120 = _t119 + 1;
                                                					L4:
                                                					 *((intOrPtr*)(_t181 + 8)) = _t120;
                                                					_t122 = E6C3C173D( &_v528, 0x104, _t182);
                                                					_v1124 = _t122;
                                                					if(_t122 < 0) {
                                                						_t123 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t123 != 0x6c3e0088 && ( *(_t123 + 0x1c) & 0x00000001) != 0) {
                                                							_t77 = _t123 + 0x14; // 0x0
                                                							_t78 = _t123 + 0x10; // 0x1
                                                							E6C3D99F8( *_t78,  *_t77, 0x14, 0x6c3c7af4, _v1124);
                                                						}
                                                						_t113 = 0x80070057;
                                                						goto L11;
                                                					}
                                                					_t17 = _t181 + 0x30; // 0x30
                                                					_t125 = _t17;
                                                					_v1148 = _t125;
                                                					EnterCriticalSection(_t125);
                                                					_t127 =  *0x6c3e04ec( &_v528);
                                                					_v1132 = _t127;
                                                					_v1144 = 0x103 - (_t127 -  &_v528 >> 1);
                                                					if(_v1132 == 0) {
                                                						_t131 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t131 != 0x6c3e0088 && ( *(_t131 + 0x1c) & 0x00000001) != 0) {
                                                							_t82 = _t131 + 0x14; // 0x0
                                                							_t83 = _t131 + 0x10; // 0x1
                                                							E6C3D5F11( *_t83,  *_t82, 0x15, 0x6c3c7af4);
                                                						}
                                                						_v1124 = 0x80070057;
                                                						L10:
                                                						LeaveCriticalSection(_v1148);
                                                						_t113 = _v1124;
                                                						goto L11;
                                                					}
                                                					_t134 = FindFirstFileW(_t182,  &_v1120);
                                                					_v1140 = _t134;
                                                					if(_t134 != 0xffffffff) {
                                                						do {
                                                							if(_v1120.dwFileAttributes == 0x10) {
                                                								goto L21;
                                                							}
                                                							_t149 = E6C3C173D(_v1132, _v1144,  &(_v1120.cFileName));
                                                							_v1124 = _t149;
                                                							if(_t149 < 0) {
                                                								_t150 =  *0x6c3e0088; // 0x6c3e0088
                                                								if(_t150 != 0x6c3e0088 && ( *(_t150 + 0x1c) & 0x00000001) != 0) {
                                                									_t91 = _t150 + 0x14; // 0x0
                                                									_t92 = _t150 + 0x10; // 0x1
                                                									E6C3D99F8( *_t92,  *_t91, 0x17, 0x6c3c7af4, _v1124);
                                                								}
                                                							} else {
                                                								_t152 = E6C3C17EB(0x14);
                                                								if(_t152 == 0) {
                                                									_t182 = 0;
                                                								} else {
                                                									 *_t152 = 0;
                                                									_t152[2] = 0;
                                                									_t152[4] = 0;
                                                									_t182 = _t152;
                                                								}
                                                								_v1156 = _t182;
                                                								if(_t182 == 0) {
                                                									_t153 =  *0x6c3e0088; // 0x6c3e0088
                                                									if(_t153 != 0x6c3e0088 && ( *(_t153 + 0x1c) & 0x00000001) != 0) {
                                                										_t96 = _t153 + 0x14; // 0x0
                                                										_t97 = _t153 + 0x10; // 0x1
                                                										E6C3D99F8( *_t97,  *_t96, 0x18, 0x6c3c7af4, 0x14);
                                                									}
                                                									_v1124 = 0x8007000e;
                                                									break;
                                                								}
                                                								E6C3CBA1D(_t182,  &_v528);
                                                								_t43 =  &(_t182[2]); // 0x4
                                                								E6C3CBA1D(_t43, _v1152);
                                                								_t45 =  &(_t182[4]); // 0x8
                                                								E6C3CBA1D(_t45, _v1160);
                                                								_t182[6] = _a20;
                                                								_t182[8] = _a16;
                                                								_t51 = _t181 + 0x14; // 0x14
                                                								if(E6C3CB850(_t51,  &_v1156) == 0) {
                                                									E6C3CE3FA(_t182, 1);
                                                								} else {
                                                									 *_v1128 =  *_v1128 + 1;
                                                									_v1124 = 0;
                                                								}
                                                							}
                                                							L21:
                                                						} while (FindNextFileW(_v1140,  &_v1120) != 0 && (_a16 & 0x00000002) != 0);
                                                						FindClose(_v1140);
                                                						if( *_v1128 > 0 &&  *((intOrPtr*)(_t181 + 4)) == 0) {
                                                							ResetEvent( *(_t181 + 0x48));
                                                							_t140 =  *(_t181 + 0x50);
                                                							if(_t140 != 0) {
                                                								CloseHandle(_t140);
                                                							}
                                                							_t64 = _t181 + 0x54; // 0x54
                                                							_t143 = CreateThread(0, 0, E6C3CBC8D, _t181, 0, _t64);
                                                							 *(_t181 + 0x50) = _t143;
                                                							if(_t143 == 0) {
                                                								_t144 =  *0x6c3e0088; // 0x6c3e0088
                                                								if(_t144 != 0x6c3e0088 && ( *(_t144 + 0x1c) & 0x00000001) != 0) {
                                                									_t145 = GetLastError();
                                                									_t146 =  *0x6c3e0088; // 0x6c3e0088
                                                									_t102 = _t146 + 0x14; // 0x0
                                                									_t103 = _t146 + 0x10; // 0x1
                                                									E6C3D99F8( *_t103,  *_t102, 0x19, 0x6c3c7af4, _t145);
                                                								}
                                                								_v1124 = 0x80004005;
                                                							} else {
                                                								 *((intOrPtr*)(_t181 + 4)) = 1;
                                                							}
                                                						}
                                                						goto L10;
                                                					}
                                                					_t165 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t165 != 0x6c3e0088 && ( *(_t165 + 0x1c) & 0x00000001) != 0) {
                                                						_t85 = _t165 + 0x14; // 0x0
                                                						_t86 = _t165 + 0x10; // 0x1
                                                						E6C3D774A( *_t86,  *_t85, 0x16, 0x6c3c7af4, _t182);
                                                					}
                                                					_v1124 = 0x90080108;
                                                					goto L10;
                                                				}
                                                				L3:
                                                				_t120 = 0;
                                                				goto L4;
                                                			}















































                                                APIs
                                                • memset.MSVCRT ref: 6C3C42CF
                                                  • Part of subcall function 6C3C443B: LoadLibraryW.KERNEL32(SensApi.dll,00000000,?), ref: 6C3C4452
                                                  • Part of subcall function 6C3C443B: GetProcAddress.KERNEL32(00000000,IsNetworkAlive), ref: 6C3C4468
                                                  • Part of subcall function 6C3C443B: FreeLibrary.KERNEL32(00000000), ref: 6C3C447F
                                                  • Part of subcall function 6C3C3E29: RegOpenKeyExW.ADVAPI32(?,?,00000000,-00020018,00000000,80000002,CEIPEnable,00000002), ref: 6C3C3E94
                                                  • Part of subcall function 6C3C3E29: RegQueryValueExW.ADVAPI32(00000000,00000002,00000000,?,?,00000004), ref: 6C3C3EB0
                                                  • Part of subcall function 6C3C3E29: RegCloseKey.ADVAPI32(00000000), ref: 6C3C3ECE
                                                • EnterCriticalSection.KERNEL32(00000030,?,00000104,?,80000002,Software\Microsoft\SQMClient,DoNotDeleteFileAfterUpload,?,00000000,?,6C3E0168), ref: 6C3C434C
                                                • FindFirstFileW.KERNEL32(?,?,?,6C3E0168), ref: 6C3C4392
                                                • LeaveCriticalSection.KERNEL32(?,?,6C3E0168), ref: 6C3C43CD
                                                • ctype.LIBCPMT ref: 6C3C43F5
                                                • FindNextFileW.KERNEL32(?,00000010,?,6C3E0168), ref: 6C3CB9A3
                                                • FindClose.KERNEL32(?,?,6C3E0168), ref: 6C3CB9BD
                                                • ResetEvent.KERNEL32(?,?,6C3E0168), ref: 6C3CB9DD
                                                • CreateThread.KERNEL32(00000000,00000000,6C3CBC8D,00000000,00000000,00000054), ref: 6C3CB9FB
                                                  • Part of subcall function 6C3CB850: realloc.MSVCRT ref: 6C3CB88E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: Find$CloseCriticalFileLibrarySection$AddressCreateEnterEventFirstFreeLeaveLoadNextOpenProcQueryResetThreadValuectypememsetrealloc
                                                • String ID: DoNotDeleteFileAfterUpload$Fm*$Software\Microsoft\SQMClient$W
                                                • API String ID: 746345222-3951231449
                                                • Opcode ID: 946d2151874ee16431a601ff8f73cacc08b1259389e747f9b44371b9f92ae044
                                                • Instruction ID: 1319998bb331f322a36d56f1a9cc22cf029e874c4dfbd67ea878d50d613c8ce3
                                                • Opcode Fuzzy Hash: 946d2151874ee16431a601ff8f73cacc08b1259389e747f9b44371b9f92ae044
                                                • Instruction Fuzzy Hash: F6B19EB1A002599FCB50CF24CC84B9D7BB8BF05308F104599E658D6A51DB32EE94DF56
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E6C3D8097(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                				signed int _v8;
                                                				void _v526;
                                                				short _v528;
                                                				struct _WIN32_FIND_DATAW _v1120;
                                                				long _v1124;
                                                				void* _v1128;
                                                				intOrPtr _v1132;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t60;
                                                				signed int _t67;
                                                				void* _t70;
                                                				intOrPtr _t76;
                                                				intOrPtr _t81;
                                                				intOrPtr _t86;
                                                				intOrPtr _t89;
                                                				intOrPtr _t98;
                                                				void* _t99;
                                                				intOrPtr _t101;
                                                				long _t102;
                                                				signed int _t103;
                                                				void* _t104;
                                                				void* _t105;
                                                				void* _t106;
                                                
                                                				_t99 = __edx;
                                                				_t60 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t60 ^ _t103;
                                                				_t101 = _a8;
                                                				_t100 = _a4;
                                                				_t91 = 0;
                                                				_v1132 = _t100;
                                                				_v1124 = 0;
                                                				_v1120.dwFileAttributes = 0;
                                                				memset( &(_v1120.ftCreationTime), 0, 0x24c);
                                                				_v528 = 0;
                                                				memset( &_v526, 0, 0x206);
                                                				_t105 = _t104 + 0x18;
                                                				if(_t101 != 0) {
                                                					if(_t100 != 0) {
                                                						_push(_t101);
                                                						_t91 = L"%s\\%s";
                                                						_t100 = 0x104;
                                                						_t67 = E6C3C18E5( &_v528, 0x104, L"%s\\%s", 0x104);
                                                						_t106 = _t105 + 0x14;
                                                						if(_t67 >= 0) {
                                                							_t70 = FindFirstFileW( &_v528,  &_v1120);
                                                							_v1128 = _t70;
                                                							if(_t70 != 0xffffffff) {
                                                								do {
                                                									if(_v1120.dwFileAttributes != 0x10) {
                                                										_push( &(_v1120.cFileName));
                                                										_t102 = E6C3C18E5( &_v528, _t100, _t91, _v1132);
                                                										_t106 = _t106 + 0x14;
                                                										if(_t102 < 0) {
                                                											_t76 =  *0x6c3e0088; // 0x6c3e0088
                                                											if(_t76 != 0x6c3e0088 && ( *(_t76 + 0x1c) & 0x00000001) != 0) {
                                                												_t52 = _t76 + 0x14; // 0x0
                                                												_t53 = _t76 + 0x10; // 0x1
                                                												E6C3D99F8( *_t53,  *_t52, 0x63, 0x6c3d5ab8, _t102);
                                                											}
                                                											_v1124 = _t102;
                                                										} else {
                                                											if(DeleteFileW( &_v528) == 0) {
                                                												_v1124 = GetLastError();
                                                												_t81 =  *0x6c3e0088; // 0x6c3e0088
                                                												if(_t81 != 0x6c3e0088 && ( *(_t81 + 0x1c) & 0x00000001) != 0) {
                                                													_t47 = _t81 + 0x14; // 0x0
                                                													_t48 = _t81 + 0x10; // 0x1
                                                													E6C3D77B8( *_t48,  *_t47, 0x62, 0x6c3d5ab8,  &_v528, _v1124);
                                                												}
                                                											}
                                                										}
                                                									}
                                                								} while (FindNextFileW(_v1128,  &_v1120) != 0);
                                                								FindClose(_v1128);
                                                								L29:
                                                								return E6C3C171F(_v1124, _t91, _v8 ^ _t103, _t99, _t100, _t102);
                                                							}
                                                							_t86 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t86 != 0x6c3e0088 && ( *(_t86 + 0x1c) & 0x00000004) != 0) {
                                                								_t34 = _t86 + 0x14; // 0x0
                                                								_t35 = _t86 + 0x10; // 0x1
                                                								E6C3D774A( *_t35,  *_t34, 0x61, 0x6c3d5ab8,  &_v528);
                                                							}
                                                							goto L29;
                                                						}
                                                						_v1124 = _t67 & 0x1000ffff;
                                                						_t98 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t98 != 0x6c3e0088 && ( *(_t98 + 0x1c) & 0x00000001) != 0) {
                                                							_t25 = _t98 + 0x14; // 0x0
                                                							_t26 = _t98 + 0x10; // 0x1
                                                							E6C3D99F8( *_t26,  *_t25, 0x60, 0x6c3d5ab8, _t67);
                                                						}
                                                						goto L29;
                                                					}
                                                					_v1124 = 0x57;
                                                					_t89 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t89 != 0x6c3e0088 && ( *(_t89 + 0x1c) & 0x00000001) != 0) {
                                                						_push(0x6c3d5ab8);
                                                						_push(0x5f);
                                                						L4:
                                                						_t14 = _t89 + 0x14; // 0x0
                                                						_push( *_t14);
                                                						_t15 = _t89 + 0x10; // 0x1
                                                						_push( *_t15);
                                                						E6C3D5F11();
                                                					}
                                                					goto L29;
                                                				}
                                                				_v1124 = 0x57;
                                                				_t89 =  *0x6c3e0088; // 0x6c3e0088
                                                				if(_t89 == 0x6c3e0088 || ( *(_t89 + 0x1c) & 0x00000001) == 0) {
                                                					goto L29;
                                                				} else {
                                                					_push(0x6c3d5ab8);
                                                					_push(0x5e);
                                                					goto L4;
                                                				}
                                                			}

                                                APIs
                                                • memset.MSVCRT ref: 6C3D80D6
                                                • memset.MSVCRT ref: 6C3D80EF
                                                  • Part of subcall function 6C3C18E5: _vsnwprintf.MSVCRT ref: 6C3C1913
                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,1000FFFF,00000000), ref: 6C3D81D8
                                                  • Part of subcall function 6C3D99F8: EtwTraceMessage.NTDLL ref: 6C3D9A13
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: memset$FileFindFirstMessageTrace_vsnwprintf
                                                • String ID: %s\%s$Fm*$W
                                                • API String ID: 675349215-382410875
                                                • Opcode ID: 78b6c4a685fd3f5de084b599c419c1434b3f999f702982de322849e41b81f4d5
                                                • Instruction ID: c5bad2e841429cb694d2a822f93a7eafe7a8f71955fb0b63a69345aaa84e2699
                                                • Opcode Fuzzy Hash: 78b6c4a685fd3f5de084b599c419c1434b3f999f702982de322849e41b81f4d5
                                                • Instruction Fuzzy Hash: 4551B4B29002589FCB11DF55CC84FDA77B8AB0930CF1201D6E616A6952D732FE88DF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 35%
                                                			E6C3C171F(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                				intOrPtr _v0;
                                                				void* _v804;
                                                				intOrPtr _v808;
                                                				intOrPtr _v812;
                                                				intOrPtr _t11;
                                                				intOrPtr _t12;
                                                				intOrPtr _t13;
                                                				intOrPtr* _t27;
                                                				void* _t30;
                                                
                                                				_t30 = __ecx -  *0x6c3e01a0; // 0xeb2a6d46
                                                				if(_t30 == 0) {
                                                					asm("repe ret");
                                                					return memset();
                                                				}
                                                				 *0x6c3e02b8 = __eax;
                                                				 *0x6c3e02b4 = __ecx;
                                                				 *0x6c3e02b0 = __edx;
                                                				 *0x6c3e02ac = __ebx;
                                                				 *0x6c3e02a8 = __esi;
                                                				 *0x6c3e02a4 = __edi;
                                                				 *0x6c3e02d0 = ss;
                                                				 *0x6c3e02c4 = cs;
                                                				 *0x6c3e02a0 = ds;
                                                				 *0x6c3e029c = es;
                                                				 *0x6c3e0298 = fs;
                                                				 *0x6c3e0294 = gs;
                                                				asm("pushfd");
                                                				_pop( *0x6c3e02c8);
                                                				 *0x6c3e02bc =  *_t27;
                                                				 *0x6c3e02c0 = _v0;
                                                				 *0x6c3e02cc =  &_a4;
                                                				 *0x6c3e0208 = 0x10001;
                                                				_t11 =  *0x6c3e02c0; // 0x0
                                                				 *0x6c3e01c4 = _t11;
                                                				 *0x6c3e01b8 = 0xc0000409;
                                                				 *0x6c3e01bc = 1;
                                                				_t12 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v812 = _t12;
                                                				_t13 =  *0x6c3e008c; // 0x14d592b9
                                                				_v808 = _t13;
                                                				SetUnhandledExceptionFilter(0);
                                                				UnhandledExceptionFilter(E6C3DA50C);
                                                				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                			}

                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C3DA4E6
                                                • UnhandledExceptionFilter.KERNEL32(6C3DA50C), ref: 6C3DA4F1
                                                • GetCurrentProcess.KERNEL32(C0000409), ref: 6C3DA4FC
                                                • TerminateProcess.KERNEL32(00000000), ref: 6C3DA503
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                • String ID: Fm*
                                                • API String ID: 3231755760-3000852143
                                                • Opcode ID: 90c7b8008f4b96b836c0d4df1140dbdd8b7e19a9d686a65f47a03b0820afc10b
                                                • Instruction ID: f85c80ec63dbd34dee3b55c7da5a56a8f36fa506ceca515ad05352d46942b942
                                                • Opcode Fuzzy Hash: 90c7b8008f4b96b836c0d4df1140dbdd8b7e19a9d686a65f47a03b0820afc10b
                                                • Instruction Fuzzy Hash: 252189B8A06285DFCBE1DF59C5856887BFCFB0E300B50415BE9499B350EB71AA80AF45
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 32%
                                                			E6C3DD81C(intOrPtr __ebx, signed int __ecx, signed int __edx, intOrPtr __edi, signed int _a4, unsigned int _a8, signed int _a12, signed int _a16, char _a20) {
                                                				signed int _v8;
                                                				void _v1608;
                                                				void _v3208;
                                                				signed int _v3212;
                                                				unsigned int _v3216;
                                                				signed int _v3220;
                                                				signed int _v3224;
                                                				char _v3228;
                                                				signed int _v3232;
                                                				void* __esi;
                                                				signed int _t86;
                                                				signed int _t91;
                                                				intOrPtr _t96;
                                                				signed short _t98;
                                                				unsigned int _t99;
                                                				signed int _t102;
                                                				signed int _t110;
                                                				signed int _t113;
                                                				unsigned int _t115;
                                                				signed int _t119;
                                                				intOrPtr _t127;
                                                				signed int _t130;
                                                				char _t131;
                                                				signed short _t134;
                                                				unsigned int _t135;
                                                				signed int _t138;
                                                				signed int _t156;
                                                				int _t164;
                                                				intOrPtr _t165;
                                                				intOrPtr _t166;
                                                				signed int _t167;
                                                				signed int _t168;
                                                
                                                				_t162 = __edi;
                                                				_t156 = __edx;
                                                				_t126 = __ebx;
                                                				_t86 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t86 ^ _t168;
                                                				_v3212 = _a4;
                                                				_t167 = __ecx;
                                                				_v3216 = _a8;
                                                				_t91 =  *((intOrPtr*)(__ecx + 0x870)) + 0x20;
                                                				_t130 = _t91 << 3;
                                                				_v3232 = _t130;
                                                				if(_t130 < 0x320) {
                                                					_push(__edi);
                                                					_t164 = _t91 << 4;
                                                					memset( &_v3208, 0, _t164);
                                                					memset( &_v1608, 0, _t164);
                                                					_t131 = _a20;
                                                					if(_t131 > 0) {
                                                						_t166 =  *((intOrPtr*)(_t167 + 0x30));
                                                						_v3220 = _a16 << 2;
                                                						_t110 = _a12 << 2;
                                                						_push(__ebx);
                                                						_t127 =  *((intOrPtr*)(_t167 + 0x34));
                                                						_v3224 = _t110;
                                                						_v3228 = _t131;
                                                						L5:
                                                						L5:
                                                						if(( *((_v3212 >> 3) + _t127) & 1 << (_v3212 & 0x00000007)) != 0) {
                                                							_push( *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x2c)) + _t110)));
                                                							_push(_t167);
                                                							if( *(_t166 + _v3212) >= 7) {
                                                								_t113 = 0x107 + (E6C3C4EB0() & 0x000000ff) * 8;
                                                							} else {
                                                								_t113 = ( *(_t166 + _v3212) & 0x000000ff) + 0x100 + (E6C3C4EB0() & 0x000000ff) * 8;
                                                							}
                                                							_v3224 = _v3224 + 4;
                                                						} else {
                                                							_t113 =  *(_t166 + _v3212) & 0x000000ff;
                                                						}
                                                						_v3212 = _v3212 + 1;
                                                						 *((short*)(_t168 + _t113 * 2 - 0xc84)) =  *((short*)(_t168 + _t113 * 2 - 0xc84)) + 1;
                                                						_t115 = _v3216;
                                                						_t156 = 1 << (_t115 & 0x00000007);
                                                						if(( *((_t115 >> 3) + _t127) & _t156) != 0) {
                                                							_push( *((intOrPtr*)(_v3220 +  *((intOrPtr*)(_t167 + 0x2c)))));
                                                							_push(_t167);
                                                							if( *(_t166 + _t115) >= 7) {
                                                								_t119 = 0x107 + (E6C3C4EB0() & 0x000000ff) * 8;
                                                							} else {
                                                								_t119 = ( *(_t166 + _v3216) & 0x000000ff) + 0x100 + (E6C3C4EB0() & 0x000000ff) * 8;
                                                							}
                                                							_v3220 = _v3220 + 4;
                                                						} else {
                                                							_t119 =  *(_t166 + _t115) & 0x000000ff;
                                                						}
                                                						_v3216 = _v3216 + 1;
                                                						 *((short*)(_t168 + _t119 * 2 - 0x644)) =  *((short*)(_t168 + _t119 * 2 - 0x644)) + 1;
                                                						_t67 =  &_v3228;
                                                						 *_t67 = _v3228 - 1;
                                                						if( *_t67 != 0) {
                                                							goto L4;
                                                						}
                                                						_pop(_t126);
                                                						goto L19;
                                                						L4:
                                                						_t110 = _v3224;
                                                						goto L5;
                                                					}
                                                					L19:
                                                					_t167 = 0;
                                                					_t165 = 0;
                                                					if(_v3232 > 0) {
                                                						do {
                                                							_t98 =  *(_t168 + _t167 * 2 - 0xc84) & 0x0000ffff;
                                                							_t99 = _t98 & 0x0000ffff;
                                                							if(_t98 >= 0x100) {
                                                								_t102 = ( *((_t99 >> 8) + 0x6c3ddaa0) & 0x000000ff) + 8;
                                                							} else {
                                                								_t102 =  *(_t99 + 0x6c3ddaa0) & 0x000000ff;
                                                							}
                                                							_t134 =  *(_t168 + _t167 * 2 - 0x644) & 0x0000ffff;
                                                							_t135 = _t134 & 0x0000ffff;
                                                							if(_t134 >= 0x100) {
                                                								_t138 = ( *((_t135 >> 8) + 0x6c3ddaa0) & 0x000000ff) + 8;
                                                							} else {
                                                								_t138 =  *(_t135 + 0x6c3ddaa0) & 0x000000ff;
                                                							}
                                                							asm("cdq");
                                                							_t165 = _t165 + ( *((intOrPtr*)(0x6c3dda58 + _t102 * 4)) -  *((intOrPtr*)(0x6c3dda58 + _t138 * 4)) ^ _t156) - _t156;
                                                							_t167 = _t167 + 1;
                                                						} while (_t167 < _v3232);
                                                					}
                                                					_t96 = _t165;
                                                					_pop(_t162);
                                                				} else {
                                                					_t96 = 0;
                                                				}
                                                				return E6C3C171F(_t96, _t126, _v8 ^ _t168, _t156, _t162, _t167);
                                                			}
                                                0x6c3dd9e4
                                                0x6c3dd9f9
                                                0x6c3dd9e6
                                                0x6c3dd9e6
                                                0x6c3dd9e6
                                                0x6c3dd9fc
                                                0x6c3dda09
                                                0x6c3dda0c
                                                0x6c3dda21
                                                0x6c3dda0e
                                                0x6c3dda0e
                                                0x6c3dda0e
                                                0x6c3dda32
                                                0x6c3dda37
                                                0x6c3dda39
                                                0x6c3dda3a
                                                0x6c3dd9d5
                                                0x6c3dda42
                                                0x6c3dda44
                                                0x6c3dd862
                                                0x6c3dd862
                                                0x6c3dd862
                                                0x6c3dda51

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: memset
                                                • String ID: Fm*
                                                • API String ID: 2221118986-3000852143
                                                • Opcode ID: 44c616ec219fcda3580a7baff165d070e5a9cdd9dd603957ab3343badd5f2e6a
                                                • Instruction ID: 4e74f2edb6781b1c24225931cdc4de0fd83ff3a5c721fa51efb55b8a3002d409
                                                • Opcode Fuzzy Hash: 44c616ec219fcda3580a7baff165d070e5a9cdd9dd603957ab3343badd5f2e6a
                                                • Instruction Fuzzy Hash: 7151E571A040688BEB65CB29C890FAD77F5FB46308F5182D9E48A9BA40CF31BD55CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadResource.KERNEL32(6C7A831D,FFFF0000,6C7A831D,?,6C7A8BE5,6C7A831D,00000000,?,6C7A8BAA,00000000,FFFF0000,00000000,00000010,6C7AF845,00000001), ref: 6C7C78ED
                                                • LockResource.KERNEL32(00000000,6C8083A4,?,6C7A8BE5,6C7A831D,00000000,?,6C7A8BAA,00000000,FFFF0000,00000000,00000010,6C7AF845,00000001), ref: 6C7C78F9
                                                • SizeofResource.KERNEL32(6C7A831D,FFFF0000,?,6C7A8BE5,6C7A831D,00000000,?,6C7A8BAA,00000000,FFFF0000,00000000,00000010,6C7AF845,00000001), ref: 6C7C790B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Resource$LoadLockSizeof
                                                • String ID:
                                                • API String ID: 2853612939-0
                                                • Opcode ID: 76410d73e3317a2ac46e0a4f5f395d6c551b92c84e79569ba6c58483ce7a1bd7
                                                • Instruction ID: cae068ca628391d9e772ade749dce2eaea6fe1a01f7c82d85b4c62135c7e6a98
                                                • Opcode Fuzzy Hash: 76410d73e3317a2ac46e0a4f5f395d6c551b92c84e79569ba6c58483ce7a1bd7
                                                • Instruction Fuzzy Hash: F5F0F037780113AF8F012F3ACC048AA7FBAEA807A63178531F818C2811EF30C460D2E2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E6C3C343E(void* __ebx, void* __ecx) {
                                                				void* _v8;
                                                				struct _FILETIME _v12;
                                                				void* _v26;
                                                				struct _SYSTEMTIME _v28;
                                                				intOrPtr _t36;
                                                				intOrPtr _t40;
                                                				intOrPtr _t47;
                                                				void* _t51;
                                                				intOrPtr _t52;
                                                				void* _t60;
                                                				void* _t61;
                                                
                                                				_v28.wYear = _v28.wYear & 0x00000000;
                                                				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				asm("stosd");
                                                				asm("stosw");
                                                				_t60 = __ecx;
                                                				asm("stosd");
                                                				if( *((intOrPtr*)(__ecx + 0xc)) == 0) {
                                                					_t36 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t36 != 0x6c3e0088 && ( *(_t36 + 0x1c) & 0x00000001) != 0) {
                                                						_t17 = _t36 + 0x14; // 0x0
                                                						_t18 = _t36 + 0x10; // 0x1
                                                						E6C3D5F11( *_t18,  *_t17, 0x3c, E6C3C27B0);
                                                					}
                                                					return 0x90080101;
                                                				}
                                                				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x7c)) != 0) {
                                                					_t40 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t40 != 0x6c3e0088 && ( *(_t40 + 0x1c) & 0x00000001) != 0) {
                                                						_t22 = _t40 + 0x14; // 0x0
                                                						_t23 = _t40 + 0x10; // 0x1
                                                						E6C3D5F11( *_t23,  *_t22, 0x3d, E6C3C27B0);
                                                					}
                                                					return 0;
                                                				}
                                                				GetSystemTime( &_v28);
                                                				if(SystemTimeToFileTime( &_v28,  &_v12) == 0) {
                                                					_t47 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t47 != 0x6c3e0088 && ( *(_t47 + 0x1c) & 0x00000001) != 0) {
                                                						_t27 = _t47 + 0x14; // 0x0
                                                						_t28 = _t47 + 0x10; // 0x1
                                                						E6C3D5F11( *_t28,  *_t27, 0x3e, E6C3C27B0);
                                                					}
                                                					return 0x80004005;
                                                				}
                                                				_t51 = E6C3C34B7(__ebx, _t60,  &_v12);
                                                				_t61 = _t51;
                                                				if(_t61 < 0) {
                                                					_t52 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t52 != 0x6c3e0088 && ( *(_t52 + 0x1c) & 0x00000001) != 0) {
                                                						_t32 = _t52 + 0x14; // 0x0
                                                						_t33 = _t52 + 0x10; // 0x1
                                                						E6C3D99F8( *_t33,  *_t32, 0x3f, E6C3C27B0, _t61);
                                                					}
                                                					return _t61;
                                                				}
                                                				return _t51;
                                                			}














                                                APIs
                                                • GetSystemTime.KERNEL32(00000000,00000838,00000000), ref: 6C3C347D
                                                • SystemTimeToFileTime.KERNEL32(00000000,00000000), ref: 6C3C348B
                                                  • Part of subcall function 6C3C34B7: GetTickCount.KERNEL32 ref: 6C3C3508
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: Time$System$CountFileTick
                                                • String ID:
                                                • API String ID: 1416027899-0
                                                • Opcode ID: 6e57d4468c6e875dfc441e3643f96d69f02f7a9f5b0938090698d52e80406baa
                                                • Instruction ID: 9af7b7befeaa9f503a67d3a00cef5759a1d773a36c9541304aa32aa1360abff0
                                                • Opcode Fuzzy Hash: 6e57d4468c6e875dfc441e3643f96d69f02f7a9f5b0938090698d52e80406baa
                                                • Instruction Fuzzy Hash: 2C31D636610244AFD752CE64C885FDE7BB9AB05328F020451F920EBD61CB76ED88DF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E6C3C9A50(signed int __ebx, intOrPtr __edi, signed int _a4, signed int _a8, unsigned int _a12, intOrPtr _a16, unsigned int* _a20, signed int _a24) {
                                                				signed int _v8;
                                                				char _v2072;
                                                				unsigned int _v2076;
                                                				unsigned int _v2080;
                                                				char _v2081;
                                                				signed int _v2088;
                                                				signed int _v2092;
                                                				unsigned int* _v2096;
                                                				signed int _v2100;
                                                				unsigned int _v2104;
                                                				unsigned int _v2108;
                                                				void* __esi;
                                                				signed int _t96;
                                                				unsigned int* _t98;
                                                				char _t101;
                                                				intOrPtr _t102;
                                                				signed char _t104;
                                                				signed int _t107;
                                                				unsigned int _t108;
                                                				void* _t109;
                                                				signed int _t123;
                                                				unsigned int _t125;
                                                				signed int _t131;
                                                				signed int _t133;
                                                				signed int* _t146;
                                                				intOrPtr _t164;
                                                				signed char _t165;
                                                				unsigned int _t167;
                                                				signed int _t168;
                                                
                                                				_t164 = __edi;
                                                				_t130 = __ebx;
                                                				_t96 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t96 ^ _t168;
                                                				_t147 = _a24;
                                                				_t98 = _a20;
                                                				_t133 = _a4;
                                                				_t167 = _a12;
                                                				_v2088 = _t133;
                                                				_v2096 = _t98;
                                                				_v2100 = _t147;
                                                				 *_t98 = _t167;
                                                				if(_t147 != 0) {
                                                					 *_t147 = _a16;
                                                				}
                                                				if(_t167 - _a8 >= 0x1800) {
                                                					_t101 =  *((intOrPtr*)(_t133 + 0x880));
                                                					_v2081 = _t101;
                                                					if(_t101 >= 4) {
                                                						goto L3;
                                                					}
                                                					_push(_t130);
                                                					_push(_t164);
                                                					_v2076 = _t167;
                                                					_t165 = 0;
                                                					_t104 = 0;
                                                					_t15 =  &_v2076;
                                                					 *_t15 = _v2076 >> 3;
                                                					if( *_t15 == 0) {
                                                						L11:
                                                						_t107 = _a8 + 0x0000003f & 0xffffffc0;
                                                						_a8 = _t107;
                                                						_t108 = _t107 + 0x800;
                                                						_t167 = _t167 + 0xfffff000;
                                                						_v2080 = _t108;
                                                						_v2104 = _t167;
                                                						if(_t108 >= _t167) {
                                                							L25:
                                                							_t102 = 0;
                                                							L26:
                                                							_pop(_t164);
                                                							_pop(_t130);
                                                							goto L4;
                                                						}
                                                						_t33 = _t108 + 0x400; // -1087
                                                						_t167 = _t33;
                                                						while(1) {
                                                							_t147 =  *(_t168 + (_t108 >> 6) * 2 - 0x814) & 0x0000ffff;
                                                							_t109 = E6C3DD81C(_t130, _t133,  *(_t168 + (_t108 >> 6) * 2 - 0x814) & 0x0000ffff, 0x400, _t108, _t167,  *(_t168 + (_t108 >> 6) * 2 - 0x814) & 0x0000ffff,  *(_t168 + (_t167 >> 6) * 2 - 0x814) & 0x0000ffff, 0x400);
                                                							_t130 = 0x578;
                                                							if(_t109 <= 0x578) {
                                                								goto L24;
                                                							}
                                                							_t42 = _t167 + 0x400; // -63
                                                							_t46 = _t167 - 0x800; // -3135
                                                							_t147 =  *(_t168 + (_t46 >> 6) * 2 - 0x814) & 0x0000ffff;
                                                							if(E6C3DD81C(0x578, _v2088,  *(_t168 + (_t46 >> 6) * 2 - 0x814) & 0x0000ffff, 0x400, _t46, _t42,  *(_t168 + (_t46 >> 6) * 2 - 0x814) & 0x0000ffff,  *(_t168 + (_t42 >> 6) * 2 - 0x814) & 0x0000ffff, 0x400) <= 0x578) {
                                                								goto L24;
                                                							}
                                                							_t51 = _t167 + 0x800; // 0x3c1
                                                							_t55 = _t167 - 0xc00; // -4159
                                                							_t147 =  *(_t168 + (_t55 >> 6) * 2 - 0x814) & 0x0000ffff;
                                                							if(E6C3DD81C(0x578, _v2088,  *(_t168 + (_t55 >> 6) * 2 - 0x814) & 0x0000ffff, 0x400, _t55, _t51,  *(_t168 + (_t55 >> 6) * 2 - 0x814) & 0x0000ffff,  *(_t168 + (_t51 >> 6) * 2 - 0x814) & 0x0000ffff, 0x400) <= 0x578) {
                                                								goto L24;
                                                							}
                                                							_v2092 = _v2092 & 0x00000000;
                                                							_t62 = _t167 - 0x200; // -1599
                                                							_t130 = _t62;
                                                							_t63 = _t167 + 0x600; // 0x1c1
                                                							if(_t130 >= _t63) {
                                                								goto L24;
                                                							}
                                                							_t64 = _t167 - 0x600; // -2623
                                                							_v2076 = _t64;
                                                							do {
                                                								_t123 = E6C3DD81C(_t130, _v2088, _t147, 0x400, _v2076, _t130,  *(_t168 + (_v2076 >> 6) * 2 - 0x814) & 0x0000ffff,  *(_t168 + (_t130 >> 6) * 2 - 0x814) & 0x0000ffff, 0x400);
                                                								if(_t123 > _v2092) {
                                                									_v2092 = _t123;
                                                									_v2108 = _t130;
                                                								}
                                                								_v2076 = _v2076 + 0x40;
                                                								_t130 = _t130 + 0x40;
                                                								_t80 = _t167 + 0x600; // 0x1c1
                                                							} while (_t130 < _t80);
                                                							if(_v2092 < 0x6a4) {
                                                								goto L24;
                                                							}
                                                							_t125 = _v2108;
                                                							if(_t125 - _a8 >= 0x1000) {
                                                								_t147 = _v2088;
                                                								 *((char*)(_v2088 + 0x880)) = _v2081 + 1;
                                                								 *_v2096 = _t125;
                                                								_t146 = _v2100;
                                                								if(_t146 != 0) {
                                                									 *_t146 =  *(_t168 + (_t125 >> 6) * 2 - 0x814) & 0x0000ffff;
                                                								}
                                                								_t102 = 1;
                                                								goto L26;
                                                							}
                                                							L24:
                                                							_v2080 = _v2080 + 0x400;
                                                							_t167 = _t167 + 0x400;
                                                							if(_v2080 < _v2104) {
                                                								_t133 = _v2088;
                                                								_t108 = _v2080;
                                                								continue;
                                                							}
                                                							goto L25;
                                                						}
                                                					}
                                                					_v2080 =  &_v2072;
                                                					_t147 =  *(_t133 + 0x34);
                                                					do {
                                                						if((_t104 & 0x00000007) == 0) {
                                                							_v2080 = _v2080 + 2;
                                                							 *_v2080 = _t165;
                                                						}
                                                						_t131 =  *(_t147 + _t104) & 0x000000ff;
                                                						_t130 =  *(_t131 + _t133 + 0x881) & 0x000000ff;
                                                						_t165 = _t165 + ( *(_t131 + _t133 + 0x881) & 0x000000ff);
                                                						_t104 = _t104 + 1;
                                                					} while (_t104 < _v2076);
                                                					goto L11;
                                                				} else {
                                                					L3:
                                                					_t102 = 0;
                                                					L4:
                                                					return E6C3C171F(_t102, _t130, _v8 ^ _t168, _t147, _t164, _t167);
                                                				}
                                                			}

































                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$Fm*
                                                • API String ID: 0-1951596295
                                                • Opcode ID: 274a12090030b5cffefbc951f2ba2abb930af171407338eb7d0d6db38fde205c
                                                • Instruction ID: f68c13b500cec0b9fb5b03c19bd506ab2ebe61c4380e335d40ac6bbd5eaa0373
                                                • Opcode Fuzzy Hash: 274a12090030b5cffefbc951f2ba2abb930af171407338eb7d0d6db38fde205c
                                                • Instruction Fuzzy Hash: B17130B1A0022C8BDB64CF15C980AD9B7F9FF84304F15C5A9E889D7244DA319E86CFE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ChangeServiceConfigW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C79E9DA
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ChangeConfigService
                                                • String ID:
                                                • API String ID: 3849694230-0
                                                • Opcode ID: 8005409ed326a4e9bc6b2474807f808c64b62bd69c44b09331982541a89fed01
                                                • Instruction ID: 728ac1a5bc23221f1aa24b812b725e56f8c4da7593b87bd45fa741d1e8150494
                                                • Opcode Fuzzy Hash: 8005409ed326a4e9bc6b2474807f808c64b62bd69c44b09331982541a89fed01
                                                • Instruction Fuzzy Hash: 7FE0FE3200018DBBCF029E81DD04CDA3F26FB4C3A4B4A9214FA2820020C736D871EB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6C3DD064(intOrPtr* __eax, void* __edi) {
                                                				intOrPtr _v8;
                                                				signed short _v12;
                                                				signed short _v16;
                                                				void* __esi;
                                                				signed short _t104;
                                                				signed int _t105;
                                                				void* _t106;
                                                				signed short _t109;
                                                				intOrPtr _t110;
                                                				signed int _t114;
                                                				signed short _t124;
                                                				signed short _t125;
                                                				signed int _t126;
                                                				void* _t127;
                                                				void* _t133;
                                                				signed int _t134;
                                                				void* _t135;
                                                				intOrPtr _t140;
                                                				signed short _t142;
                                                				signed int _t148;
                                                				signed short _t149;
                                                				signed int _t153;
                                                				signed int _t160;
                                                				intOrPtr _t161;
                                                				intOrPtr _t164;
                                                				signed short _t166;
                                                				signed int _t167;
                                                				signed short _t168;
                                                				signed int _t173;
                                                				signed short _t176;
                                                				signed int _t190;
                                                				signed int _t195;
                                                				intOrPtr* _t199;
                                                
                                                				_t142 = 0;
                                                				_t199 = __eax;
                                                				_v12 = 0;
                                                				_v8 = 2;
                                                				if( *((intOrPtr*)(__eax + 0x24)) == 0) {
                                                					L41:
                                                					_t104 =  *(_t199 + 0x3c) & 0x0000ffff;
                                                					_t148 =  *(_t199 + 0x34);
                                                					if(_t104 != _t142) {
                                                						_t105 = _t104 & 0x0000ffff;
                                                					} else {
                                                						_t105 = 0x10000;
                                                					}
                                                					_t106 = _t105 - _t148;
                                                					_t222 = _t148 - _t142;
                                                					if(_t148 < _t142) {
                                                						_t149 = 0;
                                                						__eflags = 0;
                                                					} else {
                                                						_t149 = ( *(_t199 + 0x34) & 0x0000ffff) +  *((intOrPtr*)(_t199 + 0x14));
                                                					}
                                                					return E6C3DCF02(_t199, _t149, _t179, _t222, _t149, _t106, 1);
                                                				} else {
                                                					_t195 = 0x7fff;
                                                					do {
                                                						if( *((intOrPtr*)(_t199 + 0x24)) <= 2) {
                                                							_t109 = 0;
                                                							__eflags = 0;
                                                							 *((intOrPtr*)(_t199 + 0x38)) = _t142;
                                                						} else {
                                                							_t153 =  *(_t199 + 0x3c) & 0x0000ffff;
                                                							_t114 = ( *( *((intOrPtr*)(_t199 + 0x14)) + _t153 + 2) & 0x000000ff ^  *(_t199 + 0x20) << 0x00000005) & _t195;
                                                							 *(_t199 + 0x20) = _t114;
                                                							_t109 =  *( *(_t199 + 0x18) + _t114 * 2) & 0x0000ffff;
                                                							 *( *((intOrPtr*)(_t199 + 0x1c)) + (_t153 & _t195) * 2) = _t109;
                                                							_t179 =  *(_t199 + 0x18);
                                                							 *((short*)( *(_t199 + 0x18) +  *(_t199 + 0x20) * 2)) =  *(_t199 + 0x3c);
                                                						}
                                                						 *((intOrPtr*)(_t199 + 0x38)) = _v8;
                                                						_v16 =  *(_t199 + 0x3e) & 0x0000ffff;
                                                						_v8 = 2;
                                                						if(_t109 != 0 &&  *((intOrPtr*)(_t199 + 0x38)) < 0x20) {
                                                							_t176 =  *(_t199 + 0x3c) & 0x0000ffff;
                                                							_t179 = (_t176 & 0x0000ffff) - (_t109 & 0x0000ffff);
                                                							if((_t176 & 0x0000ffff) - (_t109 & 0x0000ffff) <= 0x7efa && _t176 < 0xfffd) {
                                                								_v8 = E6C3DCBD8(_t199, _t109);
                                                								_t140 =  *((intOrPtr*)(_t199 + 0x24));
                                                								if(_v8 > _t140) {
                                                									_v8 = _t140;
                                                								}
                                                								if(_v8 == 3 && ( *(_t199 + 0x3c) & 0x0000ffff) - ( *(_t199 + 0x3e) & 0x0000ffff) > 0x1000) {
                                                									_v8 = 2;
                                                								}
                                                							}
                                                						}
                                                						_t110 =  *((intOrPtr*)(_t199 + 0x38));
                                                						if(_t110 < 3 || _v8 > _t110) {
                                                							_t142 = 0;
                                                							__eflags = _v12;
                                                							if(_v12 == 0) {
                                                								_v12 = 1;
                                                							} else {
                                                								_t179 = 0;
                                                								_t124 = E6C3DC942(_t199,  *(( *(_t199 + 0x3c) - 0x00000001 & 0x0000ffff) +  *((intOrPtr*)(_t199 + 0x14))) & 0x000000ff, 0);
                                                								__eflags = _t124;
                                                								if(_t124 != 0) {
                                                									_t125 =  *(_t199 + 0x3c) & 0x0000ffff;
                                                									__eflags = _t125;
                                                									_t160 =  *(_t199 + 0x34);
                                                									if(_t125 != 0) {
                                                										_t126 = _t125 & 0x0000ffff;
                                                									} else {
                                                										_t126 = 0x10000;
                                                									}
                                                									_t127 = _t126 - _t160;
                                                									__eflags = _t160 - _t142;
                                                									if(__eflags < 0) {
                                                										_t161 = 0;
                                                										__eflags = 0;
                                                									} else {
                                                										_t161 = ( *(_t199 + 0x34) & 0x0000ffff) +  *((intOrPtr*)(_t199 + 0x14));
                                                									}
                                                									E6C3DCF02(_t199, _t161, _t179, __eflags, _t161, _t127, _t142);
                                                									 *(_t199 + 0x34) =  *(_t199 + 0x3c) & 0x0000ffff;
                                                								}
                                                							}
                                                							 *(_t199 + 0x3c) =  *(_t199 + 0x3c) + 1;
                                                							_t92 = _t199 + 0x24;
                                                							 *_t92 =  *((intOrPtr*)(_t199 + 0x24)) - 1;
                                                							__eflags =  *_t92;
                                                						} else {
                                                							_t133 = E6C3DC942(_t199, _t110 - 3, ( *(_t199 + 0x3c) & 0x0000ffff) - (_v16 & 0x0000ffff) - 1);
                                                							_t164 =  *((intOrPtr*)(_t199 + 0x38));
                                                							 *((intOrPtr*)(_t199 + 0x24)) =  *((intOrPtr*)(_t199 + 0x24)) + 1 - _t164;
                                                							 *((intOrPtr*)(_t199 + 0x38)) = _t164 + 0xfffffffe;
                                                							do {
                                                								 *(_t199 + 0x3c) =  *(_t199 + 0x3c) + 1;
                                                								_t166 =  *(_t199 + 0x3c) & 0x0000ffff;
                                                								if( *((intOrPtr*)(_t199 + 0x24)) > 2) {
                                                									_t190 = _t166 & 0x0000ffff;
                                                									_t173 = ( *( *((intOrPtr*)(_t199 + 0x14)) + _t190 + 2) & 0x000000ff ^  *(_t199 + 0x20) << 0x00000005) & _t195;
                                                									 *(_t199 + 0x20) = _t173;
                                                									 *((short*)( *((intOrPtr*)(_t199 + 0x1c)) + (_t190 & _t195) * 2)) =  *((intOrPtr*)( *(_t199 + 0x18) + _t173 * 2));
                                                									 *((short*)( *(_t199 + 0x18) +  *(_t199 + 0x20) * 2)) =  *(_t199 + 0x3c);
                                                									_t195 = 0x7fff;
                                                								}
                                                								_t67 = _t199 + 0x38;
                                                								 *_t67 =  *((intOrPtr*)(_t199 + 0x38)) - 1;
                                                							} while ( *_t67 != 0);
                                                							_t142 = 0;
                                                							 *(_t199 + 0x3c) =  *(_t199 + 0x3c) + 1;
                                                							_t179 =  *(_t199 + 0x3c) & 0x0000ffff;
                                                							_v12 = 0;
                                                							_v8 = 2;
                                                							if(_t133 != 0) {
                                                								_t167 =  *(_t199 + 0x34);
                                                								_t134 = 0x10000;
                                                								if(_t179 != 0) {
                                                									_t134 = _t179 & 0x0000ffff;
                                                								}
                                                								_t135 = _t134 - _t167;
                                                								_t217 = _t167 - _t142;
                                                								if(_t167 < _t142) {
                                                									_t168 = 0;
                                                									__eflags = 0;
                                                								} else {
                                                									_t168 = ( *(_t199 + 0x34) & 0x0000ffff) +  *((intOrPtr*)(_t199 + 0x14));
                                                								}
                                                								E6C3DCF02(_t199, _t168, _t179, _t217, _t168, _t135, _t142);
                                                								 *(_t199 + 0x34) =  *(_t199 + 0x3c) & 0x0000ffff;
                                                							}
                                                						}
                                                					} while ( *((intOrPtr*)(_t199 + 0x24)) != _t142);
                                                					if(_v12 != _t142) {
                                                						_t179 = 0;
                                                						E6C3DC942(_t199,  *(( *(_t199 + 0x3c) - 0x00000001 & 0x0000ffff) +  *((intOrPtr*)(_t199 + 0x14))) & 0x000000ff, 0);
                                                					}
                                                					goto L41;
                                                				}
                                                			}


                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c3a4e0fec333f5e0de6669a44665c0b4cdd52350f996b6acc430fd419882173b
                                                • Instruction ID: 0a2c0c78251aca9da790c96f8dbb8903c555fcaf2d9966397fe4f7499e5628dc
                                                • Opcode Fuzzy Hash: c3a4e0fec333f5e0de6669a44665c0b4cdd52350f996b6acc430fd419882173b
                                                • Instruction Fuzzy Hash: EB81A971A01A208AC7649F6AC69057AF3F1FF48705B91892EE8C787E40E374F885CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ed2cbdcedc398da826b454c523778528c59bf51cf5625b9893ab52e8b6d8c020
                                                • Instruction ID: 7e95828890b7b474f977a1185608dc2220e02ca0da9b2d69d75011c11305e9a7
                                                • Opcode Fuzzy Hash: ed2cbdcedc398da826b454c523778528c59bf51cf5625b9893ab52e8b6d8c020
                                                • Instruction Fuzzy Hash: C1A002322486CCD7465059865409B3777BEE1C26A3A9501B1D518025059D72EC11D5D6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f7d429d64cb9acdd69f56aab6b178aab374dac4956efd76b9535aa01d4206f6b
                                                • Instruction ID: b6576ee12b6bde867a53692dd4514be29f94e38510d74a2c00f2703630429675
                                                • Opcode Fuzzy Hash: f7d429d64cb9acdd69f56aab6b178aab374dac4956efd76b9535aa01d4206f6b
                                                • Instruction Fuzzy Hash: C4A0023264874CD7475019C6946993277ADD1C2A63A9541F5D514029015D72E851C5D5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 312d8234440c11131e889c9df94a963e0fb05a31be8da1586d6fd6305fb1ede5
                                                • Instruction ID: 5af7eff24a70f4d18be4e9ede1aaa2c1c2380684959585640a723e985b5c0a08
                                                • Opcode Fuzzy Hash: 312d8234440c11131e889c9df94a963e0fb05a31be8da1586d6fd6305fb1ede5
                                                • Instruction Fuzzy Hash: BBA0023228868CD746A01986590997277ADD1C2663A9600B1D618425116E76EC11E5E6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3381dd4e66820da250015d2f4a14c857556fc60903c7717b06f90930a85e6ff3
                                                • Instruction ID: 4b9f8ae01ca98b83d772a51550c15c8e654f2b274181b0b885869ff9edc03fc9
                                                • Opcode Fuzzy Hash: 3381dd4e66820da250015d2f4a14c857556fc60903c7717b06f90930a85e6ff3
                                                • Instruction Fuzzy Hash: 05A0223228820CCB03000882000883233ACC0C2223E8800B0C000020000C32E800C8C0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C78FAD6
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: +$ActionTable$ApplicableIf$Compressed$CompressedDownloadSize$CompressedHashValue$CustomErrorHandling$EstimatedInstallTime$IsPresent$Name$ParameterInfo.xml$RepairOverride$UninstallOverride$schema validation failure: ServiceControl does not support Compressed attributes!$schema validation failure: ServiceControl does not support RepairOverride or UninstallOverride child elements!
                                                • API String ID: 431132790-3507379325
                                                • Opcode ID: c61aa0be0c27025c4522981a47c8ffa49496bb56dfbfc179e01f21688e28e587
                                                • Instruction ID: 60446f870f1819c3995160c843379c590fb5059f5edd4a4ae532b080bc6e4749
                                                • Opcode Fuzzy Hash: c61aa0be0c27025c4522981a47c8ffa49496bb56dfbfc179e01f21688e28e587
                                                • Instruction Fuzzy Hash: 6B123D71905249EFDF04DFA8CA48AEEBBB8BF09318F144569E524E7780D734DA09CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7C8EAB: _memcpy_s.LIBCMT ref: 6C7C8EFC
                                                  • Part of subcall function 6C7A8CD5: __EH_prolog3.LIBCMT ref: 6C7A8CDC
                                                  • Part of subcall function 6C77391D: __EH_prolog3.LIBCMT ref: 6C773924
                                                • __CxxThrowException@8.LIBCMT ref: 6C79A26F
                                                  • Part of subcall function 6C775349: __EH_prolog3.LIBCMT ref: 6C775350
                                                  • Part of subcall function 6C775349: OutputDebugStringW.KERNEL32(?,?,?,00000008,6C7A63AF,000013EC,?,00000000,?,?,ReportingFlags,?,-0000000D,?,?,6C754A4C), ref: 6C775371
                                                • SysFreeString.OLEAUT32(?), ref: 6C79A065
                                                Strings
                                                • Exe %s returned success, but changes will not be effective until the service is restarted., xrefs: 6C79A076
                                                • Exe (%s) failed with 0x%x - %s., xrefs: 6C79A03D
                                                • %s - Exe installer does not provide a log file name, xrefs: 6C799EED
                                                • Exe log file(s) :, xrefs: 6C799F57
                                                • Exe (%s) succeeded and requires reboot., xrefs: 6C79A081
                                                • Exe %s has initiated a restart., xrefs: 6C79A08C
                                                • complete, xrefs: 6C799C5F
                                                • PerformOperation on exe returned exit code %u (translates to HRESULT = 0x%x), xrefs: 6C79A1B7
                                                • Performing Action on Exe at , xrefs: 6C799CE1
                                                • Exe (%s) succeeded (but does not apply to any products on this machine), xrefs: 6C79A09B
                                                • Action, xrefs: 6C799D07
                                                • Exe (%s) succeeded., xrefs: 6C79A0A6
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$String$DebugException@8FreeOutputThrow_memcpy_s
                                                • String ID: complete$%s - Exe installer does not provide a log file name$Action$Exe %s has initiated a restart.$Exe %s returned success, but changes will not be effective until the service is restarted.$Exe (%s) failed with 0x%x - %s.$Exe (%s) succeeded (but does not apply to any products on this machine)$Exe (%s) succeeded and requires reboot.$Exe (%s) succeeded.$Exe log file(s) :$PerformOperation on exe returned exit code %u (translates to HRESULT = 0x%x)$Performing Action on Exe at
                                                • API String ID: 4069489755-2724633158
                                                • Opcode ID: be124442bdffb742501d231100afcc6702c0d3b0e96c0bfeb9b189589b56f350
                                                • Instruction ID: 8075eeba464b39a05485b5cf41176e15723a2da273f2bd0a10c6208af7c410f9
                                                • Opcode Fuzzy Hash: be124442bdffb742501d231100afcc6702c0d3b0e96c0bfeb9b189589b56f350
                                                • Instruction Fuzzy Hash: A01238716083419FD720CF68CA88B5ABBE5BF99318F044A2DF199D7751DB31E908CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C787E1E
                                                • __CxxThrowException@8.LIBCMT ref: 6C787FA8
                                                • __EH_prolog3.LIBCMT ref: 6C787FBA
                                                • __CxxThrowException@8.LIBCMT ref: 6C7880A9
                                                  • Part of subcall function 6C7C8E8C: __CxxThrowException@8.LIBCMT ref: 6C7C8EA0
                                                  • Part of subcall function 6C7A878F: __EH_prolog3.LIBCMT ref: 6C7A8796
                                                  • Part of subcall function 6C7A878F: _wcsspn.LIBCMT ref: 6C7A87D2
                                                  • Part of subcall function 6C7A878F: _wcscspn.LIBCMT ref: 6C7A87E8
                                                  • Part of subcall function 6C778415: __EH_prolog3.LIBCMT ref: 6C77841C
                                                Strings
                                                • When Rollback is true for item , xrefs: 6C788036
                                                • schema validation failure. URL, HashValue and DownLoadSize attributes are not valid for LocalExe type like , xrefs: 6C78836E
                                                • schema validation failure: , xrefs: 6C78816D
                                                • ", xrefs: 6C7883BD
                                                • ParameterInfo.xml, xrefs: 6C787F63, 6C788026, 6C78815D, 6C788246, 6C78835E
                                                • [%s] - schema validation failure. Environment variable cannot be expanded! Name sould contain minimum of a valid environmental var, xrefs: 6C787F32
                                                • schema validation failure: The InstallCommandLine, UninstallCommandLind and RepairCommandLine of an ExeBase of MsuPackage like , xrefs: 6C788256
                                                • a valid UninstallCommandLine is required., xrefs: 6C78804B
                                                • has invalid LogFileHint, xrefs: 6C788182
                                                • must be empty., xrefs: 6C78826B
                                                • [%s] - schema validation failure. Name sould contain minimum of a valid environmental variable pointing to an installed program to, xrefs: 6C787F55
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw$_wcscspn_wcsspn
                                                • String ID: a valid UninstallCommandLine is required.$ has invalid LogFileHint$ must be empty.$"$ParameterInfo.xml$When Rollback is true for item $[%s] - schema validation failure. Environment variable cannot be expanded! Name sould contain minimum of a valid environmental var$[%s] - schema validation failure. Name sould contain minimum of a valid environmental variable pointing to an installed program to$schema validation failure. URL, HashValue and DownLoadSize attributes are not valid for LocalExe type like $schema validation failure: $schema validation failure: The InstallCommandLine, UninstallCommandLind and RepairCommandLine of an ExeBase of MsuPackage like
                                                • API String ID: 200342494-2088432839
                                                • Opcode ID: 401dce425281cdecac9b918ca579792aaca2f6fe2bbd5e6baf5be77933b6bc4a
                                                • Instruction ID: d52f7655e93ff7ec11e2d13aa9a12f7f065c49a90e7d1c98917127676e6962e2
                                                • Opcode Fuzzy Hash: 401dce425281cdecac9b918ca579792aaca2f6fe2bbd5e6baf5be77933b6bc4a
                                                • Instruction Fuzzy Hash: FF026231901149EFDB10DBF8CA4CBDDBBB4AF05328F544266E121B7B81DB74AA49CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 79%
                                                			E6C3D66A1(void* _a4) {
                                                				long _v8;
                                                				void* _v12;
                                                				struct _FILETIME _v20;
                                                				struct _SYSTEMTIME _v36;
                                                				void* _t52;
                                                				void* _t53;
                                                				signed int _t58;
                                                				intOrPtr _t66;
                                                				intOrPtr _t68;
                                                				intOrPtr _t72;
                                                				intOrPtr _t75;
                                                				intOrPtr _t77;
                                                				intOrPtr _t79;
                                                				void _t82;
                                                				long _t83;
                                                				void* _t85;
                                                
                                                				_v8 = 0;
                                                				if(_a4 != 0) {
                                                					__eflags =  *0x6c3e009c; // 0x0
                                                					if(__eflags != 0) {
                                                						_t52 = CreateFileW(_a4, 0xc0000000, 1, 0, 3, 0x80000080, 0);
                                                						__eflags = _t52 - 0xffffffff;
                                                						_v12 = _t52;
                                                						if(_t52 != 0xffffffff) {
                                                							_t53 = CreateFileMappingW(_t52, 0, 4, 0, 0x78, 0);
                                                							__eflags = _t53;
                                                							_a4 = _t53;
                                                							if(_t53 != 0) {
                                                								_t85 = MapViewOfFile(_t53, 2, 0, 0, 0x78);
                                                								__eflags = _t85;
                                                								if(_t85 != 0) {
                                                									_t82 =  *_t85;
                                                									__eflags = _t82 - 0x4d51534d;
                                                									if(_t82 == 0x4d51534d) {
                                                										GetSystemTime( &_v36);
                                                										_t58 = SystemTimeToFileTime( &_v36,  &_v20);
                                                										__eflags = _t58;
                                                										if(_t58 != 0) {
                                                											 *(_t85 + 0x28) = _v20.dwLowDateTime;
                                                											 *((intOrPtr*)(_t85 + 0x2c)) = _v20.dwHighDateTime;
                                                											_t83 = 0;
                                                											__eflags = 0;
                                                											_v8 = 1;
                                                											L32:
                                                											__eflags = _t85;
                                                											if(_t85 != 0) {
                                                												UnmapViewOfFile(_t85);
                                                											}
                                                											L34:
                                                											__eflags = _a4;
                                                											if(_a4 != 0) {
                                                												CloseHandle(_a4);
                                                											}
                                                											CloseHandle(_v12);
                                                											goto L37;
                                                										}
                                                										_t83 = GetLastError();
                                                										_t66 =  *0x6c3e0088; // 0x6c3e0088
                                                										__eflags = _t66 - 0x6c3e0088;
                                                										if(_t66 == 0x6c3e0088) {
                                                											goto L32;
                                                										}
                                                										__eflags =  *(_t66 + 0x1c) & 0x00000001;
                                                										if(( *(_t66 + 0x1c) & 0x00000001) == 0) {
                                                											goto L32;
                                                										}
                                                										_push(_t83);
                                                										_push(0x6c3d5a6c);
                                                										_push(0x81);
                                                										L30:
                                                										_t41 = _t66 + 0x14; // 0x0
                                                										_push( *_t41);
                                                										_t42 = _t66 + 0x10; // 0x1
                                                										_push( *_t42);
                                                										E6C3D99F8();
                                                										goto L32;
                                                									}
                                                									_t83 = 0xd;
                                                									_t68 =  *0x6c3e0088; // 0x6c3e0088
                                                									__eflags = _t68 - 0x6c3e0088;
                                                									if(_t68 != 0x6c3e0088) {
                                                										__eflags =  *(_t68 + 0x1c) & 0x00000001;
                                                										if(( *(_t68 + 0x1c) & 0x00000001) != 0) {
                                                											_t33 = _t68 + 0x14; // 0x0
                                                											_t34 = _t68 + 0x10; // 0x1
                                                											E6C3D99F8( *_t34,  *_t33, 0x80, 0x6c3d5a6c, _t82);
                                                										}
                                                									}
                                                									goto L32;
                                                								}
                                                								_t83 = GetLastError();
                                                								_t66 =  *0x6c3e0088; // 0x6c3e0088
                                                								__eflags = _t66 - 0x6c3e0088;
                                                								if(_t66 == 0x6c3e0088) {
                                                									goto L32;
                                                								}
                                                								__eflags =  *(_t66 + 0x1c) & 0x00000001;
                                                								if(( *(_t66 + 0x1c) & 0x00000001) == 0) {
                                                									goto L32;
                                                								}
                                                								_push(_t83);
                                                								_push(0x6c3d5a6c);
                                                								_push(0x7f);
                                                								goto L30;
                                                							}
                                                							_t83 = GetLastError();
                                                							_t72 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t72 - 0x6c3e0088;
                                                							if(_t72 != 0x6c3e0088) {
                                                								__eflags =  *(_t72 + 0x1c) & 0x00000001;
                                                								if(( *(_t72 + 0x1c) & 0x00000001) != 0) {
                                                									_t25 = _t72 + 0x14; // 0x0
                                                									_t26 = _t72 + 0x10; // 0x1
                                                									E6C3D99F8( *_t26,  *_t25, 0x7e, 0x6c3d5a6c, _t83);
                                                								}
                                                							}
                                                							goto L34;
                                                						}
                                                						_t83 = GetLastError();
                                                						_t75 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t75 - 0x6c3e0088;
                                                						if(_t75 != 0x6c3e0088) {
                                                							__eflags =  *(_t75 + 0x1c) & 0x00000001;
                                                							if(( *(_t75 + 0x1c) & 0x00000001) != 0) {
                                                								_t19 = _t75 + 0x14; // 0x0
                                                								_t20 = _t75 + 0x10; // 0x1
                                                								E6C3D77B8( *_t20,  *_t19, 0x7d, 0x6c3d5a6c, _a4, _t83);
                                                							}
                                                						}
                                                					} else {
                                                						_t77 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t77 - 0x6c3e0088;
                                                						if(_t77 != 0x6c3e0088) {
                                                							__eflags =  *(_t77 + 0x1c) & 0x00000001;
                                                							if(( *(_t77 + 0x1c) & 0x00000001) != 0) {
                                                								_t11 = _t77 + 0x14; // 0x0
                                                								_t12 = _t77 + 0x10; // 0x1
                                                								E6C3D5F11( *_t12,  *_t11, 0x7c, 0x6c3d5a6c);
                                                							}
                                                						}
                                                						_t83 = 0x1000010a;
                                                					}
                                                					goto L37;
                                                				} else {
                                                					_t79 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t79 != 0x6c3e0088 && ( *(_t79 + 0x1c) & 0x00000001) != 0) {
                                                						_t6 = _t79 + 0x14; // 0x0
                                                						_t7 = _t79 + 0x10; // 0x1
                                                						E6C3D5F11( *_t7,  *_t6, 0x7b, 0x6c3d5a6c);
                                                					}
                                                					_t83 = 0x57;
                                                					L37:
                                                					SetLastError(_t83);
                                                					return _v8;
                                                				}
                                                			}




















                                                APIs
                                                • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,80000080,00000000), ref: 6C3D672A
                                                • GetLastError.KERNEL32 ref: 6C3D6738
                                                  • Part of subcall function 6C3D5F11: EtwTraceMessage.NTDLL ref: 6C3D5F26
                                                • CreateFileMappingW.KERNEL32(00000000,00000000,00000004,00000000,00000078,00000000), ref: 6C3D677E
                                                • GetLastError.KERNEL32 ref: 6C3D678B
                                                  • Part of subcall function 6C3D99F8: EtwTraceMessage.NTDLL ref: 6C3D9A13
                                                • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000078), ref: 6C3D67CC
                                                • GetLastError.KERNEL32 ref: 6C3D67D8
                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 6C3D68A7
                                                • CloseHandle.KERNEL32(?), ref: 6C3D68BB
                                                • CloseHandle.KERNEL32(?), ref: 6C3D68C0
                                                • SetLastError.KERNEL32(00000000), ref: 6C3D68C4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorFileLast$CloseCreateHandleMessageTraceView$MappingUnmap
                                                • String ID: MSQM
                                                • API String ID: 3767376415-2366479917
                                                • Opcode ID: ac17db107d84a9bf508cc6a83009623dad09345dab6963a579dd98b647d06399
                                                • Instruction ID: 05b44d76761d8e48cd99bd638fe26697072c2cd024453a74eb32ac880cec22b2
                                                • Opcode Fuzzy Hash: ac17db107d84a9bf508cc6a83009623dad09345dab6963a579dd98b647d06399
                                                • Instruction Fuzzy Hash: 2851FE76640244AFDB51DE61CCC8F8E7BB8BB05348F160865F925EA9A0C772FD849F20
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7C5C3D
                                                • GetLastError.KERNEL32(?,Setup Installer,00000001,00000000,00000000,00000000,?,?,6C7C4247,00000000,?), ref: 6C7C5C90
                                                  • Part of subcall function 6C777479: __EH_prolog3.LIBCMT ref: 6C777480
                                                • GlobalFree.KERNEL32(?), ref: 6C7C5CB7
                                                • GlobalFree.KERNEL32(?), ref: 6C7C5CC4
                                                • GlobalFree.KERNEL32(?), ref: 6C7C5CD1
                                                • GlobalFree.KERNEL32(?), ref: 6C7C5D20
                                                • GlobalFree.KERNEL32(?), ref: 6C7C5D2D
                                                • GlobalFree.KERNEL32(?), ref: 6C7C5D3A
                                                • GlobalFree.KERNEL32(?), ref: 6C7C5D5D
                                                • GlobalFree.KERNEL32(?), ref: 6C7C5D6A
                                                • GlobalFree.KERNEL32(?), ref: 6C7C5D77
                                                Strings
                                                • Retrieving proxy information using WinHttpGetIEProxyConfigForCurrentUser, xrefs: 6C7C5C49
                                                • WinHttpGetIEProxyConfigForCurrentUser, xrefs: 6C7C5C99
                                                • Unable to retrieve Proxy information although WinHttpGetIEProxyConfigForCurrentUser called succeeded, xrefs: 6C7C5D45
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: FreeGlobal$H_prolog3$ErrorLast
                                                • String ID: Retrieving proxy information using WinHttpGetIEProxyConfigForCurrentUser$Unable to retrieve Proxy information although WinHttpGetIEProxyConfigForCurrentUser called succeeded$WinHttpGetIEProxyConfigForCurrentUser
                                                • API String ID: 3758970598-3016001025
                                                • Opcode ID: a3a291a6083b2e9db76d7fe9a7016d0d874fa08e7dcc735c3fe7ef8a80a98936
                                                • Instruction ID: 6961f8a44e674653931eedcbf1604eb9ab9726fd377b37b5cd0df70b24b1913f
                                                • Opcode Fuzzy Hash: a3a291a6083b2e9db76d7fe9a7016d0d874fa08e7dcc735c3fe7ef8a80a98936
                                                • Instruction Fuzzy Hash: FD410431A0161ADFCF029FA4DA499DCFBB1BF48B14F25406AE411B6624C7329D40DFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C78BD33
                                                  • Part of subcall function 6C781D3D: __EH_prolog3.LIBCMT ref: 6C781D44
                                                  • Part of subcall function 6C781D3D: __CxxThrowException@8.LIBCMT ref: 6C781E11
                                                • __CxxThrowException@8.LIBCMT ref: 6C78C09E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Exception@8H_prolog3Throw
                                                • String ID: ($ApplicableIf$IsPresent$MSP$ParameterInfo.xml$PatchCode$RepairOverride$UninstallOverride$schema validation failure: MSP does not support RepairOverride or UninstallOverride child elements!$schema validation failure: Patch Code cannot be empty!$schema validation failure: wrong number of MSP child nodes!
                                                • API String ID: 3670251406-3439019449
                                                • Opcode ID: d96fa96bb649502f1cc36423401e9fe9d2293db2ca5d2134b1cde72bff0fc9a0
                                                • Instruction ID: 7c44a3283e0284f450c4459133477900125efdab3c9ee454623315522904eeb5
                                                • Opcode Fuzzy Hash: d96fa96bb649502f1cc36423401e9fe9d2293db2ca5d2134b1cde72bff0fc9a0
                                                • Instruction Fuzzy Hash: 54022171901249EFDB04DFA8CA49ADDBBB9BF05318F148569F924DB780C734EA09CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C78E8C3
                                                  • Part of subcall function 6C78EDAB: __EH_prolog3.LIBCMT ref: 6C78EDB2
                                                  • Part of subcall function 6C78ED32: __EH_prolog3.LIBCMT ref: 6C78ED39
                                                  • Part of subcall function 6C78ECB9: __EH_prolog3.LIBCMT ref: 6C78ECC0
                                                  • Part of subcall function 6C78B14E: __EH_prolog3.LIBCMT ref: 6C78B155
                                                  • Part of subcall function 6C781B7A: __EH_prolog3.LIBCMT ref: 6C781B81
                                                • VariantInit.OLEAUT32(00000010), ref: 6C78E9A5
                                                • SysAllocString.OLEAUT32(IgnoreDownloadFailure), ref: 6C78E9B9
                                                • SysFreeString.OLEAUT32(6C7EBDC8), ref: 6C78E9F1
                                                • __CxxThrowException@8.LIBCMT ref: 6C78EA8E
                                                  • Part of subcall function 6C7C8E8C: __CxxThrowException@8.LIBCMT ref: 6C7C8EA0
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • VariantClear.OLEAUT32(00000010), ref: 6C78EBFF
                                                Strings
                                                • ParameterInfo.xml, xrefs: 6C78EA0F, 6C78EBA3
                                                • CompressedHashValue, xrefs: 6C78EB0A
                                                • schema validation failure: AgileMSP does not support Compressed attributes!, xrefs: 6C78EB95
                                                • Compressed, xrefs: 6C78EA93
                                                • CompressedDownloadSize, xrefs: 6C78EACD
                                                • IgnoreDownloadFailure, xrefs: 6C78E9B1
                                                • IgnoreDownloadFailure should not be authored for Agile MSPs, xrefs: 6C78EA01
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8StringThrowVariant$AllocClearFreeInit
                                                • String ID: Compressed$CompressedDownloadSize$CompressedHashValue$IgnoreDownloadFailure$IgnoreDownloadFailure should not be authored for Agile MSPs$ParameterInfo.xml$schema validation failure: AgileMSP does not support Compressed attributes!
                                                • API String ID: 2143658781-3712495632
                                                • Opcode ID: 5e24066b57e38c3454d3d7f6c58eb4ca3aff65d60bcb9134b1d8036a14fb02c9
                                                • Instruction ID: e8971845bbb171422d75293d8a75943a37c5f257e2ff63dcdc8b9e5c2ef5679a
                                                • Opcode Fuzzy Hash: 5e24066b57e38c3454d3d7f6c58eb4ca3aff65d60bcb9134b1d8036a14fb02c9
                                                • Instruction Fuzzy Hash: DAB18171901249EFDF00DFE8CA49BEDBBB8BF05308F144569E111A7B91DB359A48CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 62%
                                                			E6C3CD937(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                				intOrPtr _t153;
                                                				intOrPtr _t162;
                                                				void* _t165;
                                                				signed int _t166;
                                                				void* _t173;
                                                				void* _t174;
                                                				void* _t180;
                                                				intOrPtr _t183;
                                                				intOrPtr _t186;
                                                				intOrPtr _t193;
                                                				void* _t196;
                                                				intOrPtr _t197;
                                                				intOrPtr _t199;
                                                				intOrPtr _t205;
                                                				signed int _t214;
                                                				signed int _t216;
                                                				signed int _t221;
                                                				signed int _t222;
                                                				void* _t234;
                                                				signed int _t235;
                                                				signed int _t243;
                                                				void* _t247;
                                                
                                                				_push(0x4c);
                                                				E6C3C49E9(0x6c3ddf51, __ebx, __edi, __esi);
                                                				 *((intOrPtr*)(_t247 - 0x18)) = __ecx;
                                                				_t243 = 0;
                                                				 *((intOrPtr*)(_t247 - 0x24)) = 0;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				 *(_t247 - 0x58) = 0;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				asm("stosd");
                                                				asm("stosd");
                                                				asm("stosd");
                                                				 *((intOrPtr*)(_t247 - 0x40)) = 0;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				asm("stosd");
                                                				 *(_t247 - 0x10) = 0;
                                                				 *((intOrPtr*)(_t247 - 0x14)) = 0;
                                                				if( *((intOrPtr*)(_t247 + 0x14)) == 0 ||  *((intOrPtr*)(_t247 + 0x18)) == 0 ||  *((intOrPtr*)(_t247 + 8)) == 0 ||  *((intOrPtr*)(_t247 + 0xc)) == 0 ||  *((intOrPtr*)(_t247 + 0x1c)) == 0) {
                                                					_t214 = 0x80070057;
                                                					_t153 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t153 - 0x6c3e0088;
                                                					if(_t153 == 0x6c3e0088) {
                                                						goto L33;
                                                					} else {
                                                						__eflags =  *(_t153 + 0x1c) & 0x00000001;
                                                						if(( *(_t153 + 0x1c) & 0x00000001) == 0) {
                                                							goto L33;
                                                						}
                                                						_t140 = _t153 + 0x14; // 0x0
                                                						_t141 = _t153 + 0x10; // 0x1
                                                						E6C3D5F11( *_t141,  *_t140, 0x11, 0x6c3ccad8);
                                                						goto L96;
                                                					}
                                                					goto L41;
                                                				} else {
                                                					_t165 =  *(__ecx + 0x88);
                                                					_t216 = 1;
                                                					if(_t165 != 0) {
                                                						L41:
                                                						_t166 = ImpersonateLoggedOnUser(_t165);
                                                						__eflags = _t166;
                                                						if(_t166 != 0) {
                                                							 *((intOrPtr*)(_t247 - 0x14)) = 1;
                                                							goto L6;
                                                						}
                                                						_t214 = E6C3D9546(GetLastError());
                                                						_t162 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t162 - 0x6c3e0088;
                                                						if(_t162 == 0x6c3e0088) {
                                                							L27:
                                                							if(_t214 >= 0) {
                                                								_t245 =  *((intOrPtr*)(_t247 + 0x14));
                                                								if( *((intOrPtr*)(_t247 + 0x14)) != 0) {
                                                									_t233 =  *((intOrPtr*)(_t247 + 0x18));
                                                									if( *((intOrPtr*)(_t247 + 0x18)) != 0) {
                                                										_t218 =  *((intOrPtr*)(_t247 + 0x1c));
                                                										if( *((intOrPtr*)(_t247 + 0x1c)) != 0 && _t162 != 0x6c3e0088 && ( *(_t162 + 0x1c) & 0x00000004) != 0) {
                                                											_t142 = _t162 + 0x14; // 0x0
                                                											_t143 = _t162 + 0x10; // 0x1
                                                											E6C3D98D7( *_t143,  *_t142, 0x1d, 0x6c3ccad8,  *_t245,  *_t233,  *_t218);
                                                										}
                                                									}
                                                								}
                                                							}
                                                							L33:
                                                							if( *(_t247 - 0x20) != 0) {
                                                								GlobalFree( *(_t247 - 0x20));
                                                							}
                                                							if( *(_t247 - 0x1c) != 0) {
                                                								GlobalFree( *(_t247 - 0x1c));
                                                							}
                                                							if( *(_t247 - 0x3c) != 0) {
                                                								GlobalFree( *(_t247 - 0x3c));
                                                							}
                                                							if( *(_t247 - 0x38) != 0) {
                                                								GlobalFree( *(_t247 - 0x38));
                                                							}
                                                							if( *(_t247 - 0x34) != 0) {
                                                								GlobalFree( *(_t247 - 0x34));
                                                							}
                                                							return E6C3C4821(_t214);
                                                						}
                                                						__eflags =  *(_t162 + 0x1c) & 0x00000001;
                                                						if(( *(_t162 + 0x1c) & 0x00000001) != 0) {
                                                							_t75 = _t162 + 0x14; // 0x0
                                                							_t76 = _t162 + 0x10; // 0x1
                                                							E6C3D99F8( *_t76,  *_t75, 0x12, 0x6c3ccad8, _t214);
                                                							L98:
                                                							_t162 =  *0x6c3e0088; // 0x6c3e0088
                                                						}
                                                						goto L27;
                                                					}
                                                					L6:
                                                					E6C3CC29B( *((intOrPtr*)(_t247 + 0x14)));
                                                					E6C3CC29B( *((intOrPtr*)(_t247 + 0x18)));
                                                					 *((intOrPtr*)( *((intOrPtr*)(_t247 + 0x1c)))) = _t243;
                                                					_push(_t247 - 0x24);
                                                					if( *0x6c3e0050() == 0 ||  *(_t247 - 0x20) == _t243) {
                                                						_t173 =  *0x6c3e0040(_t247 - 0x40);
                                                						_t174 =  *(_t247 - 0x3c);
                                                						if(_t173 == 0) {
                                                							 *(_t247 - 0x58) = _t216;
                                                							 *((intOrPtr*)(_t247 - 0x54)) = 3;
                                                							goto L58;
                                                						} else {
                                                							if( *((intOrPtr*)(_t247 - 0x40)) != _t243) {
                                                								 *(_t247 - 0x58) = _t216;
                                                								 *((intOrPtr*)(_t247 - 0x54)) = 3;
                                                								 *(_t247 - 0x10) = _t216;
                                                							}
                                                							if(_t174 != _t243) {
                                                								 *(_t247 - 0x58) =  *(_t247 - 0x58) | 0x00000002;
                                                								 *(_t247 - 0x50) = _t174;
                                                								L58:
                                                								 *(_t247 - 0x10) = _t216;
                                                							}
                                                							 *(_t247 - 0x44) = _t216;
                                                							if( *(_t247 - 0x10) == _t243) {
                                                								L73:
                                                								_t234 =  *(_t247 - 0x38);
                                                								__eflags = _t234;
                                                								if(_t234 == 0) {
                                                									L24:
                                                									_t162 =  *0x6c3e0088; // 0x6c3e0088
                                                									L25:
                                                									_t214 = 0;
                                                									goto L26;
                                                								}
                                                								_t162 =  *0x6c3e0088; // 0x6c3e0088
                                                								__eflags = _t162 - 0x6c3e0088;
                                                								if(_t162 != 0x6c3e0088) {
                                                									__eflags =  *(_t162 + 0x1c) & 0x00000004;
                                                									if(( *(_t162 + 0x1c) & 0x00000004) != 0) {
                                                										_t122 = _t162 + 0x14; // 0x0
                                                										_t123 = _t162 + 0x10; // 0x1
                                                										E6C3D5F11( *_t123,  *_t122, 0x1a, 0x6c3ccad8);
                                                										_t234 =  *(_t247 - 0x38);
                                                										_t162 =  *0x6c3e0088; // 0x6c3e0088
                                                									}
                                                								}
                                                								_t221 =  *_t234 & 0x0000ffff;
                                                								__eflags = _t221;
                                                								if(_t221 == 0) {
                                                									L85:
                                                									_t235 =  *(_t247 - 0x34);
                                                									__eflags = _t235;
                                                									if(_t235 == 0) {
                                                										goto L25;
                                                									}
                                                									_t222 =  *_t235 & 0x0000ffff;
                                                									__eflags = _t222;
                                                									if(_t222 == 0) {
                                                										goto L25;
                                                									}
                                                									__eflags = _t222 - 0x3a;
                                                									if(__eflags != 0) {
                                                										L89:
                                                										_push(_t235);
                                                										_t214 = E6C3CCF7A(_t216,  *((intOrPtr*)(_t247 + 0x18)), 0x6c3ccad8, _t243, __eflags);
                                                										__eflags = _t214;
                                                										if(_t214 >= 0) {
                                                											goto L24;
                                                										}
                                                										_t162 =  *0x6c3e0088; // 0x6c3e0088
                                                										__eflags = _t162 - 0x6c3e0088;
                                                										if(_t162 == 0x6c3e0088) {
                                                											goto L26;
                                                										}
                                                										__eflags =  *(_t162 + 0x1c) & 0x00000001;
                                                										if(( *(_t162 + 0x1c) & 0x00000001) == 0) {
                                                											goto L26;
                                                										}
                                                										_push(_t214);
                                                										_push(0x6c3ccad8);
                                                										_push(0x1c);
                                                										goto L55;
                                                									}
                                                									__eflags =  *((short*)(_t235 + 2));
                                                									if(__eflags == 0) {
                                                										goto L25;
                                                									}
                                                									goto L89;
                                                								} else {
                                                									__eflags = _t221 - 0x3a;
                                                									if(__eflags != 0) {
                                                										L80:
                                                										_push(_t234);
                                                										 *((intOrPtr*)( *((intOrPtr*)(_t247 + 0x1c)))) = 3;
                                                										_t216 = E6C3CCF7A(_t216,  *((intOrPtr*)(_t247 + 0x14)), 0x6c3ccad8, _t243, __eflags);
                                                										__eflags = _t216;
                                                										if(_t216 >= 0) {
                                                											_t162 =  *0x6c3e0088; // 0x6c3e0088
                                                											goto L85;
                                                										}
                                                										_t162 =  *0x6c3e0088; // 0x6c3e0088
                                                										__eflags = _t162 - 0x6c3e0088;
                                                										if(_t162 == 0x6c3e0088) {
                                                											goto L26;
                                                										}
                                                										__eflags =  *(_t162 + 0x1c) & 0x00000001;
                                                										if(( *(_t162 + 0x1c) & 0x00000001) == 0) {
                                                											goto L26;
                                                										}
                                                										_push(_t216);
                                                										_push(0x6c3ccad8);
                                                										_push(0x1b);
                                                										goto L55;
                                                									}
                                                									__eflags =  *((short*)(_t234 + 2));
                                                									if(__eflags == 0) {
                                                										goto L85;
                                                									}
                                                									goto L80;
                                                								}
                                                							}
                                                							 *((intOrPtr*)(_t247 - 0x30)) = 0;
                                                							 *((intOrPtr*)(_t247 - 0x28)) = 0;
                                                							 *((intOrPtr*)(_t247 - 0x2c)) = 0;
                                                							 *(_t247 - 4) = 0;
                                                							_t180 = 0x6c3cdba0;
                                                							if( *((intOrPtr*)(_t247 + 0x10)) == 0) {
                                                								_t180 = 0x6c3d5b60;
                                                							}
                                                							_push( *((intOrPtr*)(_t247 + 0xc)));
                                                							_push( *((intOrPtr*)(_t247 + 8)));
                                                							_t214 = E6C3CDBA9(_t216, 0x6c3ccad8, 0, _t247 - 0x30, L"http%s://%s/%s", _t180);
                                                							if(_t214 < 0) {
                                                								_t183 =  *0x6c3e0088; // 0x6c3e0088
                                                								__eflags = _t183 - 0x6c3e0088;
                                                								if(_t183 == 0x6c3e0088) {
                                                									goto L64;
                                                								}
                                                								__eflags =  *(_t183 + 0x1c) & 0x00000001;
                                                								if(( *(_t183 + 0x1c) & 0x00000001) == 0) {
                                                									goto L64;
                                                								}
                                                								_push(_t214);
                                                								_push(0x6c3ccad8);
                                                								_push(0x15);
                                                								goto L63;
                                                							} else {
                                                								_t186 =  *0x6c3e0088; // 0x6c3e0088
                                                								if(_t186 != 0x6c3e0088 && ( *(_t186 + 0x1c) & 0x00000004) != 0) {
                                                									_t106 = _t186 + 0x14; // 0x0
                                                									_t107 = _t186 + 0x10; // 0x1
                                                									E6C3D5F11( *_t107,  *_t106, 0x16, 0x6c3ccad8);
                                                								}
                                                								_t243 = GetTickCount;
                                                								GetTickCount();
                                                								 *((intOrPtr*)(_t247 + 0xc)) =  *0x6c3e004c( *((intOrPtr*)( *((intOrPtr*)(_t247 - 0x18)))),  *((intOrPtr*)(_t247 - 0x30)), _t247 - 0x58, _t247 - 0x24);
                                                								GetTickCount();
                                                								if( *((intOrPtr*)(_t247 + 0xc)) == 0) {
                                                									_t193 =  *0x6c3e0088; // 0x6c3e0088
                                                									__eflags = _t193 - 0x6c3e0088;
                                                									if(_t193 != 0x6c3e0088) {
                                                										__eflags =  *(_t193 + 0x1c) & 0x00000001;
                                                										if(( *(_t193 + 0x1c) & 0x00000001) != 0) {
                                                											_t196 = E6C3D9546(GetLastError());
                                                											_t197 =  *0x6c3e0088; // 0x6c3e0088
                                                											_t116 = _t197 + 0x14; // 0x0
                                                											_t117 = _t197 + 0x10; // 0x1
                                                											E6C3D99F8( *_t117,  *_t116, 0x19, 0x6c3ccad8, _t196);
                                                										}
                                                									}
                                                									goto L23;
                                                								} else {
                                                									_t199 =  *0x6c3e0088; // 0x6c3e0088
                                                									if(_t199 != 0x6c3e0088) {
                                                										_t269 =  *(_t199 + 0x1c) & 0x00000004;
                                                										if(( *(_t199 + 0x1c) & 0x00000004) != 0) {
                                                											_t108 = _t199 + 0x14; // 0x0
                                                											_t109 = _t199 + 0x10; // 0x1
                                                											E6C3D5F11( *_t109,  *_t108, 0x17, 0x6c3ccad8);
                                                										}
                                                									}
                                                									_push( *(_t247 - 0x20));
                                                									_t214 = E6C3CCF7A(_t214,  *((intOrPtr*)(_t247 + 0x14)), 0x6c3ccad8, _t243, _t269);
                                                									_t270 = _t214;
                                                									if(_t214 < 0) {
                                                										L67:
                                                										_t183 =  *0x6c3e0088; // 0x6c3e0088
                                                										__eflags = _t183 - 0x6c3e0088;
                                                										if(_t183 == 0x6c3e0088) {
                                                											L64:
                                                											E6C3CC29B(_t247 - 0x30);
                                                											goto L96;
                                                										}
                                                										__eflags =  *(_t183 + 0x1c) & 0x00000001;
                                                										if(( *(_t183 + 0x1c) & 0x00000001) == 0) {
                                                											goto L64;
                                                										}
                                                										_push(_t214);
                                                										_push(0x6c3ccad8);
                                                										_push(0x18);
                                                										L63:
                                                										_t103 = _t183 + 0x14; // 0x0
                                                										_push( *_t103);
                                                										_t104 = _t183 + 0x10; // 0x1
                                                										_push( *_t104);
                                                										E6C3D99F8();
                                                										goto L64;
                                                									}
                                                									_push( *(_t247 - 0x1c));
                                                									_t214 = E6C3CCF7A(_t214,  *((intOrPtr*)(_t247 + 0x18)), 0x6c3ccad8, _t243, _t270);
                                                									if(_t214 < 0) {
                                                										goto L67;
                                                									} else {
                                                										 *((intOrPtr*)( *((intOrPtr*)(_t247 + 0x1c)))) =  *((intOrPtr*)(_t247 - 0x24));
                                                										L23:
                                                										 *(_t247 - 4) =  *(_t247 - 4) | 0xffffffff;
                                                										E6C3CC29B(_t247 - 0x30);
                                                										if( *((intOrPtr*)(_t247 + 0xc)) == 0) {
                                                											goto L73;
                                                										}
                                                										goto L24;
                                                									}
                                                								}
                                                							}
                                                						}
                                                					} else {
                                                						_t205 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t205 - 0x6c3e0088;
                                                						if(__eflags != 0) {
                                                							__eflags =  *(_t205 + 0x1c) & 0x00000004;
                                                							if(__eflags != 0) {
                                                								_t81 = _t205 + 0x14; // 0x0
                                                								_t82 = _t205 + 0x10; // 0x1
                                                								E6C3D5F11( *_t82,  *_t81, 0x13, 0x6c3ccad8);
                                                							}
                                                						}
                                                						_push( *(_t247 - 0x20));
                                                						_t214 = E6C3CCF7A(_t216,  *((intOrPtr*)(_t247 + 0x14)), 0x6c3ccad8, _t243, __eflags);
                                                						__eflags = _t214 - _t243;
                                                						if(__eflags < 0) {
                                                							L52:
                                                							_t162 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t162 - 0x6c3e0088;
                                                							if(_t162 == 0x6c3e0088) {
                                                								goto L26;
                                                							}
                                                							__eflags =  *(_t162 + 0x1c) & 0x00000001;
                                                							if(( *(_t162 + 0x1c) & 0x00000001) == 0) {
                                                								goto L26;
                                                							}
                                                							_push(_t214);
                                                							_push(0x6c3ccad8);
                                                							_push(0x14);
                                                							L55:
                                                							_t92 = _t162 + 0x14; // 0x0
                                                							_push( *_t92);
                                                							_t93 = _t162 + 0x10; // 0x1
                                                							_push( *_t93);
                                                							E6C3D99F8();
                                                							goto L96;
                                                						} else {
                                                							_push( *(_t247 - 0x1c));
                                                							_t214 = E6C3CCF7A(_t214,  *((intOrPtr*)(_t247 + 0x18)), 0x6c3ccad8, _t243, __eflags);
                                                							__eflags = _t214 - _t243;
                                                							if(_t214 < _t243) {
                                                								goto L52;
                                                							}
                                                							 *((intOrPtr*)( *((intOrPtr*)(_t247 + 0x1c)))) =  *((intOrPtr*)(_t247 - 0x24));
                                                							_t214 = 0;
                                                							L96:
                                                							_t162 =  *0x6c3e0088; // 0x6c3e0088
                                                							L26:
                                                							if( *((intOrPtr*)(_t247 - 0x14)) != 0) {
                                                								RevertToSelf();
                                                								goto L98;
                                                							}
                                                							goto L27;
                                                						}
                                                					}
                                                				}
                                                			}

























                                                0x6c3cd9f9
                                                0x6c3cd9fc
                                                0x6c3cda03
                                                0x6c3cda03
                                                0x6c3cda08
                                                0x6c3d2ad3
                                                0x6c3d2ad7
                                                0x6c3d2ae6
                                                0x6c3d2ae6
                                                0x6c3d2ae6
                                                0x6c3cda11
                                                0x6c3cda14
                                                0x6c3d2ba3
                                                0x6c3d2ba3
                                                0x6c3d2ba6
                                                0x6c3d2ba8
                                                0x6c3cdaf9
                                                0x6c3cdaf9
                                                0x6c3cdafe
                                                0x6c3cdafe
                                                0x00000000
                                                0x6c3cdafe
                                                0x6c3d2bae
                                                0x6c3d2bb3
                                                0x6c3d2bb8
                                                0x6c3d2bba
                                                0x6c3d2bbe
                                                0x6c3d2bc3
                                                0x6c3d2bc6
                                                0x6c3d2bc9
                                                0x6c3d2bce
                                                0x6c3d2bd1
                                                0x6c3d2bd1
                                                0x6c3d2bbe
                                                0x6c3d2bd6
                                                0x6c3d2bd9
                                                0x6c3d2bdc
                                                0x6c3d2c2b
                                                0x6c3d2c2b
                                                0x6c3d2c2e
                                                0x6c3d2c30
                                                0x00000000
                                                0x00000000
                                                0x6c3d2c36
                                                0x6c3d2c39
                                                0x6c3d2c3c
                                                0x00000000
                                                0x00000000
                                                0x6c3d2c42
                                                0x6c3d2c46
                                                0x6c3d2c53
                                                0x6c3d2c56
                                                0x6c3d2c5c
                                                0x6c3d2c5e
                                                0x6c3d2c60
                                                0x00000000
                                                0x00000000
                                                0x6c3d2c66
                                                0x6c3d2c6b
                                                0x6c3d2c70
                                                0x00000000
                                                0x00000000
                                                0x6c3d2c76
                                                0x6c3d2c7a
                                                0x00000000
                                                0x00000000
                                                0x6c3d2c80
                                                0x6c3d2c81
                                                0x6c3d2c82
                                                0x00000000
                                                0x6c3d2c82
                                                0x6c3d2c48
                                                0x6c3d2c4d
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x6c3d2bde
                                                0x6c3d2bde
                                                0x6c3d2be2
                                                0x6c3d2beb
                                                0x6c3d2bf1
                                                0x6c3d2bf2
                                                0x6c3d2bfd
                                                0x6c3d2bff
                                                0x6c3d2c01
                                                0x6c3d2c26
                                                0x00000000
                                                0x6c3d2c26
                                                0x6c3d2c03
                                                0x6c3d2c08
                                                0x6c3d2c0d
                                                0x00000000
                                                0x00000000
                                                0x6c3d2c13
                                                0x6c3d2c17
                                                0x00000000
                                                0x00000000
                                                0x6c3d2c1d
                                                0x6c3d2c1e
                                                0x6c3d2c1f
                                                0x00000000
                                                0x6c3d2c1f
                                                0x6c3d2be4
                                                0x6c3d2be9
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x6c3d2be9
                                                0x6c3d2bdc
                                                0x6c3cda1c
                                                0x6c3cda1f
                                                0x6c3cda22
                                                0x6c3cda28
                                                0x6c3cda2b
                                                0x6c3cda30
                                                0x6c3d2aee
                                                0x6c3d2aee
                                                0x6c3cda36
                                                0x6c3cda39
                                                0x6c3cda4b
                                                0x6c3cda52
                                                0x6c3d2af8
                                                0x6c3d2afd
                                                0x6c3d2b02
                                                0x00000000
                                                0x00000000
                                                0x6c3d2b04
                                                0x6c3d2b08
                                                0x00000000
                                                0x00000000
                                                0x6c3d2b0a
                                                0x6c3d2b0b
                                                0x6c3d2b0c
                                                0x00000000
                                                0x6c3cda58
                                                0x6c3cda58
                                                0x6c3cda62
                                                0x6c3d2b29
                                                0x6c3d2b2c
                                                0x6c3d2b2f
                                                0x6c3d2b2f
                                                0x6c3cda6e
                                                0x6c3cda74
                                                0x6c3cda8c
                                                0x6c3cda8f
                                                0x6c3cda95
                                                0x6c3d2b64
                                                0x6c3d2b69
                                                0x6c3d2b6e
                                                0x6c3d2b74
                                                0x6c3d2b78
                                                0x6c3d2b85
                                                0x6c3d2b8b
                                                0x6c3d2b93
                                                0x6c3d2b96
                                                0x6c3d2b99
                                                0x6c3d2b99
                                                0x6c3d2b78
                                                0x00000000
                                                0x6c3cda9b
                                                0x6c3cda9b
                                                0x6c3cdaa5
                                                0x6c3cdaa7
                                                0x6c3cdaab
                                                0x6c3d2b3c
                                                0x6c3d2b3f
                                                0x6c3d2b42
                                                0x6c3d2b42
                                                0x6c3cdaab
                                                0x6c3cdab1
                                                0x6c3cdabc
                                                0x6c3cdabe
                                                0x6c3cdac0
                                                0x6c3d2b4c
                                                0x6c3d2b4c
                                                0x6c3d2b51
                                                0x6c3d2b56
                                                0x6c3d2b19
                                                0x6c3d2b1c
                                                0x00000000
                                                0x6c3d2b1c
                                                0x6c3d2b58
                                                0x6c3d2b5c
                                                0x00000000
                                                0x00000000
                                                0x6c3d2b5e
                                                0x6c3d2b5f
                                                0x6c3d2b60
                                                0x6c3d2b0e
                                                0x6c3d2b0e
                                                0x6c3d2b0e
                                                0x6c3d2b11
                                                0x6c3d2b11
                                                0x6c3d2b14
                                                0x00000000
                                                0x6c3d2b14
                                                0x6c3cdac6
                                                0x6c3cdad1
                                                0x6c3cdad5
                                                0x00000000
                                                0x6c3cdadb
                                                0x6c3cdae1
                                                0x6c3cdae3
                                                0x6c3cdae3
                                                0x6c3cdaea
                                                0x6c3cdaf3
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x6c3cdaf3
                                                0x6c3cdad5
                                                0x6c3cda95
                                                0x6c3cda52
                                                0x6c3d2a54
                                                0x6c3d2a54
                                                0x6c3d2a59
                                                0x6c3d2a5e
                                                0x6c3d2a60
                                                0x6c3d2a64
                                                0x6c3d2a69
                                                0x6c3d2a6c
                                                0x6c3d2a6f
                                                0x6c3d2a6f
                                                0x6c3d2a64
                                                0x6c3d2a74
                                                0x6c3d2a7f
                                                0x6c3d2a81
                                                0x6c3d2a83
                                                0x6c3d2aa5
                                                0x6c3d2aa5
                                                0x6c3d2aaa
                                                0x6c3d2aaf
                                                0x00000000
                                                0x00000000
                                                0x6c3d2ab5
                                                0x6c3d2ab9
                                                0x00000000
                                                0x00000000
                                                0x6c3d2abf
                                                0x6c3d2ac0
                                                0x6c3d2ac1
                                                0x6c3d2ac3
                                                0x6c3d2ac3
                                                0x6c3d2ac3
                                                0x6c3d2ac6
                                                0x6c3d2ac6
                                                0x6c3d2ac9
                                                0x00000000
                                                0x6c3d2a85
                                                0x6c3d2a85
                                                0x6c3d2a90
                                                0x6c3d2a92
                                                0x6c3d2a94
                                                0x00000000
                                                0x00000000
                                                0x6c3d2a9c
                                                0x6c3d2a9e
                                                0x6c3d2cb1
                                                0x6c3d2cb1
                                                0x6c3cdb00
                                                0x6c3cdb04
                                                0x6c3d2cbb
                                                0x00000000
                                                0x6c3d2cbb
                                                0x00000000
                                                0x6c3cdb04
                                                0x6c3d2a83
                                                0x6c3cd9d4

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 6C3CDA74
                                                • GetTickCount.KERNEL32 ref: 6C3CDA8F
                                                • GlobalFree.KERNEL32(?), ref: 6C3CDB44
                                                • ImpersonateLoggedOnUser.ADVAPI32(?,0000004C,6C3CC228,?,?,00000001,?,?,00000000,?,?,?,00000000), ref: 6C3D2A06
                                                • GetLastError.KERNEL32(?,?,?,00000000), ref: 6C3D2A10
                                                • RevertToSelf.ADVAPI32(?,?,?,00000000), ref: 6C3D2CBB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CountTick$ErrorFreeGlobalImpersonateLastLoggedRevertSelfUser
                                                • String ID: http%s://%s/%s
                                                • API String ID: 1105026337-335662767
                                                • Opcode ID: 00c9623fec38152595f627d8f27035ef0040f7e97df4d3950ba576e78857f82f
                                                • Instruction ID: f7e2874e36bc4775a7d18c33032f92aae7cec4c4f9a4d7dd45d155e8e308848c
                                                • Opcode Fuzzy Hash: 00c9623fec38152595f627d8f27035ef0040f7e97df4d3950ba576e78857f82f
                                                • Instruction Fuzzy Hash: 02E1DE75A412499FCB11DF94C984EDEBBB8BF09708F12405AF9109BA60CB72ED44DF62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 25%
                                                			E6C3CC069(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                				intOrPtr _t131;
                                                				intOrPtr _t132;
                                                				intOrPtr _t140;
                                                				intOrPtr _t143;
                                                				intOrPtr _t145;
                                                				intOrPtr _t148;
                                                				signed int _t150;
                                                				signed int _t151;
                                                				void* _t153;
                                                				intOrPtr _t161;
                                                				intOrPtr _t168;
                                                				intOrPtr _t171;
                                                				signed int _t184;
                                                				signed int _t185;
                                                				intOrPtr* _t205;
                                                				void* _t206;
                                                
                                                				_push(0x3c);
                                                				E6C3C49E9(E6C3DE037, __ebx, __edi, __esi);
                                                				_t205 = __ecx;
                                                				_t184 = 0;
                                                				 *((intOrPtr*)(_t206 - 0x38)) = 0;
                                                				 *((intOrPtr*)(_t206 - 0x30)) = 0;
                                                				 *((intOrPtr*)(_t206 - 0x34)) = 0;
                                                				 *((intOrPtr*)(_t206 - 4)) = 0;
                                                				 *((intOrPtr*)(_t206 - 0x2c)) = 0;
                                                				 *((intOrPtr*)(_t206 - 0x24)) = 0;
                                                				 *((intOrPtr*)(_t206 - 0x28)) = 0;
                                                				 *((char*)(_t206 - 4)) = 1;
                                                				 *((intOrPtr*)(_t206 - 0x18)) = 0;
                                                				 *((intOrPtr*)(_t206 - 0x20)) = __ecx;
                                                				 *((intOrPtr*)(_t206 - 0x14)) = 0x7e0000;
                                                				 *(_t206 - 0x10) = 0;
                                                				if( *((intOrPtr*)(__ecx + 4)) != 0 ||  *((intOrPtr*)(__ecx + 8)) != 0) {
                                                					_t185 = 0x8000000a;
                                                					goto L23;
                                                				} else {
                                                					_t131 =  *((intOrPtr*)(_t206 + 0x34));
                                                					if(_t131 != 0) {
                                                						 *(_t206 + 0x10) = 1;
                                                					}
                                                					 *((intOrPtr*)(_t205 + 0x28)) = _t131;
                                                					_t132 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t132 != 0x6c3e0088 && ( *(_t132 + 0x1c) & 0x00000004) != 0) {
                                                						_t64 = _t132 + 0x14; // 0x0
                                                						_t65 = _t132 + 0x10; // 0x1
                                                						E6C3D877C( *_t65,  *_t64, 0x26, 0x6c3ccad8,  *((intOrPtr*)(_t206 + 8)),  *((intOrPtr*)(_t206 + 0xc)));
                                                					}
                                                					 *((intOrPtr*)(_t206 - 0x1c)) = _t205 + 0x54;
                                                					_t133 = E6C3CC313(_t205 + 0x54);
                                                					if( *_t205 != _t184) {
                                                						L11:
                                                						E6C3CC362(_t133,  *((intOrPtr*)(_t206 - 0x1c)));
                                                						ResetEvent( *(_t205 + 0x10));
                                                						ResetEvent( *(_t205 + 0x18));
                                                						 *((intOrPtr*)(_t205 + 0x8c)) = _t184;
                                                						if( *((intOrPtr*)(_t206 + 0x1c)) != _t184) {
                                                							 *((intOrPtr*)(_t206 - 0x44)) =  *((intOrPtr*)(_t206 + 0x20));
                                                							 *((intOrPtr*)(_t206 - 0x48)) = _t184;
                                                							_t185 =  *((intOrPtr*)(_t206 + 0x1c))(_t206 - 0x48);
                                                							__eflags = _t185;
                                                							if(_t185 >= 0) {
                                                								_t184 = 0;
                                                								goto L12;
                                                							}
                                                							_t143 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t143 - 0x6c3e0088;
                                                							if(_t143 == 0x6c3e0088) {
                                                								goto L23;
                                                							}
                                                							__eflags =  *(_t143 + 0x1c) & 0x00000001;
                                                							if(( *(_t143 + 0x1c) & 0x00000001) == 0) {
                                                								goto L23;
                                                							}
                                                							_push(_t185);
                                                							_push(0x6c3ccad8);
                                                							_push(0x2b);
                                                							L45:
                                                							_t91 = _t143 + 0x14; // 0x0
                                                							_push( *_t91);
                                                							_t92 = _t143 + 0x10; // 0x1
                                                							_push( *_t92);
                                                							E6C3D99F8();
                                                							goto L23;
                                                						}
                                                						L12:
                                                						_t140 =  *0x6c3e0070( *_t205,  *((intOrPtr*)(_t206 + 8)),  *((intOrPtr*)(_t206 + 0x24)), _t184);
                                                						 *((intOrPtr*)(_t205 + 4)) = _t140;
                                                						if(_t140 == _t184) {
                                                							_t185 = E6C3D9546(GetLastError());
                                                							_t143 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t143 - 0x6c3e0088;
                                                							if(_t143 == 0x6c3e0088) {
                                                								goto L23;
                                                							}
                                                							__eflags =  *(_t143 + 0x1c) & 0x00000001;
                                                							if(( *(_t143 + 0x1c) & 0x00000001) == 0) {
                                                								goto L23;
                                                							}
                                                							_push(_t185);
                                                							_push(0x6c3ccad8);
                                                							_push(0x2c);
                                                							goto L45;
                                                						}
                                                						asm("sbb ecx, ecx");
                                                						_t145 =  *0x6c3e006c(_t140,  *((intOrPtr*)(_t206 + 0x14)),  *((intOrPtr*)(_t206 + 0xc)), _t184, _t184, _t184,  ~( *(_t206 + 0x10)) & 0x00800000);
                                                						 *((intOrPtr*)(_t205 + 8)) = _t145;
                                                						if(_t145 == _t184) {
                                                							_t185 = E6C3D9546(GetLastError());
                                                							_t148 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t148 - 0x6c3e0088;
                                                							if(_t148 == 0x6c3e0088) {
                                                								goto L23;
                                                							}
                                                							__eflags =  *(_t148 + 0x1c) & 0x00000001;
                                                							if(( *(_t148 + 0x1c) & 0x00000001) == 0) {
                                                								goto L23;
                                                							}
                                                							_push(_t185);
                                                							_push(0x6c3ccad8);
                                                							_push(0x2d);
                                                							L53:
                                                							_t99 = _t148 + 0x14; // 0x0
                                                							_push( *_t99);
                                                							_t100 = _t148 + 0x10; // 0x1
                                                							_push( *_t100);
                                                							E6C3D99F8();
                                                							goto L23;
                                                						}
                                                						if( *((intOrPtr*)(_t206 + 0x34)) != _t184) {
                                                							 *(_t206 - 0x10) = 1;
                                                							_t150 =  *0x6c3e0048(_t145, 0x4d, _t206 - 0x10, 4);
                                                							__eflags = _t150;
                                                							if(_t150 != 0) {
                                                								goto L15;
                                                							}
                                                							_t185 = E6C3D9546(GetLastError());
                                                							_t148 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t148 - 0x6c3e0088;
                                                							if(_t148 == 0x6c3e0088) {
                                                								goto L23;
                                                							}
                                                							__eflags =  *(_t148 + 0x1c) & 0x00000001;
                                                							if(( *(_t148 + 0x1c) & 0x00000001) == 0) {
                                                								goto L23;
                                                							}
                                                							_push(_t185);
                                                							_push(0x6c3ccad8);
                                                							_push(0x2e);
                                                							goto L53;
                                                						}
                                                						L15:
                                                						if( *((intOrPtr*)(_t206 + 0x30)) != _t184) {
                                                							_t151 =  *0x6c3e0068( *((intOrPtr*)(_t205 + 8)),  *((intOrPtr*)(_t206 + 0x30)), 0xffffffff, 0x20000000);
                                                							__eflags = _t151;
                                                							if(_t151 != 0) {
                                                								goto L16;
                                                							}
                                                							_t185 = E6C3D9546(GetLastError());
                                                							_t148 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t148 - 0x6c3e0088;
                                                							if(_t148 == 0x6c3e0088) {
                                                								goto L23;
                                                							}
                                                							__eflags =  *(_t148 + 0x1c) & 0x00000001;
                                                							if(( *(_t148 + 0x1c) & 0x00000001) == 0) {
                                                								goto L23;
                                                							}
                                                							_push(_t185);
                                                							_push(0x6c3ccad8);
                                                							_push(0x2f);
                                                							goto L53;
                                                						}
                                                						L16:
                                                						if( *((intOrPtr*)(_t205 + 0x24)) == _t184) {
                                                							 *((intOrPtr*)(_t206 - 0x14)) = 0x7e0c00;
                                                						}
                                                						E6C3CC2FD(_t205);
                                                						_t153 =  *0x6c3e0064( *((intOrPtr*)(_t205 + 8)), E6C3CE338,  *((intOrPtr*)(_t206 - 0x14)), _t184);
                                                						_t186 = _t153;
                                                						E6C3CC33D(_t205);
                                                						_t225 = _t153 - 0xffffffff;
                                                						if(_t153 == 0xffffffff) {
                                                							_t185 = E6C3D9546(GetLastError());
                                                							_t148 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t148 - 0x6c3e0088;
                                                							if(_t148 == 0x6c3e0088) {
                                                								goto L23;
                                                							}
                                                							__eflags =  *(_t148 + 0x1c) & 0x00000001;
                                                							if(( *(_t148 + 0x1c) & 0x00000001) == 0) {
                                                								goto L23;
                                                							}
                                                							_push(_t185);
                                                							_push(0x6c3ccad8);
                                                							_push(0x30);
                                                							goto L53;
                                                						} else {
                                                							_t198 = _t205;
                                                							_t185 = E6C3CD937(_t186, _t205, 0x6c3e0088, _t205, _t225,  *((intOrPtr*)(_t206 + 8)),  *((intOrPtr*)(_t206 + 0xc)),  *(_t206 + 0x10), _t206 - 0x38, _t206 - 0x2c, _t206 - 0x18);
                                                							if(_t185 < 0) {
                                                								_t143 =  *0x6c3e0088; // 0x6c3e0088
                                                								__eflags = _t143 - 0x6c3e0088;
                                                								if(_t143 == 0x6c3e0088) {
                                                									goto L23;
                                                								}
                                                								__eflags =  *(_t143 + 0x1c) & 0x00000001;
                                                								if(( *(_t143 + 0x1c) & 0x00000001) == 0) {
                                                									goto L23;
                                                								}
                                                								_push(_t185);
                                                								_push(0x6c3ccad8);
                                                								_push(0x31);
                                                								goto L45;
                                                							}
                                                							_t161 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t161 != 0x6c3e0088 && ( *(_t161 + 0x1c) & 0x00000004) != 0) {
                                                								_t121 = _t161 + 0x14; // 0x0
                                                								_t122 = _t161 + 0x10; // 0x1
                                                								E6C3D97BA(_t198,  *_t122,  *_t121, 0x32, 0x6c3ccad8,  *((intOrPtr*)(_t206 + 8)),  *((intOrPtr*)(_t206 + 0xc)),  *((intOrPtr*)(_t206 + 0x14)));
                                                							}
                                                							_t185 = E6C3CC385(_t205,  *((intOrPtr*)(_t206 - 0x38)),  *((intOrPtr*)(_t206 - 0x2c)),  *((intOrPtr*)(_t206 - 0x18)),  *((intOrPtr*)(_t206 + 0x18)),  *((intOrPtr*)(_t206 + 0x28)),  *((intOrPtr*)(_t206 + 0x2c)));
                                                							if(_t185 < 0) {
                                                								_t143 =  *0x6c3e0088; // 0x6c3e0088
                                                								__eflags = _t143 - 0x6c3e0088;
                                                								if(_t143 == 0x6c3e0088) {
                                                									goto L23;
                                                								}
                                                								__eflags =  *(_t143 + 0x1c) & 0x00000001;
                                                								if(( *(_t143 + 0x1c) & 0x00000001) == 0) {
                                                									goto L23;
                                                								}
                                                								_push(_t185);
                                                								_push(0x6c3ccad8);
                                                								_push(0x33);
                                                								goto L45;
                                                							} else {
                                                								_t185 = 0;
                                                								goto L23;
                                                							}
                                                						}
                                                					} else {
                                                						_t168 =  *0x6c3e0044(L"MSDW", 1, _t184, _t184, 0x10000000);
                                                						 *_t205 = _t168;
                                                						if(_t168 == _t184) {
                                                							_t185 = E6C3D9546(GetLastError());
                                                							_t171 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t171 - 0x6c3e0088;
                                                							if(_t171 != 0x6c3e0088) {
                                                								__eflags =  *(_t171 + 0x1c) & 0x00000001;
                                                								if(( *(_t171 + 0x1c) & 0x00000001) != 0) {
                                                									_t69 = _t171 + 0x14; // 0x0
                                                									_t70 = _t171 + 0x10; // 0x1
                                                									_t171 = E6C3D99F8( *_t70,  *_t69, 0x27, 0x6c3ccad8, _t185);
                                                								}
                                                							}
                                                							L30:
                                                							E6C3CC362(_t171,  *((intOrPtr*)(_t206 - 0x1c)));
                                                							L23:
                                                							E6C3CC29B(_t206 - 0x2c);
                                                							E6C3CC29B(_t206 - 0x38);
                                                							return E6C3C4821(_t185);
                                                						}
                                                						_push(4);
                                                						_push(_t206 - 0x20);
                                                						_push(0x2d);
                                                						_push(_t168);
                                                						if( *0x6c3e0048() == 0) {
                                                							_t185 = E6C3D9546(GetLastError());
                                                							_t171 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t171 - 0x6c3e0088;
                                                							if(_t171 == 0x6c3e0088) {
                                                								goto L30;
                                                							}
                                                							__eflags =  *(_t171 + 0x1c) & 0x00000001;
                                                							if(( *(_t171 + 0x1c) & 0x00000001) == 0) {
                                                								goto L30;
                                                							}
                                                							_push(_t185);
                                                							_push(0x6c3ccad8);
                                                							_push(0x28);
                                                							L34:
                                                							_t75 = _t171 + 0x14; // 0x0
                                                							_push( *_t75);
                                                							_t76 = _t171 + 0x10; // 0x1
                                                							_push( *_t76);
                                                							_t171 = E6C3D99F8();
                                                							goto L30;
                                                						}
                                                						_push(4);
                                                						_push(_t206 - 0x10);
                                                						_push(0x58);
                                                						_push( *_t205);
                                                						 *(_t206 - 0x10) = 1;
                                                						if( *0x6c3e0048() == 0) {
                                                							_t185 = E6C3D9546(GetLastError());
                                                							_t171 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t171 - 0x6c3e0088;
                                                							if(_t171 == 0x6c3e0088) {
                                                								goto L30;
                                                							}
                                                							__eflags =  *(_t171 + 0x1c) & 0x00000001;
                                                							if(( *(_t171 + 0x1c) & 0x00000001) == 0) {
                                                								goto L30;
                                                							}
                                                							_push(_t185);
                                                							_push(0x6c3ccad8);
                                                							_push(0x29);
                                                							goto L34;
                                                						}
                                                						if( *((intOrPtr*)(_t205 + 0x24)) == _t184) {
                                                							goto L11;
                                                						}
                                                						_push(4);
                                                						_push(_t205 + 0x18);
                                                						_push(0x63);
                                                						_push( *_t205);
                                                						if( *0x6c3e0048() == 0) {
                                                							_t185 = E6C3D9546(GetLastError());
                                                							_t171 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t171 - 0x6c3e0088;
                                                							if(_t171 == 0x6c3e0088) {
                                                								goto L30;
                                                							}
                                                							__eflags =  *(_t171 + 0x1c) & 0x00000001;
                                                							if(( *(_t171 + 0x1c) & 0x00000001) == 0) {
                                                								goto L30;
                                                							}
                                                							_push(_t185);
                                                							_push(0x6c3ccad8);
                                                							_push(0x2a);
                                                							goto L34;
                                                						}
                                                						goto L11;
                                                					}
                                                				}
                                                			}




















                                                APIs
                                                • ResetEvent.KERNEL32(?,0000003C), ref: 6C3CC165
                                                • ResetEvent.KERNEL32(?), ref: 6C3CC16E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: EventReset
                                                • String ID: MSDW
                                                • API String ID: 2632953641-1205502275
                                                • Opcode ID: 77339a48c595399aada57f113578b3e71bbc62cb66fbfe17b6b02bf2bf6a3ef3
                                                • Instruction ID: 90595d2cc97027c89b4a5d28dd9f8fd3b573dce38bed10de6db30cd2007b85ab
                                                • Opcode Fuzzy Hash: 77339a48c595399aada57f113578b3e71bbc62cb66fbfe17b6b02bf2bf6a3ef3
                                                • Instruction Fuzzy Hash: 1BD1BE71780244ABDF91EFA5D884FED3BBABB08708F110419F61596A90CB76DD84CF62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C776DA0
                                                  • Part of subcall function 6C775F12: __EH_prolog3.LIBCMT ref: 6C775F19
                                                  • Part of subcall function 6C775F12: PathIsDirectoryW.SHLWAPI(?), ref: 6C775F56
                                                Strings
                                                • %s (%s) failed on product (%s). Msi Log: <a href="%s">%s</a>, xrefs: 6C776E4A
                                                • : ERROR_SUCCESS_RESTART_REQUIRED, xrefs: 6C776EF7
                                                • : ERROR_UNKNOWN_PRODUCT (not actually an error - patch does not apply to this product), xrefs: 6C77704D
                                                • %s (%s) succeeded on product (%s) and a reboot has been initiated!!!!. Msi Log: <a href="%s">%s</a>, xrefs: 6C776FF1
                                                • %s (%s) succeeded on product (%s) and requires the service to be restarted. Msi Log: <a href="%s">%s</a>, xrefs: 6C776EC3
                                                • : ERROR_SUCCESS_REBOOT_INITIATED, xrefs: 6C777025
                                                • : ERROR_SUCCESS_REBOOT_REQUIRED, xrefs: 6C776F87
                                                • Return value - 0x%X, xrefs: 6C776DD6
                                                • %s (%s) succeeded on product (%s) and requires reboot. Msi Log: <a href="%s">%s</a>, xrefs: 6C776F53
                                                • %s (%s) succeeded on product (%s). Msi Log: <a href="%s">%s</a>, xrefs: 6C7770A9
                                                • : no error, xrefs: 6C7770DD
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$DirectoryPath
                                                • String ID: %s (%s) failed on product (%s). Msi Log: <a href="%s">%s</a>$%s (%s) succeeded on product (%s) and a reboot has been initiated!!!!. Msi Log: <a href="%s">%s</a>$%s (%s) succeeded on product (%s) and requires reboot. Msi Log: <a href="%s">%s</a>$%s (%s) succeeded on product (%s) and requires the service to be restarted. Msi Log: <a href="%s">%s</a>$%s (%s) succeeded on product (%s). Msi Log: <a href="%s">%s</a>$: ERROR_SUCCESS_REBOOT_INITIATED$: ERROR_SUCCESS_REBOOT_REQUIRED$: ERROR_SUCCESS_RESTART_REQUIRED$: no error$: ERROR_UNKNOWN_PRODUCT (not actually an error - patch does not apply to this product)$Return value - 0x%X
                                                • API String ID: 529697523-3126805711
                                                • Opcode ID: 13c30974a8f79e5a3f7eaab7cb4ff53fdbdb752b105a8e5828a3875cc646d3e5
                                                • Instruction ID: bc10db24582b3306585d449efad868ac1a21636c5b1c9971bb2008b19558d131
                                                • Opcode Fuzzy Hash: 13c30974a8f79e5a3f7eaab7cb4ff53fdbdb752b105a8e5828a3875cc646d3e5
                                                • Instruction Fuzzy Hash: 2EC18031A00249EFCF11CFE8CA48ADDBBB2BF09308F148545F511AB7A1C771AA55EB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNEL32(kernel32.dll,GetProductInfo,?,?,6C7755D9), ref: 6C7758D4
                                                • GetProcAddress.KERNEL32(00000000), ref: 6C7758DB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: Compute Cluster Edition$Datacenter Edition$Enterprise Edition$GetProductInfo$Home Edition$Professional$Standard Edition$Storage Edition$Web Edition$kernel32.dll
                                                • API String ID: 1646373207-2428100242
                                                • Opcode ID: 95fdc7db8b79e2ac7cc8c63cf25798173a794caafa5e285ef80487f75c7b377c
                                                • Instruction ID: 4f2b6e9a9f3258db61fbca51a4f31ab29367f057478552b76a973eb4cbfbbeef
                                                • Opcode Fuzzy Hash: 95fdc7db8b79e2ac7cc8c63cf25798173a794caafa5e285ef80487f75c7b377c
                                                • Instruction Fuzzy Hash: 3E11BF3000520CF6EFB44B96EF05BE73FA49B12329F504D2AA95A60C40DF34A621EEB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C791832
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C779703: __EH_prolog3.LIBCMT ref: 6C77970A
                                                  • Part of subcall function 6C779703: VariantInit.OLEAUT32(?), ref: 6C77971B
                                                  • Part of subcall function 6C779703: SysFreeString.OLEAUT32(6C76A794), ref: 6C779751
                                                  • Part of subcall function 6C779703: VariantClear.OLEAUT32(?), ref: 6C77978E
                                                  • Part of subcall function 6C778F47: __EH_prolog3.LIBCMT ref: 6C778F4E
                                                  • Part of subcall function 6C778F47: SysFreeString.OLEAUT32(?), ref: 6C778F98
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$FreeStringVariant$ClearInit
                                                • String ID: For upgradecode %s, [%d] related products were found.$ProductCode$RelatedProducts item %s has %d related products.$Relation$SkipProduct$UpgradeCode$VersionMax$VersionMaxInclusive$VersionMin$VersionMinInclusive
                                                • API String ID: 2081811287-792701010
                                                • Opcode ID: f5eb393afc0a6be3844ae2249ef67a13e8aa9006cd97b8e19db78fe4f78798ce
                                                • Instruction ID: 8ccd59353dea3d817912eea03d8791add9cd1e98c113b2d2da234a29b1a72744
                                                • Opcode Fuzzy Hash: f5eb393afc0a6be3844ae2249ef67a13e8aa9006cd97b8e19db78fe4f78798ce
                                                • Instruction Fuzzy Hash: 89022871A01259EFCB01DFE8CA88AEDBBB9AF09718F144559F014EB751C734EA05CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DeleteFileW.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,?,6C76AB18,?,?,?,?,?,?), ref: 6C7C1F7C
                                                • GetLastError.KERNEL32 ref: 6C7C1F86
                                                Strings
                                                • BITS service not available, xrefs: 6C7C1E73
                                                • User cancelled download attempt %d of %d for %s using %s, xrefs: 6C7C2050
                                                • Starting download attempt %d of %d for %s using %s, xrefs: 6C7C1D41
                                                • Download succeeded at attempt %d of %d for %s using %s, xrefs: 6C7C208E
                                                • complete, xrefs: 6C7C1C2B
                                                • Downloading Item , xrefs: 6C7C1C3A
                                                • Download failed at attempt %d of %d for %s using %s, xrefs: 6C7C1FF0
                                                • Failed to delete invalid file, xrefs: 6C7C1F91
                                                • Action, xrefs: 6C7C1C68
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: DeleteErrorFileLast
                                                • String ID: complete$Action$BITS service not available$Download failed at attempt %d of %d for %s using %s$Download succeeded at attempt %d of %d for %s using %s$Downloading Item $Failed to delete invalid file$Starting download attempt %d of %d for %s using %s$User cancelled download attempt %d of %d for %s using %s
                                                • API String ID: 2018770650-2175310925
                                                • Opcode ID: 386a883c920fa4e1bca5d6d1b401d293a62fed74471216eb4e33e0a872db0e4f
                                                • Instruction ID: 44aca8f182b4811e94b411d5396ceb97c1f2f4bc3e3a80e1fa74610f0a5ee7d5
                                                • Opcode Fuzzy Hash: 386a883c920fa4e1bca5d6d1b401d293a62fed74471216eb4e33e0a872db0e4f
                                                • Instruction Fuzzy Hash: 65027F712083419FDB25CF14CA88B9ABBE8FF85318F048959F9959B792C731D948CB63
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • When Rollback is true for item , xrefs: 6C788036
                                                • schema validation failure. URL, HashValue and DownLoadSize attributes are not valid for LocalExe type like , xrefs: 6C78836E
                                                • schema validation failure: , xrefs: 6C78816D
                                                • ", xrefs: 6C7883BD
                                                • ParameterInfo.xml, xrefs: 6C787F63, 6C788026, 6C78815D, 6C788246, 6C78835E
                                                • schema validation failure: The InstallCommandLine, UninstallCommandLind and RepairCommandLine of an ExeBase of MsuPackage like , xrefs: 6C788256
                                                • a valid UninstallCommandLine is required., xrefs: 6C78804B
                                                • has invalid LogFileHint, xrefs: 6C788182
                                                • must be empty., xrefs: 6C78826B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Exception@8H_prolog3Throw
                                                • String ID: a valid UninstallCommandLine is required.$ has invalid LogFileHint$ must be empty.$"$ParameterInfo.xml$When Rollback is true for item $schema validation failure. URL, HashValue and DownLoadSize attributes are not valid for LocalExe type like $schema validation failure: $schema validation failure: The InstallCommandLine, UninstallCommandLind and RepairCommandLine of an ExeBase of MsuPackage like
                                                • API String ID: 3670251406-573577147
                                                • Opcode ID: 72f73a2e190e4c04737329a6a8d4ac46c6691141536e54f5b9177a2e25998264
                                                • Instruction ID: d9dcbdc20896bfd0c2257c31976e714a7833cc6f9bf4481fbbc6f3cc9d475ebc
                                                • Opcode Fuzzy Hash: 72f73a2e190e4c04737329a6a8d4ac46c6691141536e54f5b9177a2e25998264
                                                • Instruction Fuzzy Hash: A3D15331901149EFDB10DBF8CA4CBDDBBB4AF05328F544266E121B7B81DB74AA49CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 88%
                                                			E6C3C56B0(void* __edx, void** _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, struct _SECURITY_ATTRIBUTES* _a24, long _a28, signed int _a32) {
                                                				signed int _v8;
                                                				short _v528;
                                                				char _v1048;
                                                				signed int _v1052;
                                                				short _v1056;
                                                				intOrPtr _v1060;
                                                				intOrPtr _v1064;
                                                				void** _v1068;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t57;
                                                				intOrPtr _t61;
                                                				intOrPtr _t62;
                                                				signed int _t63;
                                                				WCHAR* _t69;
                                                				void** _t73;
                                                				intOrPtr _t83;
                                                				signed int _t86;
                                                				intOrPtr _t87;
                                                				struct _SECURITY_ATTRIBUTES* _t89;
                                                				signed int _t94;
                                                				void* _t95;
                                                				WCHAR* _t96;
                                                				signed int _t97;
                                                
                                                				_t93 = __edx;
                                                				_t57 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t57 ^ _t97;
                                                				_t89 = _a24;
                                                				_v1068 = _a4;
                                                				_t96 = _a8;
                                                				_v1060 = _a12;
                                                				_t61 = _a16;
                                                				_t95 = _t94 | 0xffffffff;
                                                				_v1064 = _t61;
                                                				_v1056 = 0;
                                                				_v1052 = 0x80004005;
                                                				if(_t61 == 0 || _a20 < 0x104) {
                                                					_t62 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t62 != 0x6c3e0088 && ( *(_t62 + 0x1c) & 0x00000001) != 0) {
                                                						_t55 = _t62 + 0x14; // 0x0
                                                						_t56 = _t62 + 0x10; // 0x1
                                                						E6C3D5F11( *_t56,  *_t55, 0xd, 0x6c3d5b28);
                                                					}
                                                					_t63 = 0x80070057;
                                                					goto L16;
                                                				} else {
                                                					_v1048 = 0;
                                                					_v528 = 0;
                                                					if(_t96 != 0) {
                                                						do {
                                                							L5:
                                                							if(GetTempFileNameW(_t96, ?str?, 0,  &_v528) == 0) {
                                                								goto L23;
                                                							}
                                                							if(_v1060 != 0) {
                                                								DeleteFileW( &_v528);
                                                								if(E6C3C48B0( &_v528, 0x104, _v1060) < 0) {
                                                									_t83 =  *0x6c3e0088; // 0x6c3e0088
                                                									if(_t83 != 0x6c3e0088 && ( *(_t83 + 0x1c) & 0x00000001) != 0) {
                                                										_t45 = _t83 + 0x14; // 0x0
                                                										_t46 = _t83 + 0x10; // 0x1
                                                										E6C3D99F8( *_t46,  *_t45, 0xf, 0x6c3d5b28, _v1052);
                                                									}
                                                								}
                                                							}
                                                							_t95 = CreateFileW( &_v528, 0xc0000000, _a28, _t89, 2, _a32 | 0x00002080, 0);
                                                							if(_t95 == 0xffffffff) {
                                                								goto L23;
                                                							}
                                                							L9:
                                                							_t69 =  &_v528;
                                                							__imp__GetLongPathNameW(_t69, _v1064, _a20);
                                                							if(_t69 == 0) {
                                                								_v1052 = E6C3D9546(GetLastError());
                                                								goto L14;
                                                							} else {
                                                								_t73 = _v1068;
                                                								if(_t73 != 0) {
                                                									 *_t73 = _t95;
                                                								} else {
                                                									if(_t95 != 0xffffffff) {
                                                										CloseHandle(_t95);
                                                										_t95 = _t95 | 0xffffffff;
                                                									}
                                                								}
                                                								_v1052 = _v1052 & 0x00000000;
                                                								L14:
                                                								if(_v1052 < 0) {
                                                									if(_t95 != 0xffffffff) {
                                                										CloseHandle(_t95);
                                                									}
                                                								}
                                                								L15:
                                                								_t63 = _v1052;
                                                								L16:
                                                								return E6C3C171F(_t63, _t89, _v8 ^ _t97, _t93, _t95, _t96);
                                                							}
                                                							L23:
                                                							_v1056 = _v1056 + 1;
                                                							Sleep(0x64);
                                                						} while (_v1056 < 0x32);
                                                						if(_t95 != 0xffffffff) {
                                                							goto L9;
                                                						}
                                                						_v1052 = 0x80004005;
                                                						goto L15;
                                                					}
                                                					_t86 = E6C3C583D(_t89, __edx,  &_v1048, 0x104);
                                                					_v1052 = _t86;
                                                					if(_t86 < 0) {
                                                						_t87 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t87 != 0x6c3e0088 && ( *(_t87 + 0x1c) & 0x00000001) != 0) {
                                                							_t39 = _t87 + 0x14; // 0x0
                                                							_t40 = _t87 + 0x10; // 0x1
                                                							E6C3D99F8( *_t40,  *_t39, 0xe, 0x6c3d5b28, _v1052);
                                                						}
                                                						goto L14;
                                                					} else {
                                                						_t96 =  &_v1048;
                                                						goto L5;
                                                					}
                                                				}
                                                			}

                                                0x6c3c5793
                                                0x6c3c57bc
                                                0x6c3c57c1
                                                0x00000000
                                                0x00000000
                                                0x6c3c57c7
                                                0x6c3c57ca
                                                0x6c3c57d7
                                                0x6c3c57df
                                                0x6c3d2db9
                                                0x00000000
                                                0x6c3c57e5
                                                0x6c3c57e5
                                                0x6c3c57ed
                                                0x6c3d2dc4
                                                0x6c3c57f3
                                                0x6c3c57f6
                                                0x6c3c57f9
                                                0x6c3c57ff
                                                0x6c3c57ff
                                                0x6c3c57f6
                                                0x6c3c5802
                                                0x6c3c5809
                                                0x6c3c5810
                                                0x6c3d2dce
                                                0x6c3d2dd5
                                                0x6c3d2dd5
                                                0x6c3d2dce
                                                0x6c3c5816
                                                0x6c3c5816
                                                0x6c3c581c
                                                0x6c3c582a
                                                0x6c3c582a
                                                0x6c3d2d7a
                                                0x6c3d2d7a
                                                0x6c3d2d82
                                                0x6c3d2d88
                                                0x6c3d2d98
                                                0x00000000
                                                0x00000000
                                                0x6c3d2d9e
                                                0x00000000
                                                0x6c3d2d9e
                                                0x6c3c572e
                                                0x6c3c5735
                                                0x6c3c573b
                                                0x6c3d2d0c
                                                0x6c3d2d16
                                                0x6c3d2d33
                                                0x6c3d2d36
                                                0x6c3d2d39
                                                0x6c3d2d39
                                                0x00000000
                                                0x6c3c5741
                                                0x6c3c5741
                                                0x00000000
                                                0x6c3c5741
                                                0x6c3c573b

                                                APIs
                                                • GetTempFileNameW.KERNEL32(00000000,WER,00000000,?,00000000,00000000,?), ref: 6C3C5756
                                                • DeleteFileW.KERNEL32(?), ref: 6C3C5774
                                                • CreateFileW.KERNEL32(?,C0000000,?,00000104,00000002,?,00000000), ref: 6C3C57B6
                                                • GetLongPathNameW.KERNEL32(?,?,00000000), ref: 6C3C57D7
                                                • CloseHandle.KERNEL32(00000000), ref: 6C3C57F9
                                                  • Part of subcall function 6C3C583D: GetTempPathW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C3C5875
                                                  • Part of subcall function 6C3C583D: GetLongPathNameW.KERNEL32(00000000,?,00000104), ref: 6C3C58A7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: FileNamePath$LongTemp$CloseCreateDeleteHandle
                                                • String ID: 2$Fm*$WER
                                                • API String ID: 1638618745-1532480788
                                                • Opcode ID: 9491fea22761d4037dd43c65c64925878b18dc8091c726f55e10c282fbc1c5aa
                                                • Instruction ID: b70957fd1553e9b469e1306f54954d374a237e8a8034b4b99caba1cab75a8394
                                                • Opcode Fuzzy Hash: 9491fea22761d4037dd43c65c64925878b18dc8091c726f55e10c282fbc1c5aa
                                                • Instruction Fuzzy Hash: 7951A0B2B013189BDB508F24CD84BCD77B8AB09318F1142A5F628E7590D735EED4AF66
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 19%
                                                			E6C3D6327(void* __edx, intOrPtr _a4) {
                                                				signed int _v8;
                                                				void _v86;
                                                				char _v88;
                                                				long _v92;
                                                				int _v96;
                                                				int _v100;
                                                				int _v104;
                                                				char _v108;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t44;
                                                				void** _t51;
                                                				long _t54;
                                                				intOrPtr _t55;
                                                				intOrPtr _t61;
                                                				intOrPtr _t63;
                                                				void* _t69;
                                                				void* _t70;
                                                				void* _t73;
                                                				void* _t76;
                                                				intOrPtr _t78;
                                                				void* _t79;
                                                				signed int _t80;
                                                
                                                				_t73 = __edx;
                                                				_t44 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t44 ^ _t80;
                                                				_t78 = _a4;
                                                				_v88 = 0;
                                                				memset( &_v86, 0, 0x4c);
                                                				_v108 = 0;
                                                				asm("stosd");
                                                				_v92 = 0x54f;
                                                				_v96 = 0;
                                                				asm("stosd");
                                                				if(_t78 != 0) {
                                                					_push(0x27);
                                                					_push( &_v88);
                                                					_push(_t78);
                                                					_v108 = 0xc;
                                                					_v100 = 0;
                                                					_v104 = 0;
                                                					if( *0x6c3e0004() != 0) {
                                                						_push(0);
                                                						_t51 =  &_v104;
                                                						_push(_t51);
                                                						_push(1);
                                                						_push(L"D:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GR;;;WD)");
                                                						L6C3CB783();
                                                						_v96 = _t51;
                                                						if(_t51 != 0) {
                                                							_t54 = E6C3D7DFE(_t70, 0x80000002, L"Software\\Microsoft\\SQMClient",  &_v108, L"MachineId",  &_v88);
                                                							_v92 = _t54;
                                                							if(_t54 != 0) {
                                                								_t55 =  *0x6c3e0088; // 0x6c3e0088
                                                								if(_t55 != 0x6c3e0088 && ( *(_t55 + 0x1c) & 1) != 0) {
                                                									_push(_v92);
                                                									_push(0x6c3d5a6c);
                                                									_push(0x6f);
                                                									goto L18;
                                                								}
                                                							} else {
                                                								_v96 = 1;
                                                							}
                                                						} else {
                                                							_v92 = GetLastError();
                                                							_t55 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t55 != 0x6c3e0088 && ( *(_t55 + 0x1c) & 1) != 0) {
                                                								_push(_v92);
                                                								_push(0x6c3d5a6c);
                                                								_push(0x6e);
                                                								goto L18;
                                                							}
                                                						}
                                                					} else {
                                                						_t61 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t61 != 0x6c3e0088 && ( *(_t61 + 0x1c) & 0x00000001) != 0) {
                                                							_push(GetLastError());
                                                							_t55 =  *0x6c3e0088; // 0x6c3e0088
                                                							_push(0x6c3d5a6c);
                                                							_push(0x6d);
                                                							L18:
                                                							_t37 = _t55 + 0x14; // 0x0
                                                							_push( *_t37);
                                                							_t38 = _t55 + 0x10; // 0x1
                                                							_push( *_t38);
                                                							E6C3D99F8();
                                                						}
                                                					}
                                                				} else {
                                                					_t63 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t63 != 0x6c3e0088 && ( *(_t63 + 0x1c) & 0x00000001) != 0) {
                                                						_t12 = _t63 + 0x14; // 0x0
                                                						_t13 = _t63 + 0x10; // 0x1
                                                						E6C3D5F11( *_t13,  *_t12, 0x6c, 0x6c3d5a6c);
                                                					}
                                                					_v92 = 0x57;
                                                				}
                                                				_pop(_t76);
                                                				_pop(_t79);
                                                				_pop(_t69);
                                                				if(_v104 != 0) {
                                                					LocalFree(_v104);
                                                				}
                                                				SetLastError(_v92);
                                                				return E6C3C171F(_v96, _t69, _v8 ^ _t80, _t73, _t76, _t79);
                                                			}

                                                APIs
                                                • memset.MSVCRT ref: 6C3D634C
                                                • GetLastError.KERNEL32 ref: 6C3D63D4
                                                • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GR;;;WD),00000001,?,00000000), ref: 6C3D63FA
                                                • GetLastError.KERNEL32(D:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GR;;;WD),00000001,?,00000000), ref: 6C3D6406
                                                  • Part of subcall function 6C3D5F11: EtwTraceMessage.NTDLL ref: 6C3D5F26
                                                  • Part of subcall function 6C3D7DFE: RegCloseKey.ADVAPI32(00000001,?,?,?,6C3D6448,80000002,Software\Microsoft\SQMClient,0000000C,MachineId,?,D:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GR;;;WD),00000001,?,00000000), ref: 6C3D7F28
                                                • LocalFree.KERNEL32(00000000,MachineId,?,D:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GR;;;WD),00000001,?,00000000), ref: 6C3D6486
                                                • SetLastError.KERNEL32(0000054F,MachineId,?,D:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GR;;;WD),00000001,?,00000000), ref: 6C3D648F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$DescriptorSecurity$CloseConvertFreeLocalMessageStringTracememset
                                                • String ID: D:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GR;;;WD)$Fm*$MachineId$Software\Microsoft\SQMClient$W
                                                • API String ID: 2649899325-1225922448
                                                • Opcode ID: d7be699fdf76bd2dfc38f46a8eba27721ef582488e3939ff7087b472b38956bb
                                                • Instruction ID: 82d277c5cdbab1ae1cc8636e0a5624334b587f443652f2453b35f33f02cff860
                                                • Opcode Fuzzy Hash: d7be699fdf76bd2dfc38f46a8eba27721ef582488e3939ff7087b472b38956bb
                                                • Instruction Fuzzy Hash: 66417F72A01288AFDB40DFD4C884BDD7BB8AB08309F12042AE515EB951D736ED48DF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 97%
                                                			E6C3CBB55(intOrPtr* __ecx, void* __edi, intOrPtr _a4, signed char _a8) {
                                                				int _v8;
                                                				void* _v12;
                                                				int _v16;
                                                				void* __ebx;
                                                				void* __esi;
                                                				intOrPtr _t38;
                                                				void* _t47;
                                                				void* _t52;
                                                				signed int _t55;
                                                				intOrPtr _t56;
                                                				void* _t63;
                                                				intOrPtr* _t65;
                                                
                                                				_t65 = __ecx;
                                                				_v8 = 0;
                                                				_v12 = 0;
                                                				_v16 = 0;
                                                				if( *__ecx == 0) {
                                                					_t38 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t38 != 0x6c3e0088 && ( *(_t38 + 0x1c) & 0x00000001) != 0) {
                                                						_t21 = _t38 + 0x14; // 0x0
                                                						_t22 = _t38 + 0x10; // 0x1
                                                						E6C3D5F11( *_t22,  *_t21, 0x1a, 0x6c3c7af4);
                                                					}
                                                					return 0;
                                                				}
                                                				_push(__edi);
                                                				_t4 = _t65 + 0x30; // 0x30
                                                				EnterCriticalSection(_t4);
                                                				if( *(_t65 + 0x50) == 0 ||  *((intOrPtr*)(_t65 + 4)) == 0) {
                                                					_v8 = 0;
                                                				} else {
                                                					_t52 = GetCurrentProcess();
                                                					if(DuplicateHandle(GetCurrentProcess(),  *(_t65 + 0x50), _t52,  &_v12, 0x100000, 0, 0) == 0) {
                                                						_t55 = GetLastError();
                                                						if(_t55 > 0) {
                                                							_t55 = _t55 & 0x0000ffff | 0x80070000;
                                                						}
                                                						_v8 = _t55;
                                                						_t56 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t56 != 0x6c3e0088 && ( *(_t56 + 0x1c) & 0x00000001) != 0) {
                                                							_t28 = _t56 + 0x14; // 0x0
                                                							_t29 = _t56 + 0x10; // 0x1
                                                							E6C3D99F8( *_t29,  *_t28, 0x1b, 0x6c3c7af4, _v8);
                                                						}
                                                					} else {
                                                						_v16 = 1;
                                                					}
                                                				}
                                                				_t10 = _t65 + 0x30; // 0x30
                                                				LeaveCriticalSection(_t10);
                                                				if(_v16 != 0) {
                                                					_t63 = SetEvent;
                                                					if((_a8 & 0x00000002) == 0) {
                                                						SetEvent( *(_t65 + 0x4c));
                                                					}
                                                					_t47 = E6C3C87B7(0, _t63, _t65, L"Upload Completion", 1,  &_v12, 0, _a4);
                                                					if(_t47 != 0x102) {
                                                						_v8 = 0;
                                                					} else {
                                                						SetEvent( *(_t65 + 0x48));
                                                						E6C3C87B7(0, _t63, _t65, L"Upload Thread Exit", 1,  &_v12, 0, 0xffffffff);
                                                						_v8 = 0x90080109;
                                                					}
                                                				}
                                                				if(_v12 != 0) {
                                                					CloseHandle(_v12);
                                                				}
                                                				return _v8;
                                                			}

                                                APIs
                                                • EnterCriticalSection.KERNEL32(00000030,?,00000000), ref: 6C3CBB79
                                                • GetCurrentProcess.KERNEL32(?,00100000,00000000,00000000,?,00000000), ref: 6C3CBB9A
                                                • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 6C3CBBA0
                                                • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 6C3CBBA3
                                                • LeaveCriticalSection.KERNEL32(00000030,?,00000000), ref: 6C3CBBBC
                                                • GetLastError.KERNEL32(?,00000000), ref: 6C3D00A1
                                                • SetEvent.KERNEL32(?,Upload Completion,00000001,?,00000000,?,?,00000000), ref: 6C3D0100
                                                • CloseHandle.KERNEL32(?,00000000), ref: 6C3D012A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CriticalCurrentHandleProcessSection$CloseDuplicateEnterErrorEventLastLeave
                                                • String ID: Upload Completion$Upload Thread Exit
                                                • API String ID: 3688531783-3056875662
                                                • Opcode ID: 4ecd8371951960dbf261f78f358004e4f519d432554a07d108322e66a6dd37d9
                                                • Instruction ID: 96a92eba1a18f80b2420378d68200cd09c1421c86e80ec1ee7873704383fdb77
                                                • Opcode Fuzzy Hash: 4ecd8371951960dbf261f78f358004e4f519d432554a07d108322e66a6dd37d9
                                                • Instruction Fuzzy Hash: 6141BF76A00288FFDF10DFA4CC84EDEBBB9BB01308F214469E551A6950C776EA84DF52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C7ABE94: _free.LIBCMT ref: 6C7ABEBC
                                                  • Part of subcall function 6C7ABE94: _free.LIBCMT ref: 6C7ABECD
                                                • GetCommandLineW.KERNEL32(342C82DB,?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,?,?,00000000,?,?), ref: 6C7A6E16
                                                  • Part of subcall function 6C773E77: __EH_prolog3.LIBCMT ref: 6C773E7E
                                                  • Part of subcall function 6C7A8FC3: _calloc.LIBCMT ref: 6C7A8FE1
                                                  • Part of subcall function 6C7AEBE9: __recalloc.LIBCMT ref: 6C7AEBFA
                                                Strings
                                                • " switch has been disallowed for this package., xrefs: 6C7A7004
                                                • Command-line option error: unrecognized switch(es) ", xrefs: 6C7A716B
                                                • quiet, xrefs: 6C7A6F35
                                                • Command-line option error: the ", xrefs: 6C7A6FF1
                                                • The ", xrefs: 6C7A7051, 6C7A7277
                                                • Setup, xrefs: 6C7A6E7D
                                                • " switch is disallowed for this package., xrefs: 6C7A7064
                                                • Unrecognized switch(es) ", xrefs: 6C7A71CF
                                                • " switch cannot be disabled, but is specified in the DisabledCommandLineSwitches., xrefs: 6C7A728A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: _free$CommandH_prolog3Line__recalloc_calloc
                                                • String ID: " switch cannot be disabled, but is specified in the DisabledCommandLineSwitches.$" switch has been disallowed for this package.$" switch is disallowed for this package.$Command-line option error: the "$Command-line option error: unrecognized switch(es) "$Setup$The "$Unrecognized switch(es) "$quiet
                                                • API String ID: 1533339410-3701387627
                                                • Opcode ID: 4a8c2aa6aed46a3a9bf03d2466578bbb23aad931868d52be6b84efd952a7fc14
                                                • Instruction ID: 1640e0ad4e097e975a9caaf6f7156cc528d224d7c5d54290914d0c0482d6a97a
                                                • Opcode Fuzzy Hash: 4a8c2aa6aed46a3a9bf03d2466578bbb23aad931868d52be6b84efd952a7fc14
                                                • Instruction Fuzzy Hash: 3AE14D321083859FC710DFA8C948B8EBBE4BF85318F144A59F5A4D7791DB70E9498BA3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 49%
                                                			E6C3C4611(int* __ecx, signed int __edx, intOrPtr _a4) {
                                                				char _v8;
                                                				char _v16;
                                                				signed int _v20;
                                                				void _v4418;
                                                				char _v4420;
                                                				struct _SECURITY_ATTRIBUTES* _v4424;
                                                				int* _v4428;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t83;
                                                				signed int _t84;
                                                				intOrPtr _t91;
                                                				signed int _t92;
                                                				intOrPtr _t96;
                                                				void* _t98;
                                                				intOrPtr _t99;
                                                				void* _t101;
                                                				intOrPtr _t102;
                                                				intOrPtr _t106;
                                                				signed int _t107;
                                                				intOrPtr* _t111;
                                                				signed int _t117;
                                                				signed int _t118;
                                                				intOrPtr _t120;
                                                				void* _t123;
                                                				signed int _t125;
                                                				signed int _t134;
                                                				intOrPtr _t141;
                                                				void* _t143;
                                                				signed int _t144;
                                                				void* _t147;
                                                				int* _t149;
                                                				void* _t150;
                                                				signed int _t151;
                                                
                                                				_t142 = __edx;
                                                				_push(0xffffffff);
                                                				_push(E6C3DDCBB);
                                                				_push( *[fs:0x0]);
                                                				E6C3C45B4(0x113c);
                                                				_t83 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_t84 = _t83 ^ _t151;
                                                				_v20 = _t84;
                                                				_push(_t84);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t149 = __ecx;
                                                				 *((intOrPtr*)(__ecx + 4)) = 0;
                                                				 *((intOrPtr*)(__ecx + 8)) = 0;
                                                				 *((intOrPtr*)(__ecx + 0xc)) = 0;
                                                				 *((intOrPtr*)(__ecx + 0x10)) = 0;
                                                				_v4428 = __ecx;
                                                				 *((intOrPtr*)(__ecx + 0x14)) = 0;
                                                				 *((intOrPtr*)(__ecx + 0x18)) = 0;
                                                				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
                                                				_v8 = 0;
                                                				 *((intOrPtr*)(__ecx + 0x20)) = 0;
                                                				 *((intOrPtr*)(__ecx + 0x24)) = 0x1f;
                                                				 *((intOrPtr*)(__ecx + 0x28)) = 0;
                                                				 *((intOrPtr*)(__ecx + 0x68)) = _a4;
                                                				_v8 = 1;
                                                				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
                                                				 *((intOrPtr*)(__ecx + 0x50)) = 0;
                                                				 *((intOrPtr*)(__ecx + 0x64)) = 0;
                                                				_v4424 = 0;
                                                				_v4420 = 0;
                                                				memset( &_v4418, 0, 0x112e);
                                                				 *_t149 = 0;
                                                				if(InitializeCriticalSectionAndSpinCount( &(_t149[0xc]), 0xfa0) == 0) {
                                                					_t91 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t91 - 0x6c3e0088;
                                                					if(_t91 == 0x6c3e0088) {
                                                						L7:
                                                						if( *_t149 == 0) {
                                                							_t92 = _t149[0x19];
                                                							__eflags = _t92;
                                                							if(_t92 != 0) {
                                                								_push(_t92);
                                                								E6C3C4994();
                                                								_t149[0x19] = 0;
                                                							}
                                                						}
                                                						 *[fs:0x0] = _v16;
                                                						_pop(_t147);
                                                						_pop(_t150);
                                                						_pop(_t123);
                                                						return E6C3C171F(_t149, _t123, _v20 ^ _t151, _t142, _t147, _t150);
                                                					}
                                                					__eflags =  *(_t91 + 0x1c) & 0x00000001;
                                                					if(( *(_t91 + 0x1c) & 0x00000001) == 0) {
                                                						goto L7;
                                                					}
                                                					_push(GetLastError());
                                                					_push(0x6c3c7af4);
                                                					_push(0xd);
                                                					L12:
                                                					_t96 =  *0x6c3e0088; // 0x6c3e0088
                                                					_t36 = _t96 + 0x14; // 0x0
                                                					_push( *_t36);
                                                					_t37 = _t96 + 0x10; // 0x1
                                                					_push( *_t37);
                                                					E6C3D99F8();
                                                					goto L7;
                                                				}
                                                				_t98 = CreateEventW(0, 1, 0, 0);
                                                				_t149[0x12] = _t98;
                                                				if(_t98 == 0) {
                                                					_t99 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t99 - 0x6c3e0088;
                                                					if(_t99 == 0x6c3e0088) {
                                                						goto L7;
                                                					}
                                                					__eflags =  *(_t99 + 0x1c) & 0x00000001;
                                                					if(( *(_t99 + 0x1c) & 0x00000001) == 0) {
                                                						goto L7;
                                                					}
                                                					_push(GetLastError());
                                                					_push(0x6c3c7af4);
                                                					_push(0xe);
                                                					goto L12;
                                                				}
                                                				_t101 = CreateEventW(0, 1, 0, 0);
                                                				_t149[0x13] = _t101;
                                                				if(_t101 == 0) {
                                                					_t102 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t102 - 0x6c3e0088;
                                                					if(_t102 == 0x6c3e0088) {
                                                						goto L7;
                                                					}
                                                					__eflags =  *(_t102 + 0x1c) & 0x00000001;
                                                					if(( *(_t102 + 0x1c) & 0x00000001) == 0) {
                                                						goto L7;
                                                					}
                                                					_push(GetLastError());
                                                					_push(0x6c3c7af4);
                                                					_push(0xf);
                                                					goto L12;
                                                				}
                                                				if(E6C3C3E29(_t149, 0x80000002, L"Software\\Microsoft\\SQMClient", L"SamplingInterval",  &_v4424) == 0) {
                                                					_t106 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t106 - 0x6c3e0088;
                                                					if(_t106 != 0x6c3e0088) {
                                                						__eflags =  *(_t106 + 0x1c) & 0x00000004;
                                                						if(( *(_t106 + 0x1c) & 0x00000004) != 0) {
                                                							_t48 = _t106 + 0x14; // 0x0
                                                							_t49 = _t106 + 0x10; // 0x1
                                                							E6C3D99F8( *_t49,  *_t48, 0x10, 0x6c3c7af4, _v4424);
                                                						}
                                                					}
                                                					_t107 = _v4424;
                                                					_t142 = _t107 * 0x989680 >> 0x20;
                                                					_t149[0x16] = _t107 * 0x989680;
                                                					_t149[0x17] = _t107 * 0x989680 >> 0x20;
                                                				} else {
                                                					_t149[0x16] = 0x51c88000;
                                                					_t149[0x17] = 0xb00;
                                                				}
                                                				if(E6C3C478B(_t149,  &_v4420, 0x898) != 0) {
                                                					_t111 =  &_v4420;
                                                					_t143 = _t111 + 2;
                                                					do {
                                                						_t134 =  *_t111;
                                                						_t111 = _t111 + 2;
                                                						__eflags = _t134;
                                                					} while (_t134 != 0);
                                                					_t125 = (_t111 - _t143 >> 1) + 1;
                                                					_t144 = 2;
                                                					_t142 = _t125 * _t144 >> 0x20;
                                                					_t117 = E6C3C1967(_t149,  ~(0 | __eflags > 0x00000000) | _t125 * _t144);
                                                					__eflags = _t117;
                                                					_t149[0x19] = _t117;
                                                					if(_t117 != 0) {
                                                						_t118 = E6C3C173D(_t117, _t125,  &_v4420);
                                                						__eflags = _t118;
                                                						if(_t118 >= 0) {
                                                							goto L6;
                                                						}
                                                						_t141 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t141 - 0x6c3e0088;
                                                						if(_t141 == 0x6c3e0088) {
                                                							goto L7;
                                                						}
                                                						__eflags =  *(_t141 + 0x1c) & 0x00000001;
                                                						if(( *(_t141 + 0x1c) & 0x00000001) == 0) {
                                                							goto L7;
                                                						}
                                                						_push(_t118);
                                                						_push(0x6c3c7af4);
                                                						_push(0x12);
                                                						_t76 = _t141 + 0x14; // 0x0
                                                						_push( *_t76);
                                                						_t77 = _t141 + 0x10; // 0x1
                                                						_push( *_t77);
                                                						L29:
                                                						E6C3D99F8();
                                                						goto L7;
                                                					}
                                                					_t120 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t120 - 0x6c3e0088;
                                                					if(_t120 == 0x6c3e0088) {
                                                						goto L7;
                                                					}
                                                					__eflags =  *(_t120 + 0x1c) & 0x00000001;
                                                					if(( *(_t120 + 0x1c) & 0x00000001) == 0) {
                                                						goto L7;
                                                					}
                                                					_push(_t125);
                                                					_push(0x6c3c7af4);
                                                					_push(0x11);
                                                					_t70 = _t120 + 0x14; // 0x0
                                                					_push( *_t70);
                                                					_t71 = _t120 + 0x10; // 0x1
                                                					_push( *_t71);
                                                					goto L29;
                                                				} else {
                                                					L6:
                                                					 *_t149 = 1;
                                                					goto L7;
                                                				}
                                                			}

                                                0x6c3d0b6f
                                                0x6c3d0b6f
                                                0x00000000
                                                0x6c3d0b6f
                                                0x6c3d0b47
                                                0x6c3d0b4c
                                                0x6c3d0b51
                                                0x00000000
                                                0x00000000
                                                0x6c3d0b57
                                                0x6c3d0b5b
                                                0x00000000
                                                0x00000000
                                                0x6c3d0b61
                                                0x6c3d0b62
                                                0x6c3d0b67
                                                0x6c3d0b69
                                                0x6c3d0b69
                                                0x6c3d0b6c
                                                0x6c3d0b6c
                                                0x00000000
                                                0x6c3c4738
                                                0x6c3c4738
                                                0x6c3c4738
                                                0x00000000
                                                0x6c3c4738

                                                APIs
                                                • memset.MSVCRT ref: 6C3C46A1
                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 6C3C46B4
                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 6C3C46CD
                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 6C3C46DF
                                                  • Part of subcall function 6C3C3E29: RegOpenKeyExW.ADVAPI32(?,?,00000000,-00020018,00000000,80000002,CEIPEnable,00000002), ref: 6C3C3E94
                                                  • Part of subcall function 6C3C3E29: RegQueryValueExW.ADVAPI32(00000000,00000002,00000000,?,?,00000004), ref: 6C3C3EB0
                                                  • Part of subcall function 6C3C3E29: RegCloseKey.ADVAPI32(00000000), ref: 6C3C3ECE
                                                • GetLastError.KERNEL32 ref: 6C3D0A56
                                                • GetLastError.KERNEL32 ref: 6C3D0A93
                                                • GetLastError.KERNEL32 ref: 6C3D0ABD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$CreateEvent$CloseCountCriticalInitializeOpenQuerySectionSpinValuememset
                                                • String ID: Fm*$SamplingInterval$Software\Microsoft\SQMClient
                                                • API String ID: 171072326-2739559386
                                                • Opcode ID: c00c12c88604b9a317c6009910b998e695e1475792fc4eded15971194d569c07
                                                • Instruction ID: 1674062146f756c30f3a302bd581027db98018f13a36ddf79e0fe9a8a98ea789
                                                • Opcode Fuzzy Hash: c00c12c88604b9a317c6009910b998e695e1475792fc4eded15971194d569c07
                                                • Instruction Fuzzy Hash: 02817071600784AFD764CF15C884BEABBF8AF45B08F10045EE6A5D6A90D7B5ED44CF12
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C79C99F
                                                • #171.MSI(00000000,?,?,?,?,00000018,6C79BFBC,?), ref: 6C79C9DC
                                                • #171.MSI(00000000,?,00000000,00000000,00000000,?,00000018,6C79BFBC,?), ref: 6C79CA14
                                                • #115.MSI(?,?,00000018,6C79BFBC,?), ref: 6C79CA3E
                                                • #116.MSI(?,00000001,?,00000018,6C79BFBC,?), ref: 6C79CA5E
                                                • #116.MSI(?,00000002,?,00000018,6C79BFBC,?), ref: 6C79CA71
                                                Strings
                                                • IronMan::MsiExternalUiHandler::InstallMessageCommonDataHandler, xrefs: 6C79CAAA
                                                • Cannot display error: Failed to get message in MSI Record, xrefs: 6C79CA2C
                                                • INSTALLMESSAGE_COMMONDATA, xrefs: 6C79CA9C
                                                • Cannot display error: No message in MSI Record, xrefs: 6C79C9E5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: #116#171$#115H_prolog3
                                                • String ID: Cannot display error: Failed to get message in MSI Record$Cannot display error: No message in MSI Record$INSTALLMESSAGE_COMMONDATA$IronMan::MsiExternalUiHandler::InstallMessageCommonDataHandler
                                                • API String ID: 3491990910-3775927459
                                                • Opcode ID: 40522a09c3235571c05fb8a5096f0d997f159b9b1607362f9cc1e4bfde645a34
                                                • Instruction ID: 912845c53364603c72c59acbecc1580370e55fe4369d00a95891bb6f6d3da8f4
                                                • Opcode Fuzzy Hash: 40522a09c3235571c05fb8a5096f0d997f159b9b1607362f9cc1e4bfde645a34
                                                • Instruction Fuzzy Hash: 8241A031600109AFDF00EFA4CE89BDEB7B5BF04358F248566E524AB681DB74DA448B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C79CC37
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C79B9EE: __EH_prolog3.LIBCMT ref: 6C79B9F5
                                                • GetTickCount.KERNEL32 ref: 6C79CE49
                                                  • Part of subcall function 6C7739AD: __EH_prolog3.LIBCMT ref: 6C7739B4
                                                Strings
                                                • INSTALLMESSAGE_PROGRESS [%s] (Action Info), xrefs: 6C79CD96
                                                • INSTALLMESSAGE_PROGRESS [%s] (Master Reset: tickCount=%d range=%d), xrefs: 6C79CE56
                                                • INSTALLMESSAGE_PROGRESS - Action Data message received, but step size is zero, xrefs: 6C79CCF0
                                                • INSTALLMESSAGE_PROGRESS [%s] (Action Data: iProgress=%d iStep=%d), xrefs: 6C79CD0E
                                                • INSTALLMESSAGE_PROGRESS [%s] (Progress Addition), xrefs: 6C79CCB2
                                                • INSTALLMESSAGE_PROGRESS [%s] (Progress Report: iProgress=%d), xrefs: 6C79CD3B
                                                • INSTALLMESSAGE_PROGRESS [%s] (Progress Report: iProgress=%d) Negative progress ignored!!, xrefs: 6C79CD48
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$CountTick
                                                • String ID: INSTALLMESSAGE_PROGRESS - Action Data message received, but step size is zero$INSTALLMESSAGE_PROGRESS [%s] (Action Data: iProgress=%d iStep=%d)$INSTALLMESSAGE_PROGRESS [%s] (Action Info)$INSTALLMESSAGE_PROGRESS [%s] (Master Reset: tickCount=%d range=%d)$INSTALLMESSAGE_PROGRESS [%s] (Progress Addition)$INSTALLMESSAGE_PROGRESS [%s] (Progress Report: iProgress=%d)$INSTALLMESSAGE_PROGRESS [%s] (Progress Report: iProgress=%d) Negative progress ignored!!
                                                • API String ID: 194692712-1811215275
                                                • Opcode ID: 1eef39ec5a5b2fc3a612df359af19300de99026efb1d9cd77c2c1d735781e103
                                                • Instruction ID: aacff8a0a1e574210044bf87b18b63cedabd5749e340f9cca77c32ad2da89033
                                                • Opcode Fuzzy Hash: 1eef39ec5a5b2fc3a612df359af19300de99026efb1d9cd77c2c1d735781e103
                                                • Instruction Fuzzy Hash: 0A71E372600A59AFEF109BA4DA4ABEDBB68BF05319F104125E611DBE90C730E954CBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7C4D46
                                                  • Part of subcall function 6C7C8859: SysStringByteLen.OLEAUT32(00000000), ref: 6C7C8860
                                                  • Part of subcall function 6C7C8859: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 6C7C8869
                                                • CoInitialize.OLE32(00000000), ref: 6C7C4D5F
                                                • CoCreateInstance.OLE32(6C76A974,00000000,00000017,6C76A9A4,?,?,?,00000000), ref: 6C7C4D7D
                                                • SysAllocString.OLEAUT32(.//MsiXmlBlob), ref: 6C7C4DE2
                                                • SysFreeString.OLEAUT32(00000000), ref: 6C7C4E1A
                                                • SysFreeString.OLEAUT32(?), ref: 6C7C4E7E
                                                  • Part of subcall function 6C7C8E8C: __CxxThrowException@8.LIBCMT ref: 6C7C8EA0
                                                • CoUninitialize.OLE32(?,?,00000000), ref: 6C7C4ECA
                                                • SysFreeString.OLEAUT32(6C76970C), ref: 6C7C4ED3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: String$Free$AllocByte$CreateException@8H_prolog3InitializeInstanceThrowUninitialize
                                                • String ID: .//MsiXmlBlob
                                                • API String ID: 4093593479-2641887801
                                                • Opcode ID: f738792e3b2b1c150ba4b18b0c1de81c018770e8e851fe8121afcbf1cdd67b47
                                                • Instruction ID: a5b7281bd73a37887390a073f4b0031c10cce59e5c35a4b0cf3e4fafbb81dbbb
                                                • Opcode Fuzzy Hash: f738792e3b2b1c150ba4b18b0c1de81c018770e8e851fe8121afcbf1cdd67b47
                                                • Instruction Fuzzy Hash: FD516F70E0125ADFCB01CBE4CA8CAEEBBB9BF49708F258458E105EB641C7759A05DB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNEL32(msi.dll,MsiSetExternalUIRecord,342C82DB,?,?,?,?,ParameterInfo.xml,?,?,00000738,6C7AFA6E,?,6C76A794,-00000960), ref: 6C7BCF07
                                                • GetProcAddress.KERNEL32(00000000), ref: 6C7BCF0E
                                                Strings
                                                • MSI31, xrefs: 6C7BCF9E
                                                • CreateMsi31RequiredDialog, xrefs: 6C7BCF59
                                                • IUiFactory::CreateMsi31RequiredDialog() failed with error hr = %d, xrefs: 6C7BCF73
                                                • Windows Installer version is less than 3.1, xrefs: 6C7BCF28
                                                • msi.dll, xrefs: 6C7BCF02
                                                • MsiSetExternalUIRecord, xrefs: 6C7BCEFD
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: CreateMsi31RequiredDialog$IUiFactory::CreateMsi31RequiredDialog() failed with error hr = %d$MSI31$MsiSetExternalUIRecord$Windows Installer version is less than 3.1$msi.dll
                                                • API String ID: 1646373207-1012198820
                                                • Opcode ID: fefb54af6d48030e2fe3eb3153ddbd4ff900fd7aaa6c020f7b1299491cd7994b
                                                • Instruction ID: c906e1c1cfabde7e8b0a15159d44807a9a753ee9739e9b1d27a2e191b0627d02
                                                • Opcode Fuzzy Hash: fefb54af6d48030e2fe3eb3153ddbd4ff900fd7aaa6c020f7b1299491cd7994b
                                                • Instruction Fuzzy Hash: F7416DB5208341AFC704DF65C988E5ABBE8FB89354F004A2DF955D3B51DB34DA09CAA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C79C877
                                                • #171.MSI(00000000,?,?,?,?,00000018,6C79BFBC,?), ref: 6C79C8BF
                                                • #171.MSI(00000000,?,00000000,00000000,00000000,?,00000018,6C79BFBC,?), ref: 6C79C8F0
                                                • #115.MSI(?,?,00000018,6C79BFBC,?), ref: 6C79C919
                                                • #116.MSI(?,00000001,?,00000018,6C79BFBC,?), ref: 6C79C926
                                                Strings
                                                • INSTALLMESSAGE_ERROR, xrefs: 6C79C932
                                                • IronMan::MsiExternalUiHandler::InstallMessageErrorHandler, xrefs: 6C79C940
                                                • Cannot display error: Failed to get message in MSI Record, xrefs: 6C79C909
                                                • Cannot display error: No message in MSI Record, xrefs: 6C79C8C8
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: #171$#115#116H_prolog3
                                                • String ID: Cannot display error: Failed to get message in MSI Record$Cannot display error: No message in MSI Record$INSTALLMESSAGE_ERROR$IronMan::MsiExternalUiHandler::InstallMessageErrorHandler
                                                • API String ID: 2137429955-3242538907
                                                • Opcode ID: 19bde60e352c81d9232fe4b903f031a59e9089461a6cd9fe1afc763291ec44cf
                                                • Instruction ID: d4b162f621889ec12eb3c7ffe5de1727409af26c03c3f8b244564e0eac7b87e5
                                                • Opcode Fuzzy Hash: 19bde60e352c81d9232fe4b903f031a59e9089461a6cd9fe1afc763291ec44cf
                                                • Instruction Fuzzy Hash: 5C318231A0010AAFDB00DFA4CA49FEE77B9BF05314F508526F525EB781CB74EA0987A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C798DC6
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • PathIsRelativeW.SHLWAPI(?,?,?,00000024,6C7C2414), ref: 6C798DE4
                                                • PathFileExistsW.SHLWAPI(?), ref: 6C798E1F
                                                  • Part of subcall function 6C775D3F: __EH_prolog3.LIBCMT ref: 6C775D46
                                                  • Part of subcall function 6C775D3F: GetModuleFileNameW.KERNEL32(6C750000,00000010,00000104,?,6C7A831D,00000000), ref: 6C775D93
                                                  • Part of subcall function 6C7A8E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6C7B99FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6C7A8E6E
                                                  • Part of subcall function 6C798EB8: CreateWindowExW.USER32(00000000,STATIC,00000000,0000000E,80000000,80000000,00000000,00000000,00000000,00000000,00000000), ref: 6C798F00
                                                  • Part of subcall function 6C798EB8: GetWindowLongW.USER32(?,000000F0), ref: 6C798F15
                                                  • Part of subcall function 6C798EB8: SetWindowLongW.USER32(?,000000F0,00000000), ref: 6C798F25
                                                  • Part of subcall function 6C798EB8: LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00000010), ref: 6C798F32
                                                  • Part of subcall function 6C798EB8: GetDesktopWindow.USER32 ref: 6C798F44
                                                  • Part of subcall function 6C798EB8: ShowWindow.USER32(?,00000001), ref: 6C798F57
                                                • ShowWindow.USER32(?,00000005), ref: 6C798E4E
                                                • UpdateWindow.USER32(?), ref: 6C798E57
                                                • TranslateMessage.USER32(?), ref: 6C798E78
                                                • DispatchMessageW.USER32(?), ref: 6C798E82
                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6C798E8F
                                                Strings
                                                • Splash screen file '%s' not found, xrefs: 6C798E2F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Window$H_prolog3MessagePath$FileLongShow$AppendCreateDesktopDispatchExistsImageLoadModuleNameRelativeTranslateUpdate
                                                • String ID: Splash screen file '%s' not found
                                                • API String ID: 301856859-2590370906
                                                • Opcode ID: f1d40c9a42e764e014c27c719543260ea67bb39ddf9a43878a7e2de92d422e7a
                                                • Instruction ID: ddebfa8890648340e758eae7f9eba52e4c933687b75d96332f77c27e927e7e4c
                                                • Opcode Fuzzy Hash: f1d40c9a42e764e014c27c719543260ea67bb39ddf9a43878a7e2de92d422e7a
                                                • Instruction Fuzzy Hash: 0F215C32A00219AFDF109FE4CE4CADE7B79BF04359F044526E521AB750DB35DA558B21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • #115.MSI(?,00000000,?,00000000), ref: 6C79D837
                                                • #118.MSI(?,00000000,?,00000000,00000000,?,00000000), ref: 6C79D85F
                                                • #118.MSI(?,00000000,?,00000000,00000000,?,00000000), ref: 6C79D8D1
                                                • #118.MSI(?,00000000,?,00000000,?,00000000), ref: 6C79D8F8
                                                • ResetEvent.KERNEL32(?,00000000,?,00000000), ref: 6C79D920
                                                • WriteFile.KERNEL32(?,?,0000000C,00000000,?,?,00000000), ref: 6C79D933
                                                • GetLastError.KERNEL32(?,00000000), ref: 6C79D943
                                                • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 6C79D95D
                                                • GetLastError.KERNEL32(?,00000000), ref: 6C79D967
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C79D979
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: #118$ErrorLast$#115CloseEventFileHandleOverlappedResetResultWrite
                                                • String ID:
                                                • API String ID: 3234195651-0
                                                • Opcode ID: a56fead3698a4640ef23c04e5c3f5f7c8a29fcca4856cc9ff1f4047daa132780
                                                • Instruction ID: 7a6bfa7136f29b7b10078b26e3326dbb7fceaec2ae7cc0fc8aa0da633ee076ed
                                                • Opcode Fuzzy Hash: a56fead3698a4640ef23c04e5c3f5f7c8a29fcca4856cc9ff1f4047daa132780
                                                • Instruction Fuzzy Hash: 2C519931A00209EFDB11DFA9C984B9EBBB5FF54355F408529E819DB610D730EA80CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 49%
                                                			E6C3C1A6B(intOrPtr _a4, long _a8, intOrPtr _a12) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				void* _t14;
                                                				void* _t15;
                                                				long _t16;
                                                				void* _t18;
                                                				long _t20;
                                                				long _t21;
                                                				void* _t22;
                                                				void* _t28;
                                                				long _t29;
                                                				signed int _t44;
                                                				void* _t45;
                                                				long _t47;
                                                				intOrPtr _t59;
                                                
                                                				if(_a8 == 0) {
                                                					__eflags =  *0x6c3e00b0; // 0x0
                                                					if(__eflags <= 0) {
                                                						return 0;
                                                					}
                                                					 *0x6c3e00b0 =  *0x6c3e00b0 - 1;
                                                				}
                                                				 *0x6c3e00b8 =  *_adjust_fdiv;
                                                				if(1 != 0) {
                                                					__eflags = _a8 - 1;
                                                					if(_a8 != 1) {
                                                						goto L12;
                                                					}
                                                					_push(1);
                                                					while(1) {
                                                						_t15 = InterlockedCompareExchange(0x6c3e0164, 1, ??);
                                                						__eflags = _t15;
                                                						if(_t15 == 0) {
                                                							break;
                                                						}
                                                						Sleep(0x3e8);
                                                						_push(0);
                                                					}
                                                					_t16 =  *0x6c3e00bc; // 0x0
                                                					__eflags = _t16 - 2;
                                                					if(_t16 != 2) {
                                                						_push(0x1f);
                                                						L6C3DA3F9();
                                                						goto L12;
                                                					}
                                                					_t28 =  *0x6c3e00c4; // 0x0
                                                					__eflags = _t28;
                                                					if(_t28 == 0) {
                                                						L26:
                                                						 *0x6c3e00bc = 0;
                                                						InterlockedExchange(0x6c3e0164, 0);
                                                						goto L12;
                                                					}
                                                					_t44 =  *0x6c3e00c0; // 0x0
                                                					_t45 = _t44 + 0xfffffffc;
                                                					__eflags = _t45;
                                                					while(1) {
                                                						__eflags = _t45 - _t28;
                                                						if(_t45 < _t28) {
                                                							break;
                                                						}
                                                						_t18 =  *_t45;
                                                						__eflags = _t18;
                                                						if(_t18 != 0) {
                                                							 *_t18();
                                                						}
                                                						_t45 = _t45 - 4;
                                                					}
                                                					free(_t28);
                                                					 *0x6c3e00c0 =  *0x6c3e00c0 & 0x00000000;
                                                					 *0x6c3e00c4 =  *0x6c3e00c4 & 0x00000000;
                                                					__eflags =  *0x6c3e00c4;
                                                					goto L26;
                                                				} else {
                                                					_t29 =  *( *[fs:0x18] + 4);
                                                					_a8 = 1;
                                                					_push(1);
                                                					while(1) {
                                                						_t20 = InterlockedCompareExchange(0x6c3e0164, _t29, ??);
                                                						if(_t20 == 0) {
                                                							break;
                                                						}
                                                						__eflags = _t20 - _t29;
                                                						if(__eflags == 0) {
                                                							_a8 = 1;
                                                							break;
                                                						}
                                                						Sleep(0x3e8);
                                                						_push(0);
                                                					}
                                                					_t21 =  *0x6c3e00bc; // 0x0
                                                					_t47 = 2;
                                                					if(_t21 != 0) {
                                                						_push(0x1f);
                                                						L6C3DA3F9();
                                                						L8:
                                                						if(_a8 == 0) {
                                                							InterlockedExchange(0x6c3e0164, 0);
                                                						}
                                                						_t59 =  *0x6c3e04e0; // 0x0
                                                						if(_t59 != 0) {
                                                							_push(0x6c3e04e0);
                                                							_t22 = E6C3DA362(0, _t47, 0x6c3e0164, __eflags);
                                                							__eflags = _t22;
                                                							if(_t22 != 0) {
                                                								 *0x6c3e04e0(_a4, _t47, _a12);
                                                							}
                                                						}
                                                						 *0x6c3e00b0 =  *0x6c3e00b0 + 1;
                                                						L12:
                                                						_t14 = 1;
                                                						L13:
                                                						return _t14;
                                                					}
                                                					 *0x6c3e00bc = 1;
                                                					if(E6C3C25D6(0x6c3c1b38, E6C3C1B40) != 0) {
                                                						_t14 = 0;
                                                						goto L13;
                                                					}
                                                					_push(0x6c3c1b34);
                                                					_push(0x6c3c1b30);
                                                					L6C3C2563();
                                                					 *0x6c3e00bc = _t47;
                                                					goto L8;
                                                				}
                                                			}

                                                APIs
                                                • InterlockedCompareExchange.KERNEL32(6C3E0164,?,00000000), ref: 6C3C1AB1
                                                • _initterm.MSVCRT ref: 6C3C1AF8
                                                • InterlockedExchange.KERNEL32(6C3E0164,00000000), ref: 6C3C1B0E
                                                • InterlockedCompareExchange.KERNEL32(6C3E0164,00000001,00000000), ref: 6C3C1D46
                                                • free.MSVCRT(00000000,?,00000000,?,?,6C3C1DDB,?,00000001,?,?,?,?,6C3C1C70,0000002C), ref: 6C3C1D7A
                                                • InterlockedExchange.KERNEL32(6C3E0164,00000000), ref: 6C3C1D9C
                                                • Sleep.KERNEL32(000003E8,?,00000000,?,?,6C3C1DDB,?,00000001,?,?,?,?,6C3C1C70,0000002C), ref: 6C3D451B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ExchangeInterlocked$Compare$Sleep_inittermfree
                                                • String ID:
                                                • API String ID: 546057305-0
                                                • Opcode ID: 19153ebd2a595b2fb6a4c9a5edc8cbcd83fe71c76cd1f051448077c66ccd3561
                                                • Instruction ID: 07cf69a6bb2bd42d97e261406b0e8a0cc8dd365f320e6982291b9be7e661e219
                                                • Opcode Fuzzy Hash: 19153ebd2a595b2fb6a4c9a5edc8cbcd83fe71c76cd1f051448077c66ccd3561
                                                • Instruction Fuzzy Hash: 7A41CF32304241EBEBA09B65C844B9D737EFB0A35DF11412AE5118A990EB35ED41BF63
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • There are no patches to uninstall during rollback for product, xrefs: 6C7B4AD2
                                                • MsiInstallProduct returned 0x%X, xrefs: 6C7B4D18
                                                • Install, xrefs: 6C7B4DC7
                                                • GetMsiLocalCachedPackagePath returned 0x%X, xrefs: 6C7B4D3A
                                                • IronMan::MspInstallerT<class IronMan::PatchesFilteredT<class IronMan::CMsiInstallContext> >::Rollback, xrefs: 6C7B49EB
                                                • MSIPATCHREMOVE="%s", xrefs: 6C7B4CF8
                                                • about to call MsiInstallProduct with MSIPATCHREMOVE="%s" on product %s(%s) to remove patches., xrefs: 6C7B4CBE
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: GetMsiLocalCachedPackagePath returned 0x%X$Install$IronMan::MspInstallerT<class IronMan::PatchesFilteredT<class IronMan::CMsiInstallContext> >::Rollback$MSIPATCHREMOVE="%s"$MsiInstallProduct returned 0x%X$There are no patches to uninstall during rollback for product$about to call MsiInstallProduct with MSIPATCHREMOVE="%s" on product %s(%s) to remove patches.
                                                • API String ID: 431132790-1026096532
                                                • Opcode ID: 143e11e3f2e318649e8a6c2001d42106cd103d92e8126142a90af8edcbca4d54
                                                • Instruction ID: 5bda99cbe8ce63f7b79e86cea022a10f1a9d7e0783bb7ab36ef2606cb86627ad
                                                • Opcode Fuzzy Hash: 143e11e3f2e318649e8a6c2001d42106cd103d92e8126142a90af8edcbca4d54
                                                • Instruction Fuzzy Hash: 37D18D722083419FD704DF68C988A4EBBE5BF85328F140A5DF5A59B7A1C730E949CB93
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 6C790B54
                                                • _memset.LIBCMT ref: 6C790B98
                                                • #246.MSI(00000000,00000000,00000004,00000000,?,00000000,00000000,00000000,6C79F880), ref: 6C790BAC
                                                • #244.MSI(?,?,00000000,00000004,LocalPackage,00000000,?,00000000), ref: 6C790C26
                                                • #244.MSI(?,?,00000000,00000004,LocalPackage,00000000,00000000,00000000), ref: 6C790C79
                                                  • Part of subcall function 6C7A8FC3: _calloc.LIBCMT ref: 6C7A8FE1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: #244$#246H_prolog3__calloc_memset
                                                • String ID: LocalPackage
                                                • API String ID: 113209346-4154802423
                                                • Opcode ID: d75842418486f0c991b50de8287d505d6237f06c720d20b7041ef63755de57c6
                                                • Instruction ID: 3f6f0971495c6cf6fac3290e2175125f2bfd65b5758b9a52a1c7293810319318
                                                • Opcode Fuzzy Hash: d75842418486f0c991b50de8287d505d6237f06c720d20b7041ef63755de57c6
                                                • Instruction Fuzzy Hash: 92C15171A00258DFDF10DFA4CE88BDD77B9BF49314F144669E518EB642DB309A49CB21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C787853
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • __CxxThrowException@8.LIBCMT ref: 6C787A82
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw
                                                • String ID: ActionTable$InstallAction$ParameterInfo.xml$RepairAction$UninstallAction$schema validation failure: wrong number of ActionTable child nodes!
                                                • API String ID: 2489616738-4108169080
                                                • Opcode ID: 9fa994cdd534037504f7a6a1b056532bdea020614c84f5f5824bc46c447947b5
                                                • Instruction ID: f48cc9214d64f77171ecb49f014d0469f4cd0a9629d279d700e4ee1bfea38cd3
                                                • Opcode Fuzzy Hash: 9fa994cdd534037504f7a6a1b056532bdea020614c84f5f5824bc46c447947b5
                                                • Instruction Fuzzy Hash: 2D713171A012499FDB04DFE8CA89AEEB7B9BF05318F244659F125E7780DB30DA05CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 58%
                                                			E6C3CE442(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                				signed int _v8;
                                                				char _v38;
                                                				char _v40;
                                                				void _v558;
                                                				char _v560;
                                                				struct _FILETIME _v568;
                                                				intOrPtr _v572;
                                                				void* _v586;
                                                				struct _SYSTEMTIME _v588;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t66;
                                                				void* _t83;
                                                				signed int _t91;
                                                				intOrPtr _t95;
                                                				void* _t96;
                                                				void* _t99;
                                                				intOrPtr* _t100;
                                                				intOrPtr _t101;
                                                				signed int _t102;
                                                
                                                				_t96 = __edx;
                                                				_t66 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t66 ^ _t102;
                                                				_t101 = _a4;
                                                				_v568.dwLowDateTime = 0;
                                                				asm("stosd");
                                                				_v588.wYear = 0;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				asm("stosd");
                                                				asm("stosw");
                                                				_v572 = __ecx;
                                                				_v560 = 0;
                                                				memset( &_v558, 0, 0x206);
                                                				_v40 = 0;
                                                				_t91 = 7;
                                                				_t99 =  &_v38;
                                                				memset(_t99, 0, _t91 << 2);
                                                				_t100 = _t99 + _t91;
                                                				asm("stosw");
                                                				if(_t101 == 0) {
                                                					_t73 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t73 != 0x6c3e0088 && ( *(_t73 + 0x1c) & 0x00000001) != 0) {
                                                						_t26 = _t73 + 0x14; // 0x0
                                                						_t27 = _t73 + 0x10; // 0x1
                                                						_t73 = E6C3D5F11( *_t27,  *_t26, 0x3b, 0x6c3c7af4);
                                                					}
                                                					L6:
                                                					return E6C3C171F(_t73, 0, _v8 ^ _t102, _t96, _t100, _t101);
                                                				}
                                                				_push(L"Sampling");
                                                				_push(_t101);
                                                				_t73 = E6C3C18E5( &_v560, 0x104, L"%s\\%s\\%s", L"Software\\Microsoft\\SQMClient");
                                                				if(_t73 < 0) {
                                                					_t95 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t95 != 0x6c3e0088 && ( *(_t95 + 0x1c) & 0x00000001) != 0) {
                                                						_push(_t73);
                                                						_push(0x6c3c7af4);
                                                						_push(0x3c);
                                                						L13:
                                                						_t31 = _t95 + 0x14; // 0x0
                                                						_push( *_t31);
                                                						_t32 = _t95 + 0x10; // 0x1
                                                						_push( *_t32);
                                                						L33:
                                                						_t73 = E6C3D99F8();
                                                					}
                                                					goto L6;
                                                				}
                                                				_t73 = E6C3C18E5( &_v40, 0x10, 0x6c3c7b04, _a8);
                                                				if(_t73 < 0) {
                                                					_t95 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t95 == 0x6c3e0088 || ( *(_t95 + 0x1c) & 0x00000001) == 0) {
                                                						goto L6;
                                                					} else {
                                                						_push(_t73);
                                                						_push(0x6c3c7af4);
                                                						_push(0x3d);
                                                						goto L13;
                                                					}
                                                				}
                                                				if(_a12 != 0xc8) {
                                                					if(_a12 != 0x193) {
                                                						goto L6;
                                                					}
                                                					GetSystemTime( &_v588);
                                                					SystemTimeToFileTime( &_v588,  &_v568);
                                                					_push(_v568.dwHighDateTime);
                                                					_t83 = E6C3D7985(0, _t101, 0x80000001,  &_v560, 0,  &_v40, _v568.dwLowDateTime);
                                                					_t101 = 0x6c3c7af4;
                                                					_t100 = 0x6c3e0088;
                                                					if(_t83 == 0) {
                                                						L22:
                                                						_t95 =  *0x6c3e0088; // 0x6c3e0088
                                                						L23:
                                                						_t73 = _v572;
                                                						if( *((intOrPtr*)(_v572 + 0x68)) == 0) {
                                                							L29:
                                                							if(_t95 == _t100 || ( *(_t95 + 0x1c) & 0x00000004) == 0) {
                                                								goto L6;
                                                							} else {
                                                								_push(_a8);
                                                								_push(_t101);
                                                								_push(0x41);
                                                								goto L13;
                                                							}
                                                						}
                                                						_push(_v568.dwHighDateTime);
                                                						if(E6C3D7985(_t95, _t101, 0x80000002, L"Software\\Microsoft\\SQMClient\\Windows\\DisabledSessions", 0,  &_v40, _v568.dwLowDateTime) == 0) {
                                                							L28:
                                                							_t95 =  *0x6c3e0088; // 0x6c3e0088
                                                							goto L29;
                                                						}
                                                						_t95 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t95 == _t100) {
                                                							goto L6;
                                                						}
                                                						if(( *(_t95 + 0x1c) & 0x00000001) == 0) {
                                                							goto L29;
                                                						}
                                                						_t57 = _t95 + 0x14; // 0x0
                                                						_t58 = _t95 + 0x10; // 0x1
                                                						_t73 = E6C3D99F8( *_t58,  *_t57, 0x40, _t101, _t73);
                                                						goto L28;
                                                					}
                                                					_t95 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t95 == 0x6c3e0088 || ( *(_t95 + 0x1c) & 0x00000001) == 0) {
                                                						goto L23;
                                                					} else {
                                                						_t47 = _t95 + 0x14; // 0x0
                                                						_t48 = _t95 + 0x10; // 0x1
                                                						E6C3D99F8( *_t48,  *_t47, 0x3f, 0x6c3c7af4, _t83);
                                                						goto L22;
                                                					}
                                                				}
                                                				E6C3CE552(0, 0, 0x80000001,  &_v560,  &_v40);
                                                				_t73 =  *0x6c3e0088; // 0x6c3e0088
                                                				if(_t73 == 0x6c3e0088 || ( *(_t73 + 0x1c) & 0x00000004) == 0) {
                                                					goto L6;
                                                				} else {
                                                					_push(_a8);
                                                					_push(0x6c3c7af4);
                                                					_push(0x3e);
                                                					_t64 = _t73 + 0x14; // 0x0
                                                					_push( *_t64);
                                                					_t65 = _t73 + 0x10; // 0x1
                                                					_push( *_t65);
                                                					goto L33;
                                                				}
                                                			}

                                                APIs
                                                • memset.MSVCRT ref: 6C3CE49A
                                                  • Part of subcall function 6C3C18E5: _vsnwprintf.MSVCRT ref: 6C3C1913
                                                • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,Function_00007AF4), ref: 6C3D05DD
                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,Function_00007AF4), ref: 6C3D05F1
                                                  • Part of subcall function 6C3CE552: RegOpenKeyExW.ADVAPI32(?,80000001,00000000,-00020005,?,00000000,?,?,?,?,6C3CE526,80000001,?,?), ref: 6C3CE5A8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: Time$System$FileOpen_vsnwprintfmemset
                                                • String ID: %s\%s\%s$Fm*$Sampling$Software\Microsoft\SQMClient$Software\Microsoft\SQMClient\Windows\DisabledSessions
                                                • API String ID: 3792293845-3986388417
                                                • Opcode ID: 62cec686934a9d57626b94413241c20a2ad79ac3dba0f64f0dc96ea704ac33a9
                                                • Instruction ID: 2e8c612b1e65c193ad0f3739e2cf4806438140474735e685a9352e4b8d2b5df3
                                                • Opcode Fuzzy Hash: 62cec686934a9d57626b94413241c20a2ad79ac3dba0f64f0dc96ea704ac33a9
                                                • Instruction Fuzzy Hash: 1261D032601288ABDF51DE50CC84FED7B79EF09318F200499EA14A6951D772EE89CF62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: to $$shtdwn$.req$::CopyFile failed with last error: %i, when copying from %s to %s$Copying
                                                • API String ID: 431132790-1590783879
                                                • Opcode ID: 2bc4d1a1c6927d55b1142b3ed1f30dc2d23dfc515cd3f8f1074ed31240957b46
                                                • Instruction ID: c6a5cacca53217ac807e4537cf01f86977a9ab777fd9a4021d54f969c9a1993f
                                                • Opcode Fuzzy Hash: 2bc4d1a1c6927d55b1142b3ed1f30dc2d23dfc515cd3f8f1074ed31240957b46
                                                • Instruction Fuzzy Hash: 92715F7290014ADFDF00DFE8CA89ADEBBB5BF05318F144695E464AB795CB30DA05CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 29%
                                                			E6C3CE1A5(intOrPtr __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                				signed int _v8;
                                                				char _v4104;
                                                				char _v4108;
                                                				char _v4112;
                                                				intOrPtr _v4116;
                                                				intOrPtr _v4120;
                                                				intOrPtr _v4124;
                                                				intOrPtr _v4128;
                                                				int _v4132;
                                                				intOrPtr _v4140;
                                                				intOrPtr _v4144;
                                                				char _v4148;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t57;
                                                				intOrPtr _t67;
                                                				void* _t74;
                                                				intOrPtr _t85;
                                                				void* _t89;
                                                				void* _t106;
                                                				void* _t108;
                                                				intOrPtr _t109;
                                                				intOrPtr* _t110;
                                                				signed int _t111;
                                                				void* _t113;
                                                				void* _t119;
                                                
                                                				_t106 = __edx;
                                                				E6C3C45B4(0x1030);
                                                				_t57 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t57 ^ _t111;
                                                				_t110 = _a4;
                                                				_v4120 = _a8;
                                                				_v4116 = __ecx;
                                                				_v4128 = _a12;
                                                				_v4112 = 0;
                                                				_v4108 = 0;
                                                				_v4132 = GetThreadPriority(GetCurrentThread());
                                                				SetThreadPriority(GetCurrentThread(), 0xffffffff);
                                                				_t108 =  *((intOrPtr*)( *_t110 + 0xc))(0, 0, 0);
                                                				if(_t108 < 0) {
                                                					_t67 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t67 != 0x6c3e0088 && ( *(_t67 + 0x1c) & 0x00000001) != 0) {
                                                						_push(_t108);
                                                						_push(0x6c3ccad8);
                                                						_push(0x3d);
                                                						goto L30;
                                                					}
                                                				} else {
                                                					_t74 =  *((intOrPtr*)( *_t110 + 0x14))();
                                                					_t113 = _t106;
                                                					if(_t113 < 0 || _t113 <= 0 && _t74 <= 0) {
                                                						L11:
                                                						_t108 = 0;
                                                					} else {
                                                						while(1) {
                                                							_t108 =  *((intOrPtr*)( *_t110 + 4))( &_v4104, 0x1000,  &_v4112,  *((intOrPtr*)(_v4116 + 0x10)));
                                                							if(_t108 < 0) {
                                                								break;
                                                							}
                                                							_t109 = _v4116;
                                                							E6C3CC2FD(_t109);
                                                							_v4124 =  *0x6c3e0038( *((intOrPtr*)(_t109 + 8)),  &_v4104, _v4112, 0);
                                                							E6C3CC33D(_t109);
                                                							if(_v4124 == 0) {
                                                								_t108 = E6C3D9546(GetLastError());
                                                								_t67 =  *0x6c3e0088; // 0x6c3e0088
                                                								if(_t67 != 0x6c3e0088 && ( *(_t67 + 0x1c) & 0x00000001) != 0) {
                                                									_push(_t108);
                                                									_push(0x6c3ccad8);
                                                									_push(0x3f);
                                                									goto L30;
                                                								}
                                                							} else {
                                                								_t108 = E6C3CC4B3(_t109, _t109);
                                                								if(_t108 < 0) {
                                                									_t67 =  *0x6c3e0088; // 0x6c3e0088
                                                									if(_t67 != 0x6c3e0088 && ( *(_t67 + 0x1c) & 0x00000001) != 0) {
                                                										_push(_t108);
                                                										_push(0x6c3ccad8);
                                                										_push(0x40);
                                                										goto L30;
                                                									}
                                                								} else {
                                                									_t85 = _v4108 + _v4112;
                                                									_v4108 = _t85;
                                                									_v4148 = 1;
                                                									_v4144 = _v4128;
                                                									_v4140 = _t85;
                                                									if(_v4120 != 0) {
                                                										_t108 = _v4120( &_v4148);
                                                										if(_t108 >= 0) {
                                                											goto L8;
                                                										} else {
                                                											_t67 =  *0x6c3e0088; // 0x6c3e0088
                                                											if(_t67 != 0x6c3e0088 && ( *(_t67 + 0x1c) & 0x00000001) != 0) {
                                                												_push(_t108);
                                                												_push(0x6c3ccad8);
                                                												_push(0x41);
                                                												L30:
                                                												_t53 = _t67 + 0x14; // 0x0
                                                												_push( *_t53);
                                                												_t54 = _t67 + 0x10; // 0x1
                                                												_push( *_t54);
                                                												E6C3D99F8();
                                                											}
                                                										}
                                                									} else {
                                                										L8:
                                                										_t89 =  *((intOrPtr*)( *_t110 + 0x14))();
                                                										_t119 = 0 - _t106;
                                                										if(_t119 < 0 || _t119 <= 0 && _v4108 < _t89) {
                                                											continue;
                                                										} else {
                                                											goto L11;
                                                										}
                                                									}
                                                								}
                                                							}
                                                							goto L12;
                                                						}
                                                						_t67 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t67 != 0x6c3e0088 && ( *(_t67 + 0x1c) & 0x00000001) != 0) {
                                                							_push(_t108);
                                                							_push(0x6c3ccad8);
                                                							_push(0x3e);
                                                							goto L30;
                                                						}
                                                					}
                                                				}
                                                				L12:
                                                				SetThreadPriority(GetCurrentThread(), _v4132);
                                                				return E6C3C171F(_t108, 0, _v8 ^ _t111, _t106, _t108, _t110);
                                                			}































                                                APIs
                                                • GetCurrentThread.KERNEL32 ref: 6C3CE1F0
                                                • GetThreadPriority.KERNEL32(00000000,?,6C3CBFF6,?,00000000,00000000,?,?,?,PUT,00000000,?,Function_00007AF4), ref: 6C3CE1F3
                                                • GetCurrentThread.KERNEL32 ref: 6C3CE201
                                                • SetThreadPriority.KERNEL32(00000000,?,6C3CBFF6,?,00000000,00000000,?,?,?,PUT,00000000,?,Function_00007AF4), ref: 6C3CE204
                                                • GetCurrentThread.KERNEL32 ref: 6C3CE313
                                                • SetThreadPriority.KERNEL32(00000000,?,6C3CBFF6,?,00000000,00000000,?,?,?,PUT,00000000,?,Function_00007AF4), ref: 6C3CE31A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: Thread$CurrentPriority
                                                • String ID: Fm*
                                                • API String ID: 1343868529-3000852143
                                                • Opcode ID: b31bf45dc0cdae23a2823658f5163583f6b5ea1ead46db3bfbd78303c638991e
                                                • Instruction ID: d9ebea785b080889f422da10c46f595f4371554d65d0304e478061393b4b874f
                                                • Opcode Fuzzy Hash: b31bf45dc0cdae23a2823658f5163583f6b5ea1ead46db3bfbd78303c638991e
                                                • Instruction Fuzzy Hash: 6251B035B002949BCB61DF24C888BDD77BABB48349F110099E19997A50CB74EEC4CFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C787C26
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • __CxxThrowException@8.LIBCMT ref: 6C787DCC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw
                                                • String ID: Cartman$ExeType$HotIron$IronMan$LocalExe$MsuPackage
                                                • API String ID: 2489616738-3730881327
                                                • Opcode ID: 2aa083d45c8d9effa30875012959d1b7c7e9c6f1cca280e133744f3413f5b3c0
                                                • Instruction ID: 283362e702a6b48d12eb30c6a8bd3af6fe11091a9132cf3026578faebd344dee
                                                • Opcode Fuzzy Hash: 2aa083d45c8d9effa30875012959d1b7c7e9c6f1cca280e133744f3413f5b3c0
                                                • Instruction Fuzzy Hash: 385196717056058FCB10DFA9CA896AA7BB8BF0536CF540239F925D7781D730CA44CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C791EC6
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • __CxxThrowException@8.LIBCMT ref: 6C79202D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw
                                                • String ID: Continue$OnSubFailureAction$ParameterInfo.xml$Rollback$Stop$schema validation failure: invalid attribute value for - OnSubFailureAction
                                                • API String ID: 2489616738-3344869707
                                                • Opcode ID: 88e07cb97956eadefd4c5503e763835726c3c31bd8b718a9506ecbeb94c47447
                                                • Instruction ID: ab387d3ef293e2e7fbcc2e2e28c47f2bd742becef5bbbea3410ecceed82aad1a
                                                • Opcode Fuzzy Hash: 88e07cb97956eadefd4c5503e763835726c3c31bd8b718a9506ecbeb94c47447
                                                • Instruction Fuzzy Hash: FE41B431A001499FCB00DBE8CB4DBEE77BDAF05318F544669E521E7B80DB30DA098B62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 97%
                                                			E6C3C2885(signed int __ecx, void* __edx, WCHAR* _a4) {
                                                				signed int _v8;
                                                				void _v2054;
                                                				char _v2056;
                                                				struct _SECURITY_ATTRIBUTES* _v2060;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t36;
                                                				intOrPtr _t38;
                                                				struct _SECURITY_ATTRIBUTES* _t39;
                                                				int _t43;
                                                				intOrPtr _t45;
                                                				struct _SECURITY_ATTRIBUTES* _t50;
                                                				intOrPtr _t51;
                                                				void* _t53;
                                                				void* _t54;
                                                				intOrPtr _t56;
                                                				void* _t62;
                                                				WCHAR* _t63;
                                                				signed int _t64;
                                                				signed int _t66;
                                                
                                                				_t62 = __edx;
                                                				_t36 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t36 ^ _t66;
                                                				_t64 = __ecx;
                                                				_t63 = _a4;
                                                				_v2060 = 0;
                                                				if( *((intOrPtr*)(__ecx + 0x1c)) != 0) {
                                                					_t38 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t38 != 0x6c3e0088 && ( *(_t38 + 0x1c) & 0x00000002) != 0) {
                                                						_t17 = _t38 + 0x14; // 0x0
                                                						_t18 = _t38 + 0x10; // 0x1
                                                						E6C3D5F11( *_t18,  *_t17, 0xa, 0x6c3d5b64);
                                                					}
                                                					_t39 = 0;
                                                					L4:
                                                					return E6C3C171F(_t39, 0, _v8 ^ _t66, _t62, _t63, _t64);
                                                				}
                                                				if(_t63 != 0) {
                                                					if( *_t63 == 0) {
                                                						goto L2;
                                                					}
                                                					_v2056 = 0;
                                                					memset( &_v2054, 0, 0x7fe);
                                                					_t50 = E6C3C18E5( &_v2056, 0x400, L"Local\\SqmLock_%s", _t63);
                                                					_v2060 = _t50;
                                                					if(_t50 < 0) {
                                                						_t51 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t51 != 0x6c3e0088 && ( *(_t51 + 0x1c) & 0x00000001) != 0) {
                                                							_t23 = _t51 + 0x14; // 0x0
                                                							_t24 = _t51 + 0x10; // 0x1
                                                							E6C3D99F8( *_t24,  *_t23, 0xb, 0x6c3d5b64, _v2060);
                                                						}
                                                						_t39 = 0x80080057;
                                                						goto L4;
                                                					}
                                                					_t53 = OpenMutexW(0x100000, 0, _t63);
                                                					 *_t64 = _t53;
                                                					if(_t53 != 0) {
                                                						L9:
                                                						 *(_t64 + 0x1c) = 1;
                                                						L3:
                                                						_t39 = _v2060;
                                                						goto L4;
                                                					}
                                                					_t54 = CreateMutexW(0, 0, _t63);
                                                					 *_t64 = _t54;
                                                					if(_t54 == 0) {
                                                						_t64 = GetLastError();
                                                						_t56 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t56 != 0x6c3e0088 && ( *(_t56 + 0x1c) & 0x00000001) != 0) {
                                                							_t28 = _t56 + 0x14; // 0x0
                                                							_t29 = _t56 + 0x10; // 0x1
                                                							E6C3D77B8( *_t29,  *_t28, 0xc, 0x6c3d5b64, _t63, _t64);
                                                						}
                                                						L24:
                                                						if(_t64 > 0) {
                                                							_t64 = _t64 & 0x1000ffff | 0x80080000;
                                                						}
                                                						_v2060 = _t64;
                                                						goto L3;
                                                					}
                                                					goto L9;
                                                				}
                                                				L2:
                                                				_t5 = _t64 + 4; // 0x4
                                                				_t43 = InitializeCriticalSectionAndSpinCount(_t5, 0xfa0);
                                                				 *(_t64 + 0x1c) = _t43;
                                                				if(_t43 == 0) {
                                                					_t64 = GetLastError();
                                                					_t45 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t45 != 0x6c3e0088 && ( *(_t45 + 0x1c) & 0x00000001) != 0) {
                                                						_t33 = _t45 + 0x14; // 0x0
                                                						_t34 = _t45 + 0x10; // 0x1
                                                						E6C3D99F8( *_t34,  *_t33, 0xd, 0x6c3d5b64, _t64);
                                                					}
                                                					goto L24;
                                                				}
                                                				goto L3;
                                                			}


                                                APIs
                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(00000004,00000FA0,?,00000000,00000000), ref: 6C3C28C4
                                                • memset.MSVCRT ref: 6C3C3C7D
                                                • OpenMutexW.KERNEL32(00100000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 6C3C3CB1
                                                • CreateMutexW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 6C3C3CC0
                                                • GetLastError.KERNEL32 ref: 6C3D3E29
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: Mutex$CountCreateCriticalErrorInitializeLastOpenSectionSpinmemset
                                                • String ID: Fm*$Local\SqmLock_%s
                                                • API String ID: 435864437-3364906167
                                                • Opcode ID: 64e3753d7d7633bbba71c1ac709871781d6bb1b4d211332a16b3550b51a04f22
                                                • Instruction ID: 3ae52f4468352731f7fe802c5c0bf8f236b145a237aff0ca74b6200066b52704
                                                • Opcode Fuzzy Hash: 64e3753d7d7633bbba71c1ac709871781d6bb1b4d211332a16b3550b51a04f22
                                                • Instruction Fuzzy Hash: FE41B576640345EFC7A09F558CC4F997BB8FB05348F124469E584A7990CB31ED889F62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 56%
                                                			E6C3C583D(void* __ebx, void* __edx, WCHAR* _a4, long _a8) {
                                                				signed int _v8;
                                                				char _v528;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t33;
                                                				intOrPtr _t35;
                                                				WCHAR* _t36;
                                                				intOrPtr _t40;
                                                				long _t41;
                                                				long _t43;
                                                				intOrPtr _t44;
                                                				char* _t48;
                                                				intOrPtr _t51;
                                                				intOrPtr _t55;
                                                				void* _t57;
                                                				void* _t60;
                                                				WCHAR* _t62;
                                                				signed int _t64;
                                                
                                                				_t60 = __edx;
                                                				_t57 = __ebx;
                                                				_t33 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t33 ^ _t64;
                                                				_t62 = _a4;
                                                				_v528 = 0;
                                                				if(_t62 == 0 || _a8 == 0) {
                                                					_t35 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t35 != 0x6c3e0088 && ( *(_t35 + 0x1c) & 0x00000001) != 0) {
                                                						_t31 = _t35 + 0x14; // 0x0
                                                						_t32 = _t35 + 0x10; // 0x1
                                                						E6C3D5F11( *_t32,  *_t31, 0x10, 0x6c3d5b28);
                                                					}
                                                					_t36 = 0x80070057;
                                                					goto L9;
                                                				} else {
                                                					if(GetTempPathW(_a8, _t62) == 0 ||  *_t62 == 0) {
                                                						_t40 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t40 != 0x6c3e0088 && ( *(_t40 + 0x1c) & 0x00000001) != 0) {
                                                							_t43 = GetLastError();
                                                							_t44 =  *0x6c3e0088; // 0x6c3e0088
                                                							_t26 = _t44 + 0x14; // 0x0
                                                							_t27 = _t44 + 0x10; // 0x1
                                                							E6C3D99F8( *_t27,  *_t26, 0x11, 0x6c3d5b28, _t43);
                                                						}
                                                						_t41 = GetLastError();
                                                						goto L26;
                                                					} else {
                                                						if(E6C3C58E8(_t62) == 0) {
                                                							if(CreateDirectoryW(_t62, 0) != 0) {
                                                								goto L5;
                                                							}
                                                							_t55 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t55 != 0x6c3e0088 && ( *(_t55 + 0x1c) & 0x00000001) != 0) {
                                                								_t13 = _t55 + 0x14; // 0x0
                                                								_t14 = _t55 + 0x10; // 0x1
                                                								E6C3D774A( *_t14,  *_t13, 0x12, 0x6c3d5b28, _t62);
                                                							}
                                                							 *_t62 = 0;
                                                							_t41 = GetLastError();
                                                							L26:
                                                							_t62 = E6C3D9546(_t41);
                                                							L8:
                                                							_t36 = _t62;
                                                							L9:
                                                							return E6C3C171F(_t36, _t57, _v8 ^ _t64, _t60, 0, _t62);
                                                						}
                                                						L5:
                                                						_t48 =  &_v528;
                                                						__imp__GetLongPathNameW(_t62, _t48, 0x104);
                                                						if(_t48 == 0) {
                                                							_t62 = E6C3D9546(GetLastError());
                                                							_t51 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t51 != 0x6c3e0088 && ( *(_t51 + 0x1c) & 0x00000001) != 0) {
                                                								_push(_t62);
                                                								_push(0x6c3d5b28);
                                                								_push(0x13);
                                                								L21:
                                                								_t21 = _t51 + 0x14; // 0x0
                                                								_push( *_t21);
                                                								_t22 = _t51 + 0x10; // 0x1
                                                								_push( *_t22);
                                                								E6C3D99F8();
                                                							}
                                                							goto L8;
                                                						}
                                                						_t62 = E6C3C173D(_t62, _a8,  &_v528);
                                                						if(_t62 < 0) {
                                                							_t51 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t51 == 0x6c3e0088 || ( *(_t51 + 0x1c) & 0x00000001) == 0) {
                                                								goto L8;
                                                							} else {
                                                								_push(_t62);
                                                								_push(0x6c3d5b28);
                                                								_push(0x14);
                                                								goto L21;
                                                							}
                                                						}
                                                						_t62 = 0;
                                                						goto L8;
                                                					}
                                                				}
                                                			}






















                                                APIs
                                                • GetTempPathW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C3C5875
                                                • GetLongPathNameW.KERNEL32(00000000,?,00000104), ref: 6C3C58A7
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 6C3D2890
                                                • GetLastError.KERNEL32(00000001,00000000,00000012,6C3D5B28,00000000), ref: 6C3D28C6
                                                • GetLastError.KERNEL32 ref: 6C3D28D1
                                                • GetLastError.KERNEL32 ref: 6C3D294D
                                                • GetLastError.KERNEL32(00000001,00000000,00000011,6C3D5B28,00000000), ref: 6C3D2967
                                                  • Part of subcall function 6C3C58E8: GetFileAttributesW.KERNEL32(6C3C5892,?,6C3C5892,00000000), ref: 6C3C58F0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$Path$AttributesCreateDirectoryFileLongNameTemp
                                                • String ID: Fm*
                                                • API String ID: 4207547965-3000852143
                                                • Opcode ID: a6c43b26ee2c8bd512ca253836b7fbd21de4df59f26202013fd56ef30664894f
                                                • Instruction ID: 61be705ee58ecede2b7dabf552929e633f2253f448f34792ea27cc59355c26c2
                                                • Opcode Fuzzy Hash: a6c43b26ee2c8bd512ca253836b7fbd21de4df59f26202013fd56ef30664894f
                                                • Instruction Fuzzy Hash: F941C432741314ABCB519F258988FDE3BA8EF09358F220055F854DB951CB72ED94AFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C786F7A
                                                  • Part of subcall function 6C7A8608: __wcsicoll.LIBCMT ref: 6C7A8626
                                                • __CxxThrowException@8.LIBCMT ref: 6C787087
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Exception@8H_prolog3Throw__wcsicoll
                                                • String ID: False$ParameterInfo.xml$True$false$schema validation failure: invalid IgnoreDownloadFailure attribute value$true
                                                • API String ID: 1238845444-4159781073
                                                • Opcode ID: fdf1bc887b4801d3b95dbc309137783c3b4ba3c265b4aacdfa19532a1741d824
                                                • Instruction ID: 9555578ec5deca469705966218b41c7fc093fa2e7301f3f90bcbde6525b7333a
                                                • Opcode Fuzzy Hash: fdf1bc887b4801d3b95dbc309137783c3b4ba3c265b4aacdfa19532a1741d824
                                                • Instruction Fuzzy Hash: 9631A171900148AFDB00DFA8CB0DBDE77B8AF18318F548655E524EBB80DB34DA09CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C79CB37
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: Returning $IDCANCEL$IDIGNORE$IDNO$IDOK$IDRETRY$unknown return type
                                                • API String ID: 431132790-446421279
                                                • Opcode ID: 65a46a7618c1d52b2b03fae58ed3bf21b82d54f32975c386870ff72f5b767e54
                                                • Instruction ID: d26c948f3c1436d8226864c4cc4ff87382809132520e43a132c7603ec1b8b156
                                                • Opcode Fuzzy Hash: 65a46a7618c1d52b2b03fae58ed3bf21b82d54f32975c386870ff72f5b767e54
                                                • Instruction Fuzzy Hash: 7E216D3165450DAAEF11EF94DF49FED73A4BB06309F804D22B560BAED0CB74EA188B51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C77AB5F
                                                • SysAllocString.OLEAUT32(Parse failed for some unknown reason), ref: 6C77ABB9
                                                • SysFreeString.OLEAUT32(?), ref: 6C77AC0E
                                                • SysFreeString.OLEAUT32(?), ref: 6C77AC20
                                                • SysFreeString.OLEAUT32(00000738), ref: 6C77AC36
                                                Strings
                                                • Parse failed for some unknown reason, xrefs: 6C77ABB4
                                                • spDoc->get_parseError failed with hr = 0x%08x, xrefs: 6C77AB8D
                                                • spParseError->get_reason failed with hr = 0x%08x, xrefs: 6C77ABA6
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: String$Free$AllocH_prolog3
                                                • String ID: Parse failed for some unknown reason$spDoc->get_parseError failed with hr = 0x%08x$spParseError->get_reason failed with hr = 0x%08x
                                                • API String ID: 402383297-1327361504
                                                • Opcode ID: 9c267c2bdd1413f52a081665bd4fcec53015988ce6ecbba5b99c4a8d6c7c95ea
                                                • Instruction ID: 24e6e8dfb648cb51dd73d31e213515dbfef5a15fd5e1a432fcbab85b4d021872
                                                • Opcode Fuzzy Hash: 9c267c2bdd1413f52a081665bd4fcec53015988ce6ecbba5b99c4a8d6c7c95ea
                                                • Instruction Fuzzy Hash: 77318EB190020EDFEF00DF94CA88AAEBBB5BF04318F504569E515BB650C7759A49CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 31%
                                                			E6C3CBA44(void* __ecx, intOrPtr _a4) {
                                                				struct _SECURITY_ATTRIBUTES* _v8;
                                                				struct _SECURITY_ATTRIBUTES* _t49;
                                                				intOrPtr _t50;
                                                				void* _t51;
                                                				void* _t52;
                                                				void* _t53;
                                                				intOrPtr _t59;
                                                				void* _t61;
                                                				intOrPtr _t64;
                                                				void* _t66;
                                                				void* _t69;
                                                				void* _t83;
                                                
                                                				_push(__ecx);
                                                				_t83 = __ecx;
                                                				_t1 = _t83 + 0x2c; // 0x2c
                                                				_t49 = E6C3CBAE2(_t1);
                                                				_v8 = _t49;
                                                				if(_t49 < 0) {
                                                					_t50 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t50 == 0x6c3e0088 || ( *(_t50 + 0x1c) & 0x00000001) == 0) {
                                                						L9:
                                                						if(_v8 < 0) {
                                                							_t51 =  *(_t83 + 0xc);
                                                							if(_t51 != 0) {
                                                								CloseHandle(_t51);
                                                								 *(_t83 + 0xc) = 0;
                                                							}
                                                							_t52 =  *(_t83 + 0x10);
                                                							if(_t52 != 0) {
                                                								CloseHandle(_t52);
                                                								 *(_t83 + 0x10) = 0;
                                                							}
                                                							_t53 =  *(_t83 + 0x18);
                                                							if(_t53 != 0) {
                                                								CloseHandle(_t53);
                                                								 *(_t83 + 0x18) = 0;
                                                							}
                                                						}
                                                						return _v8;
                                                					} else {
                                                						_push(_v8);
                                                						_push(0x6c3ccad8);
                                                						_push(0xb);
                                                						L17:
                                                						_t24 = _t50 + 0x14; // 0x0
                                                						_push( *_t24);
                                                						_t25 = _t50 + 0x10; // 0x1
                                                						_push( *_t25);
                                                						E6C3D99F8();
                                                						goto L9;
                                                					}
                                                				}
                                                				_t3 = _t83 + 0x54; // 0x54
                                                				_t59 = E6C3CBAE2(_t3);
                                                				_v8 = _t59;
                                                				if(_t59 < 0) {
                                                					_t50 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t50 == 0x6c3e0088 || ( *(_t50 + 0x1c) & 0x00000001) == 0) {
                                                						goto L9;
                                                					} else {
                                                						_push(_v8);
                                                						_push(0x6c3ccad8);
                                                						_push(0xc);
                                                						goto L17;
                                                					}
                                                				}
                                                				if( *((intOrPtr*)(__ecx + 0xc)) != 0) {
                                                					L4:
                                                					if( *(_t83 + 0x10) != 0) {
                                                						L6:
                                                						if( *(_t83 + 0x18) != 0) {
                                                							L8:
                                                							 *((intOrPtr*)(_t83 + 0x14)) = _a4;
                                                							_v8 = 0;
                                                							goto L9;
                                                						}
                                                						_t61 = CreateEventW(0, 1, 0, 0);
                                                						 *(_t83 + 0x18) = _t61;
                                                						if(_t61 == 0) {
                                                							_v8 = E6C3D9546(GetLastError());
                                                							_t64 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t64 != 0x6c3e0088 && ( *(_t64 + 0x1c) & 0x00000001) != 0) {
                                                								_push(_v8);
                                                								_push(0x6c3ccad8);
                                                								_push(0xf);
                                                								L27:
                                                								_t41 = _t64 + 0x14; // 0x0
                                                								_push( *_t41);
                                                								_t42 = _t64 + 0x10; // 0x1
                                                								_push( *_t42);
                                                								E6C3D99F8();
                                                							}
                                                							goto L9;
                                                						}
                                                						goto L8;
                                                					}
                                                					_t66 = CreateEventW(0, 1, 0, 0);
                                                					 *(_t83 + 0x10) = _t66;
                                                					if(_t66 == 0) {
                                                						_v8 = E6C3D9546(GetLastError());
                                                						_t64 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t64 == 0x6c3e0088 || ( *(_t64 + 0x1c) & 0x00000001) == 0) {
                                                							goto L9;
                                                						} else {
                                                							_push(_v8);
                                                							_push(0x6c3ccad8);
                                                							_push(0xe);
                                                							goto L27;
                                                						}
                                                					}
                                                					goto L6;
                                                				}
                                                				_t69 = CreateEventW(0, 0, 0, 0);
                                                				 *(_t83 + 0xc) = _t69;
                                                				if(_t69 == 0) {
                                                					_v8 = E6C3D9546(GetLastError());
                                                					_t64 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t64 == 0x6c3e0088 || ( *(_t64 + 0x1c) & 0x00000001) == 0) {
                                                						goto L9;
                                                					} else {
                                                						_push(_v8);
                                                						_push(0x6c3ccad8);
                                                						_push(0xd);
                                                						goto L27;
                                                					}
                                                				}
                                                				goto L4;
                                                			}















                                                0x6c3d27d6
                                                0x6c3d27d9
                                                0x6c3d27d9
                                                0x6c3d27dc
                                                0x6c3d27dc
                                                0x00000000
                                                0x6c3d27bc
                                                0x00000000
                                                0x6c3cbabb
                                                0x6c3cba9d
                                                0x6c3cbaa1
                                                0x6c3cbaa4
                                                0x6c3d277a
                                                0x6c3d277d
                                                0x6c3d2787
                                                0x00000000
                                                0x6c3d2797
                                                0x6c3d2797
                                                0x6c3d279a
                                                0x6c3d279f
                                                0x00000000
                                                0x6c3d279f
                                                0x6c3d2787
                                                0x00000000
                                                0x6c3cbaa4
                                                0x6c3cba86
                                                0x6c3cba8a
                                                0x6c3cba8d
                                                0x6c3d2745
                                                0x6c3d2748
                                                0x6c3d2752
                                                0x00000000
                                                0x6c3d2762
                                                0x6c3d2762
                                                0x6c3d2765
                                                0x6c3d276a
                                                0x00000000
                                                0x6c3d276a
                                                0x6c3d2752
                                                0x00000000

                                                APIs
                                                  • Part of subcall function 6C3CBAE2: InitializeCriticalSectionAndSpinCount.KERNEL32(?,80000040,00000000,00000000,6C3CBA57,00000000,?,?,00000000,?,6C3C8733,?,0000000C,6C3CBCB8,6C3C0000), ref: 6C3CBAFB
                                                • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,6C3C8733,?,0000000C,6C3CBCB8,6C3C0000), ref: 6C3CBA86
                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,00000000,?,6C3C8733,?,0000000C,6C3CBCB8,6C3C0000), ref: 6C3CBA9D
                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,00000000,?,6C3C8733,?,0000000C,6C3CBCB8,6C3C0000), ref: 6C3CBAB4
                                                • GetLastError.KERNEL32(?,?,00000000,?,6C3C8733,?,0000000C,6C3CBCB8,6C3C0000), ref: 6C3D2739
                                                • GetLastError.KERNEL32(?,?,00000000,?,6C3C8733,?,0000000C,6C3CBCB8,6C3C0000), ref: 6C3D276E
                                                • CloseHandle.KERNEL32(?,00000000,?,?,00000000,?,6C3C8733,?,0000000C,6C3CBCB8,6C3C0000), ref: 6C3D27F4
                                                • CloseHandle.KERNEL32(?,00000000,?,?,00000000,?,6C3C8733,?,0000000C,6C3CBCB8,6C3C0000), ref: 6C3D2801
                                                • CloseHandle.KERNEL32(?,00000000,?,?,00000000,?,6C3C8733,?,0000000C,6C3CBCB8,6C3C0000), ref: 6C3D2812
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseCreateEventHandle$ErrorLast$CountCriticalInitializeSectionSpin
                                                • String ID:
                                                • API String ID: 2704725777-0
                                                • Opcode ID: 5e84238156137698165545d968838dbfb4493bd08a3b7a023d3076beb0e090d4
                                                • Instruction ID: 06d6a095f5b64be7bb0e304dc9676b725d14a47643d76f095c46db4fb7f8a0fb
                                                • Opcode Fuzzy Hash: 5e84238156137698165545d968838dbfb4493bd08a3b7a023d3076beb0e090d4
                                                • Instruction Fuzzy Hash: 6F519079640344EFCB60DF69C9C4B9EB7B8BB0438CB210869E191D6D51C772ED449F62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C7A378C: GetSecurityDescriptorControl.ADVAPI32(00000002,00000000,?,|tzl,6C7A37E0,?,6C76A590,?,?,?,?,?,|tzl,6C7A367C,6C76A5CC,10000000), ref: 6C7A37AA
                                                • GetSecurityDescriptorOwner.ADVAPI32(?,?,?,?,?), ref: 6C7A398A
                                                • GetSecurityDescriptorGroup.ADVAPI32(?,?,?), ref: 6C7A39A4
                                                • _free.LIBCMT ref: 6C7A39AD
                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,00000002,?), ref: 6C7A39C2
                                                • _free.LIBCMT ref: 6C7A39D1
                                                • GetSecurityDescriptorSacl.ADVAPI32(?,00000000,?,?), ref: 6C7A39E6
                                                • _free.LIBCMT ref: 6C7A39F5
                                                • _free.LIBCMT ref: 6C7A3993
                                                  • Part of subcall function 6C7CBE0E: HeapFree.KERNEL32(00000000,00000000,?,6C7CD3BD,00000000,?,6C7A831D,6C7CBD2E,6C7CC03C,00000000), ref: 6C7CBE24
                                                  • Part of subcall function 6C7CBE0E: GetLastError.KERNEL32(00000000,?,6C7CD3BD,00000000,?,6C7A831D,6C7CBD2E,6C7CC03C,00000000), ref: 6C7CBE36
                                                • _free.LIBCMT ref: 6C7A39FE
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: DescriptorSecurity_free$ControlDaclErrorFreeGroupHeapLastOwnerSacl
                                                • String ID:
                                                • API String ID: 1545777859-0
                                                • Opcode ID: ae05f5f6776dd8461e684afcd5727af00ff129b8ad74a37ba57df4f29c99a666
                                                • Instruction ID: 9e318014c55fead691e2f34e0425fb35175f418883096bff3f67c2291626cc2e
                                                • Opcode Fuzzy Hash: ae05f5f6776dd8461e684afcd5727af00ff129b8ad74a37ba57df4f29c99a666
                                                • Instruction Fuzzy Hash: 8121DE72900109AFDF019F90DA49AEFBBBDEF04705F104576E556A2850DB31EA49DB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0x%x$Crash$HKLM\Software\Microsoft\Internet Explorer\Registration\DigitalProductID$VSSetup
                                                • API String ID: 0-732999933
                                                • Opcode ID: 173b3e223fc2861de906f283d5995fab7d2431620d061390f1930b331775fe16
                                                • Instruction ID: 5126c30061dd71e4a7dd3f3024cf5c81c68ce65fd8367265c03b36a4bb0c96ee
                                                • Opcode Fuzzy Hash: 173b3e223fc2861de906f283d5995fab7d2431620d061390f1930b331775fe16
                                                • Instruction Fuzzy Hash: 052282712087419FC720CF68C988B9BB7E5AF85318F044A2EF59897791DB70E949CB63
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E6C3C5E53(intOrPtr* _a4) {
                                                				signed int _t55;
                                                				signed int _t72;
                                                				signed int _t89;
                                                				signed int _t90;
                                                				intOrPtr* _t103;
                                                
                                                				_t103 = _a4;
                                                				memset( *(_t103 + 8), 0, 0x40000);
                                                				_t55 =  *(_t103 + 4);
                                                				 *_t103 =  *(_t103 + 0x4334) - _t55;
                                                				 *(_t103 + 0x458) = _t55;
                                                				 *(_t103 + 0x86c) = _t55;
                                                				_t89 = _t55 << 2;
                                                				 *((intOrPtr*)(_t103 + 0xc)) =  *((intOrPtr*)(_t103 + 0x4338)) - _t89;
                                                				_t13 = _t103 + 0x3964; // 0x3964
                                                				 *((intOrPtr*)(_t103 + 0x10)) =  *((intOrPtr*)(_t103 + 0x433c)) - _t89;
                                                				 *((intOrPtr*)(_t103 + 0x44)) = 1;
                                                				 *((intOrPtr*)(_t103 + 0x48)) = 1;
                                                				 *((intOrPtr*)(_t103 + 0x4c)) = 1;
                                                				 *((intOrPtr*)(_t103 + 0x38)) = 1;
                                                				 *((intOrPtr*)(_t103 + 0x3c)) = 1;
                                                				 *((intOrPtr*)(_t103 + 0x40)) = 1;
                                                				 *((char*)(_t103 + 0x981)) = 1;
                                                				 *((intOrPtr*)(_t103 + 0x984)) = 1;
                                                				 *((char*)(_t103 + 0x18)) = 0x20;
                                                				 *((intOrPtr*)(_t103 + 0x14)) = 0;
                                                				 *((intOrPtr*)(_t103 + 0x1c)) = 0;
                                                				memset(_t13, 0, 0x100 +  *(_t103 + 0x870) * 8);
                                                				_t26 = _t103 + 0x41f8; // 0x41f8
                                                				memset(_t26, 0, 0xf9);
                                                				_t27 = _t103 + 0x2544; // 0x2544
                                                				memset(_t27, 8, 0x100);
                                                				_t29 = _t103 + 0x2644; // 0x2644
                                                				memset(_t29, 9,  *(_t103 + 0x870) << 3);
                                                				_t30 = _t103 + 0x2801; // 0x2801
                                                				memset(_t30, 6, 0xf9);
                                                				asm("stosd");
                                                				asm("stosd");
                                                				E6C3C545E(_t103);
                                                				_t72 =  *(_t103 + 0x458);
                                                				 *(_t103 + 0x994) = _t72;
                                                				 *(_t103 + 0x990) = _t72;
                                                				 *((intOrPtr*)(_t103 + 0x868)) = 0;
                                                				 *((intOrPtr*)(_t103 + 0x988)) = 1;
                                                				memset( *(_t103 + 0x34), 0, 0x2000);
                                                				 *((intOrPtr*)(_t103 + 0x24)) = 0;
                                                				 *((intOrPtr*)(_t103 + 0x28)) = 0;
                                                				 *((char*)(_t103 + 0x880)) = 0;
                                                				 *((intOrPtr*)(_t103 + 0x38)) = 1;
                                                				 *((intOrPtr*)(_t103 + 0x3c)) = 1;
                                                				 *((intOrPtr*)(_t103 + 0x40)) = 1;
                                                				E6C3C5FFD(_t103);
                                                				_t44 = _t103 + 0x28fc; // 0x28fc
                                                				 *((intOrPtr*)(_t103 + 0x4340)) = 0;
                                                				memset(_t44, 0, 0xaf0);
                                                				_t46 = _t103 + 0x3c22; // 0x3c22
                                                				memset(_t46, 0, 0x3e4);
                                                				_t90 = 8;
                                                				_t47 = _t103 + 0x42f2; // 0x42f2
                                                				memset(_t47, 0, _t90 << 2);
                                                				return memset( *(_t103 + 0x4334), 0,  *((intOrPtr*)(_t103 + 0x98c)) +  *(_t103 + 4) + 0x1101);
                                                			}









                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: memset
                                                • String ID:
                                                • API String ID: 2221118986-0
                                                • Opcode ID: 7e0159214f05f092813d7215edd18f8e7927451cd52de21e904934e0ab6ae338
                                                • Instruction ID: 7a184b24e8d80e42da84b9d95ca7558748ab1c584d8bcff50f0fb2c4647e68ef
                                                • Opcode Fuzzy Hash: 7e0159214f05f092813d7215edd18f8e7927451cd52de21e904934e0ab6ae338
                                                • Instruction Fuzzy Hash: EE411BB1641B009FD370CF2AC884A87FBE8BB98700F80492EA2DA97640DB71B509DF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 98%
                                                			E6C3D7AAB(void* _a4, int* _a8) {
                                                				int _v8;
                                                				int* _v12;
                                                				void* _v16;
                                                				int _v20;
                                                				void* __esi;
                                                				void* __ebp;
                                                				intOrPtr _t97;
                                                				short* _t101;
                                                				long _t102;
                                                				intOrPtr _t103;
                                                				signed int _t109;
                                                				signed int _t112;
                                                				short* _t115;
                                                				intOrPtr _t116;
                                                				signed int _t119;
                                                				intOrPtr _t120;
                                                				intOrPtr _t122;
                                                				intOrPtr _t124;
                                                				intOrPtr _t126;
                                                				intOrPtr _t128;
                                                				short** _t144;
                                                				signed int _t147;
                                                				signed int _t149;
                                                				signed int _t151;
                                                				int* _t152;
                                                				int _t153;
                                                				short* _t154;
                                                				short** _t155;
                                                
                                                				_t154 = _a8;
                                                				_v12 = 0;
                                                				_v8 = 0;
                                                				_v20 = 0;
                                                				_v16 = 0;
                                                				if(_t154 == 0 ||  *_t154 == 0) {
                                                					_a8 = 0x57;
                                                					_t97 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t97 - 0x6c3e0088;
                                                					if(_t97 == 0x6c3e0088) {
                                                						goto L46;
                                                					}
                                                					__eflags =  *(_t97 + 0x1c) & 0x00000001;
                                                					if(( *(_t97 + 0x1c) & 0x00000001) == 0) {
                                                						goto L46;
                                                					}
                                                					_t76 = _t97 + 0x14; // 0x0
                                                					_t77 = _t97 + 0x10; // 0x1
                                                					E6C3D5F11( *_t77,  *_t76, 0x26, 0x6c3d5ab8);
                                                					goto L35;
                                                				} else {
                                                					_t152 = RegOpenKeyExW(_a4, _t154, 0, 0xf003f,  &_v16);
                                                					_a8 = _t152;
                                                					if(_t152 == 0) {
                                                						_t109 = RegQueryInfoKeyW(_v16, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
                                                						__eflags = _t109;
                                                						_a8 = _t109;
                                                						if(_t109 == 0) {
                                                							_t110 = _v8;
                                                							__eflags = _v8;
                                                							if(_v8 != 0) {
                                                								_t147 = 4;
                                                								_t112 = E6C3C1967(_t154,  ~(0 | __eflags > 0x00000000) | _t110 * _t147);
                                                								__eflags = _t112;
                                                								_v12 = _t112;
                                                								if(_t112 != 0) {
                                                									_t153 = 0;
                                                									__eflags = _v8;
                                                									if(_v8 <= 0) {
                                                										L25:
                                                										_a8 = 0;
                                                										L35:
                                                										__eflags = _v12;
                                                										if(_v12 == 0) {
                                                											goto L46;
                                                										}
                                                										_t151 = 0;
                                                										__eflags = _v8;
                                                										if(_v8 <= 0) {
                                                											L45:
                                                											_push(_v12);
                                                											E6C3C4994();
                                                											goto L46;
                                                										} else {
                                                											goto L37;
                                                										}
                                                										do {
                                                											L37:
                                                											_t155 =  &(_v12[_t151]);
                                                											_t101 =  *_t155;
                                                											__eflags = _t101;
                                                											if(_t101 != 0) {
                                                												_t102 = RegDeleteValueW(_v16, _t101);
                                                												__eflags = _a8;
                                                												_a4 = _t102;
                                                												if(_a8 != 0) {
                                                													_t103 =  *0x6c3e0088; // 0x6c3e0088
                                                													__eflags = _t103 - 0x6c3e0088;
                                                													if(_t103 != 0x6c3e0088) {
                                                														__eflags =  *(_t103 + 0x1c) & 0x00000002;
                                                														if(( *(_t103 + 0x1c) & 0x00000002) != 0) {
                                                															_t90 = _t103 + 0x14; // 0x0
                                                															_t91 = _t103 + 0x10; // 0x1
                                                															E6C3D77B8( *_t91,  *_t90, 0x2d, 0x6c3d5ab8,  *_t155, _a8);
                                                														}
                                                													}
                                                													_a8 = _a4;
                                                												}
                                                												_push( *_t155);
                                                												E6C3C4994();
                                                												 *_t155 = 0;
                                                											}
                                                											_t151 = _t151 + 1;
                                                											__eflags = _t151 - _v8;
                                                										} while (_t151 < _v8);
                                                										goto L45;
                                                									}
                                                									while(1) {
                                                										_t149 = 2;
                                                										_v20 = 0x104;
                                                										_t115 = E6C3C1967(0x104,  ~(0 | __eflags > 0x00000000) | 0x00000104 * _t149);
                                                										__eflags = _t115;
                                                										_t144 = _v12 + _t153 * 4;
                                                										 *_t144 = _t115;
                                                										if(_t115 == 0) {
                                                											break;
                                                										}
                                                										 *_t115 = 0;
                                                										_t119 = RegEnumValueW(_v16, _t153,  *_t144,  &_v20, 0, 0, 0, 0);
                                                										__eflags = _t119;
                                                										_a8 = _t119;
                                                										if(_t119 != 0) {
                                                											_t120 =  *0x6c3e0088; // 0x6c3e0088
                                                											__eflags = _t120 - 0x6c3e0088;
                                                											if(_t120 != 0x6c3e0088) {
                                                												__eflags =  *(_t120 + 0x1c) & 0x00000001;
                                                												if(( *(_t120 + 0x1c) & 0x00000001) != 0) {
                                                													_t70 = _t120 + 0x14; // 0x0
                                                													_t71 = _t120 + 0x10; // 0x1
                                                													E6C3D99F8( *_t71,  *_t70, 0x2c, 0x6c3d5ab8, _a8);
                                                												}
                                                											}
                                                											goto L35;
                                                										}
                                                										_t153 = _t153 + 1;
                                                										__eflags = _t153 - _v8;
                                                										if(_t153 < _v8) {
                                                											continue;
                                                										}
                                                										goto L25;
                                                									}
                                                									_a8 = 0xe;
                                                									_t116 =  *0x6c3e0088; // 0x6c3e0088
                                                									__eflags = _t116 - 0x6c3e0088;
                                                									if(_t116 != 0x6c3e0088) {
                                                										__eflags =  *(_t116 + 0x1c) & 0x00000001;
                                                										if(( *(_t116 + 0x1c) & 0x00000001) != 0) {
                                                											_t64 = _t116 + 0x14; // 0x0
                                                											_t65 = _t116 + 0x10; // 0x1
                                                											E6C3D782C( *_t65,  *_t64, 0x2b, 0x6c3d5ab8, 0x208, _t153);
                                                										}
                                                									}
                                                									goto L35;
                                                								}
                                                								_a8 = 0xe;
                                                								_t122 =  *0x6c3e0088; // 0x6c3e0088
                                                								__eflags = _t122 - 0x6c3e0088;
                                                								if(_t122 != 0x6c3e0088) {
                                                									__eflags =  *(_t122 + 0x1c) & 0x00000001;
                                                									if(( *(_t122 + 0x1c) & 0x00000001) != 0) {
                                                										_t42 = _t122 + 0x14; // 0x0
                                                										_t43 = _t122 + 0x10; // 0x1
                                                										E6C3D99F8( *_t43,  *_t42, 0x2a, 0x6c3d5ab8, _v8 << 2);
                                                									}
                                                								}
                                                								goto L35;
                                                							} else {
                                                								_t124 =  *0x6c3e0088; // 0x6c3e0088
                                                								__eflags = _t124 - 0x6c3e0088;
                                                								if(_t124 != 0x6c3e0088) {
                                                									__eflags =  *(_t124 + 0x1c) & 0x00000004;
                                                									if(( *(_t124 + 0x1c) & 0x00000004) != 0) {
                                                										_t28 = _t124 + 0x14; // 0x0
                                                										_t29 = _t124 + 0x10; // 0x1
                                                										E6C3D5F11( *_t29,  *_t28, 0x29, 0x6c3d5ab8);
                                                									}
                                                								}
                                                								goto L7;
                                                							}
                                                						} else {
                                                							_t126 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t126 - 0x6c3e0088;
                                                							if(_t126 != 0x6c3e0088) {
                                                								__eflags =  *(_t126 + 0x1c) & 0x00000001;
                                                								if(( *(_t126 + 0x1c) & 0x00000001) != 0) {
                                                									_t22 = _t126 + 0x14; // 0x0
                                                									_t23 = _t126 + 0x10; // 0x1
                                                									E6C3D99F8( *_t23,  *_t22, 0x28, 0x6c3d5ab8, _a8);
                                                								}
                                                							}
                                                							goto L46;
                                                						}
                                                					} else {
                                                						_t128 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t128 != 0x6c3e0088 && ( *(_t128 + 0x1c) & 0x00000004) != 0) {
                                                							_t12 = _t128 + 0x14; // 0x0
                                                							_t13 = _t128 + 0x10; // 0x1
                                                							E6C3D77B8( *_t13,  *_t12, 0x27, 0x6c3d5ab8, _t154, _t152);
                                                						}
                                                						if(_t152 != 2) {
                                                							L46:
                                                							return _a8;
                                                						}
                                                						L7:
                                                						_a8 = 0;
                                                						goto L46;
                                                					}
                                                				}
                                                			}


                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,000F003F,?,Software\Microsoft\SQMClient\Windows,80000002,CabSessionAfterSize), ref: 6C3D7AE6
                                                • RegEnumValueW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 6C3D7C4C
                                                • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C3D7B3D
                                                  • Part of subcall function 6C3D77B8: EtwTraceMessage.NTDLL ref: 6C3D781A
                                                  • Part of subcall function 6C3C1967: malloc.MSVCRT(?,6C3E0554), ref: 6C3C1979
                                                • RegDeleteValueW.ADVAPI32(00000057,00000000,00000001,00000000,00000026,6C3D5AB8), ref: 6C3D7D12
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: Value$DeleteEnumInfoMessageOpenQueryTracemalloc
                                                • String ID: CabSessionAfterSize$Software\Microsoft\SQMClient\Windows$W
                                                • API String ID: 3944082161-4242814227
                                                • Opcode ID: 373e4f27b254ba0700e73d7ee6f794ec7fe8c19c1b92681a868a9f60b12a6207
                                                • Instruction ID: 79a6e410db5cfcc6a2610f61319217728610d2af509de4ec28c948843c604fc6
                                                • Opcode Fuzzy Hash: 373e4f27b254ba0700e73d7ee6f794ec7fe8c19c1b92681a868a9f60b12a6207
                                                • Instruction Fuzzy Hash: F281C272501248AFDB129F54D884EAD7BB9FF06348F2284A9F914AB9A4C732ED44DF10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 51%
                                                			E6C3C82AD(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                				signed int _v8;
                                                				void _v4406;
                                                				char _v4408;
                                                				int _v4412;
                                                				signed int _t80;
                                                				intOrPtr _t91;
                                                				intOrPtr _t92;
                                                				intOrPtr _t93;
                                                				intOrPtr _t98;
                                                				intOrPtr _t100;
                                                				intOrPtr _t104;
                                                				intOrPtr _t107;
                                                				intOrPtr _t110;
                                                				void* _t111;
                                                				long _t118;
                                                				void* _t119;
                                                				signed char _t120;
                                                				WCHAR**** _t126;
                                                				WCHAR** _t131;
                                                				signed int _t135;
                                                				void* _t138;
                                                				void* _t140;
                                                				void* _t141;
                                                				signed int _t145;
                                                
                                                				_t143 = _t145;
                                                				E6C3C45B4(0x1138);
                                                				_t80 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t80 ^ _t145;
                                                				_push(__ebx);
                                                				_push(__esi);
                                                				_push(__edi);
                                                				_t118 = 0;
                                                				_t140 = __ecx;
                                                				_v4412 = 0;
                                                				_v4408 = 0;
                                                				memset( &_v4406, 0, 0x112e);
                                                				while(1) {
                                                					EnterCriticalSection(_t140 + 0x30);
                                                					if( *((intOrPtr*)(_t140 + 0x18)) <= _t118) {
                                                						 *(_t140 + 0x2c) = _t118;
                                                					} else {
                                                						goto L2;
                                                					}
                                                					L4:
                                                					LeaveCriticalSection(_t140 + 0x30);
                                                					_t86 =  *(_t140 + 0x2c);
                                                					if( *(_t140 + 0x2c) == _t118) {
                                                						L16:
                                                						_pop(_t138);
                                                						_pop(_t141);
                                                						_pop(_t119);
                                                						return E6C3C171F(_v4412, _t119, _v8 ^ _t143, _t135, _t138, _t141);
                                                					} else {
                                                						if(E6C3C83E5( *_t86) == 0) {
                                                							L18:
                                                							E6C3CE3B3(_t140);
                                                							continue;
                                                						} else {
                                                							_t91 =  *((intOrPtr*)(_t140 + 0xc));
                                                							if(_t91 == _t118) {
                                                								goto L18;
                                                							} else {
                                                								_t120 =  *(_t91 + 8);
                                                								_t92 =  *((intOrPtr*)(_t91 + 0x18));
                                                								if((_t120 & 0x00000008) != 0) {
                                                									_t93 =  *0x6c3e0088; // 0x6c3e0088
                                                									__eflags = _t93 - 0x6c3e0088;
                                                									if(_t93 != 0x6c3e0088) {
                                                										__eflags =  *(_t93 + 0x1c) & 0x00000004;
                                                										if(( *(_t93 + 0x1c) & 0x00000004) != 0) {
                                                											_t36 = _t93 + 0x14; // 0x0
                                                											_t37 = _t93 + 0x10; // 0x1
                                                											E6C3D774A( *_t37,  *_t36, 0x23, 0x6c3c7af4,  *( *(_t140 + 0x2c)));
                                                										}
                                                									}
                                                									DeleteFileW( *( *(_t140 + 0x2c)));
                                                									goto L46;
                                                								} else {
                                                									if( *((intOrPtr*)(_t140 + 0x68)) != 0) {
                                                										__eflags = E6C3D7F9B(_t135, _t92,  &_v4408, 0x898);
                                                										if(__eflags != 0) {
                                                											goto L9;
                                                										} else {
                                                											_t107 =  *0x6c3e0088; // 0x6c3e0088
                                                											__eflags = _t107 - 0x6c3e0088;
                                                											if(__eflags != 0) {
                                                												__eflags =  *(_t107 + 0x1c) & 0x00000004;
                                                												if(__eflags != 0) {
                                                													_t45 = _t107 + 0x14; // 0x0
                                                													_t46 = _t107 + 0x10; // 0x1
                                                													E6C3D877C( *_t46,  *_t45, 0x24, 0x6c3c7af4,  *( *(_t140 + 0x2c)),  &_v4408);
                                                												}
                                                											}
                                                											_push( &_v4408);
                                                											goto L14;
                                                										}
                                                									} else {
                                                										L9:
                                                										_t131 =  *(_t140 + 0x2c);
                                                										_t135 = _t131[2];
                                                										if((_t120 & 0x00000004) == 0) {
                                                											__eflags = _t135;
                                                											if(_t135 == 0) {
                                                												_t135 = _t131[1];
                                                												__eflags = _t135;
                                                												if(_t135 == 0) {
                                                													_t98 =  *0x6c3e0088; // 0x6c3e0088
                                                													__eflags = _t98 - 0x6c3e0088;
                                                													if(_t98 == 0x6c3e0088) {
                                                														goto L46;
                                                													} else {
                                                														__eflags =  *(_t98 + 0x1c) & 0x00000001;
                                                														if(( *(_t98 + 0x1c) & 0x00000001) == 0) {
                                                															goto L46;
                                                														} else {
                                                															_push( *_t131);
                                                															_push(0x6c3c7af4);
                                                															_push(0x29);
                                                															goto L45;
                                                														}
                                                													}
                                                												} else {
                                                													_t100 =  *0x6c3e0088; // 0x6c3e0088
                                                													__eflags = _t100 - 0x6c3e0088;
                                                													if(__eflags != 0) {
                                                														__eflags =  *(_t100 + 0x1c) & 0x00000004;
                                                														if(__eflags != 0) {
                                                															_t60 = _t100 + 0x14; // 0x0
                                                															_t61 = _t100 + 0x10; // 0x1
                                                															E6C3D877C( *_t61,  *_t60, 0x28, 0x6c3c7af4,  *_t131, _t135);
                                                														}
                                                													}
                                                													_push(( *(_t140 + 0x2c))[1]);
                                                													goto L14;
                                                												}
                                                											} else {
                                                												_t104 =  *0x6c3e0088; // 0x6c3e0088
                                                												__eflags = _t104 - 0x6c3e0088;
                                                												if(__eflags == 0) {
                                                													goto L13;
                                                												} else {
                                                													__eflags =  *(_t104 + 0x1c) & 0x00000004;
                                                													if(__eflags == 0) {
                                                														goto L13;
                                                													} else {
                                                														_push(_t135);
                                                														_push( *_t131);
                                                														_push(0x6c3c7af4);
                                                														_push(0x27);
                                                														goto L36;
                                                													}
                                                												}
                                                												goto L15;
                                                											}
                                                										} else {
                                                											if(_t135 == 0) {
                                                												_t98 =  *0x6c3e0088; // 0x6c3e0088
                                                												__eflags = _t98 - 0x6c3e0088;
                                                												if(_t98 == 0x6c3e0088) {
                                                													goto L46;
                                                												} else {
                                                													__eflags =  *(_t98 + 0x1c) & 0x00000001;
                                                													if(( *(_t98 + 0x1c) & 0x00000001) == 0) {
                                                														goto L46;
                                                													} else {
                                                														_push( *_t131);
                                                														_push(0x6c3c7af4);
                                                														_push(0x26);
                                                														L45:
                                                														_t67 = _t98 + 0x14; // 0x0
                                                														_push( *_t67);
                                                														_t68 = _t98 + 0x10; // 0x1
                                                														_push( *_t68);
                                                														E6C3D774A();
                                                														goto L15;
                                                													}
                                                												}
                                                											} else {
                                                												_t104 =  *0x6c3e0088; // 0x6c3e0088
                                                												if(_t104 != 0x6c3e0088) {
                                                													_t159 =  *(_t104 + 0x1c) & 0x00000004;
                                                													if(( *(_t104 + 0x1c) & 0x00000004) != 0) {
                                                														_push(_t135);
                                                														_push( *_t131);
                                                														_push(0x6c3c7af4);
                                                														_push(0x25);
                                                														L36:
                                                														_t54 = _t104 + 0x14; // 0x0
                                                														_push( *_t54);
                                                														_t55 = _t104 + 0x10; // 0x1
                                                														_push( *_t55);
                                                														E6C3D877C();
                                                													}
                                                												}
                                                												L13:
                                                												_push(( *(_t140 + 0x2c))[2]);
                                                												L14:
                                                												_v4412 = E6C3C62BF(_t140, _t159);
                                                												L15:
                                                												if(_v4412 == 0) {
                                                													L46:
                                                													_t118 = 0;
                                                													goto L18;
                                                												} else {
                                                													goto L16;
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                					L54:
                                                					L2:
                                                					_t126 = _t140 + 0x14;
                                                					_push(_t118);
                                                					if(_t126[1] <= _t118) {
                                                						RaiseException(0xc000008c, 1, _t118, ??);
                                                						_t110 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t110 - 0x6c3e0088;
                                                						if(_t110 != 0x6c3e0088) {
                                                							__eflags =  *(_t110 + 0x1c) & 0x00000001;
                                                							if(( *(_t110 + 0x1c) & 0x00000001) != 0) {
                                                								_t72 = _t110 + 0x14; // 0x0
                                                								_t73 = _t110 + 0x10; // 0x1
                                                								E6C3D5F11( *_t73,  *_t72, 0x21, 0x6c3c7af4);
                                                							}
                                                						}
                                                						 *((intOrPtr*)(_t140 + 4)) = 0x6c3c7af4;
                                                						_t111 = E6C3D8C1F(_t140 + 0x20);
                                                						_t128 =  *((intOrPtr*)(_t140 + 0x60));
                                                						__eflags =  *((intOrPtr*)(_t140 + 0x60)) - 0x6c3c7af4;
                                                						if(__eflags != 0) {
                                                							_t111 = E6C3D8932(_t128, __eflags, 1);
                                                							 *((intOrPtr*)(_t140 + 0x60)) = 0x6c3c7af4;
                                                						}
                                                						return E6C3C4821(_t111);
                                                					} else {
                                                						 *(_t140 + 0x2c) =  *( *_t126);
                                                						E6C3C7C62(_t126);
                                                						goto L4;
                                                					}
                                                					goto L54;
                                                				}
                                                			}


                                                APIs
                                                • memset.MSVCRT ref: 6C3C82E7
                                                • EnterCriticalSection.KERNEL32(?), ref: 6C3C82F8
                                                • LeaveCriticalSection.KERNEL32(?), ref: 6C3C8324
                                                • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 6C3D0D27
                                                • ctype.LIBCPMT ref: 6C3D0D8E
                                                  • Part of subcall function 6C3C7C62: memmove.MSVCRT ref: 6C3C7C93
                                                  • Part of subcall function 6C3CE3B3: EnterCriticalSection.KERNEL32(?,?,00000000,6C3C83DB,?), ref: 6C3CE3BD
                                                  • Part of subcall function 6C3CE3B3: ctype.LIBCPMT ref: 6C3CE3CC
                                                  • Part of subcall function 6C3CE3B3: LeaveCriticalSection.KERNEL32(?,?,00000000,6C3C83DB,?), ref: 6C3CE3EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CriticalSection$EnterLeavectype$ExceptionRaisememmovememset
                                                • String ID: Fm*
                                                • API String ID: 1998214256-3000852143
                                                • Opcode ID: db9c7c12988562f9705459cce9e9c3b20e7e822d778a2df0148c1579767fd68a
                                                • Instruction ID: 2b5ebc8605355463acd4f80eb7b80119b53c47372c9a34f8e33ea75936fe4a0c
                                                • Opcode Fuzzy Hash: db9c7c12988562f9705459cce9e9c3b20e7e822d778a2df0148c1579767fd68a
                                                • Instruction Fuzzy Hash: CB81AF352002809FCB54DF54C884EDA3BB5FF49708F21449AE6558BAA0CB32FD48DF62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7AAB81
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77C5D4: __EH_prolog3.LIBCMT ref: 6C77C5DB
                                                  • Part of subcall function 6C77C5D4: GetLastError.KERNEL32 ref: 6C77C609
                                                  • Part of subcall function 6C7B1236: __EH_prolog3.LIBCMT ref: 6C7B123D
                                                  • Part of subcall function 6C7776AC: __EH_prolog3.LIBCMT ref: 6C7776B3
                                                  • Part of subcall function 6C7776AC: GetModuleFileNameW.KERNEL32(00000000,00000010,00000104), ref: 6C777711
                                                  • Part of subcall function 6C7776AC: GetFileVersionInfoSizeW.KERNELBASE(00000010,?), ref: 6C77772A
                                                  • Part of subcall function 6C7776AC: GetFileVersionInfoW.KERNELBASE(00000010,?,00000000,00000000), ref: 6C777745
                                                  • Part of subcall function 6C7776AC: VerQueryValueW.VERSION(00000000,6C75496C,?,?), ref: 6C77775D
                                                  • Part of subcall function 6C7B07E4: __EH_prolog3.LIBCMT ref: 6C7B07EB
                                                  • Part of subcall function 6C7B07E4: GetLastError.KERNEL32 ref: 6C7B0809
                                                  • Part of subcall function 6C7B113C: __EH_prolog3.LIBCMT ref: 6C7B1143
                                                  • Part of subcall function 6C7AAF10: __EH_prolog3.LIBCMT ref: 6C7AAF17
                                                  • Part of subcall function 6C777F33: __EH_prolog3.LIBCMT ref: 6C777F3A
                                                  • Part of subcall function 6C7B0527: __EH_prolog3.LIBCMT ref: 6C7B052E
                                                  • Part of subcall function 6C7B0527: GetLastError.KERNEL32 ref: 6C7B054C
                                                Strings
                                                • Failed to record PackageName, xrefs: 6C7AABBF
                                                • Failed to record CurrentFlag, xrefs: 6C7AACF9
                                                • Failed to record Package Version, xrefs: 6C7AAC25
                                                • Failed to record Application Version, xrefs: 6C7AAC80
                                                • Failed to record msi error message, xrefs: 6C7AAD4F
                                                • Failed to record Current Item Step, xrefs: 6C7AADA6
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$ErrorFileLast$InfoVersion$ModuleNameQuerySizeValue
                                                • String ID: Failed to record Application Version$Failed to record Current Item Step$Failed to record CurrentFlag$Failed to record Package Version$Failed to record PackageName$Failed to record msi error message
                                                • API String ID: 1277668817-952374492
                                                • Opcode ID: ee7676cf370cf1c130b991a3e252227412240b1f366a1e22c0ba2b1256a4dbcb
                                                • Instruction ID: fb10756b2690bb0c51ed595e353c367e49aee9a155b986eb5e88d691e7d4c623
                                                • Opcode Fuzzy Hash: ee7676cf370cf1c130b991a3e252227412240b1f366a1e22c0ba2b1256a4dbcb
                                                • Instruction Fuzzy Hash: 69712272600649AFDB10DBE8CF4CAEE77B9BF45318F144659E520A7B84CB709A09CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C792AF1
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                  • Part of subcall function 6C778415: __EH_prolog3.LIBCMT ref: 6C77841C
                                                  • Part of subcall function 6C77A378: __EH_prolog3.LIBCMT ref: 6C77A37F
                                                • __CxxThrowException@8.LIBCMT ref: 6C792CD8
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
                                                • String ID: Dll$Name$ParameterInfo.xml$Version$schema validation failure: wrong number of UI child nodes!
                                                • API String ID: 3417717588-3832895198
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7869BE
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Strings
                                                • Name, xrefs: 6C7869CA
                                                • ParameterInfo.xml, xrefs: 6C786B32
                                                • InstalledProductSize, xrefs: 6C786A7D
                                                • schema validation failure: Sum of SystemDriveSize and InstalledProductSize must be less than or equal to MaxULONGLONG., xrefs: 6C786B24
                                                • SystemDriveSize, xrefs: 6C786A2C
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: InstalledProductSize$Name$ParameterInfo.xml$SystemDriveSize$schema validation failure: Sum of SystemDriveSize and InstalledProductSize must be less than or equal to MaxULONGLONG.
                                                • API String ID: 431132790-3576396425
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7838A8
                                                  • Part of subcall function 6C778D44: __EH_prolog3.LIBCMT ref: 6C778D4B
                                                  • Part of subcall function 6C783480: __EH_prolog3.LIBCMT ref: 6C783487
                                                Strings
                                                • schema validation failure: More than 1 CustomError Mapping block defined., xrefs: 6C7838D1
                                                • The mapping element defined: , xrefs: 6C783951
                                                • Create CustomErrorMappingBase object, xrefs: 6C783A51
                                                • ParameterInfo.xml, xrefs: 6C7838E3
                                                • Create CustomErrorRetry object, xrefs: 6C78399C
                                                • Retry, xrefs: 6C783983, 6C7839B9
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: Create CustomErrorMappingBase object$Create CustomErrorRetry object$ParameterInfo.xml$Retry$The mapping element defined: $schema validation failure: More than 1 CustomError Mapping block defined.
                                                • API String ID: 431132790-1753673958
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C775A29
                                                • #8.MSI(?,?,?,?,` WHERE ,?,00000000,?,` FROM `,?,SELECT `,00000014,6C776D4B,?,?,?), ref: 6C775AF2
                                                • #8.MSI(00000000,?,?,6C7847C9,6C7AFA6E,?,6C7AFA6E,6C76A794,6C76A794,00000014,6C7B97FA,00000000,?,?,?,?), ref: 6C775B9C
                                                • #8.MSI(?,?,?,6C7847C9,6C7AFA6E,?,6C7AFA6E,6C76A794,6C76A794,00000014,6C7B97FA,00000000,?,?,?,?), ref: 6C775BB5
                                                Strings
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: SELECT `$` FROM `$` WHERE
                                                • API String ID: 431132790-1231751523
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B8C62
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • lstrlenW.KERNEL32(</MsiXmlBlob>,</MsiXmlBlob>,342C82DB,<MsiXmlBlob,?,?,00000008,6C7B80B1,?,?,00000000,6C7B52B8,00000002,-000000F4,?,00000002), ref: 6C7B8CCC
                                                • SysAllocString.OLEAUT32(?), ref: 6C7B8D1D
                                                • __EH_prolog3.LIBCMT ref: 6C7B8D43
                                                • #270.MSI(?,00000000,00000007,00000007,00000000,00000010,00000000,00000000,00000000,00000000), ref: 6C7B8D91
                                                Strings
                                                Similarity
                                                • API ID: H_prolog3$#270AllocStringlstrlen
                                                • String ID: </MsiXmlBlob>$<MsiXmlBlob
                                                • API String ID: 2868861991-3177253548
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C786E2F
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A8608: __wcsicoll.LIBCMT ref: 6C7A8626
                                                • __CxxThrowException@8.LIBCMT ref: 6C786F68
                                                Strings
                                                • false, xrefs: 6C786E95
                                                • schema validation failure: invalid IgnoreDownloadFailure attribute value, xrefs: 6C786EDB
                                                • true, xrefs: 6C786E83
                                                • ParameterInfo.xml, xrefs: 6C786EE9
                                                • IgnoreDownloadFailure, xrefs: 6C786E38
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw__wcsicoll
                                                • String ID: IgnoreDownloadFailure$ParameterInfo.xml$false$schema validation failure: invalid IgnoreDownloadFailure attribute value$true
                                                • API String ID: 3031948457-1650268905
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • *?\, xrefs: 6C787B34
                                                • LogFileHint [%s] is invalid. First character must not be '*', '?' or '\'., xrefs: 6C787B69
                                                • LogFileHint [%s] is invalid. Too few characters passed in., xrefs: 6C787B11
                                                • LogFileHint [%s] is invalid. Log File hint extension is required., xrefs: 6C787BE7
                                                Similarity
                                                • API ID: H_prolog3_wcspbrk_wcsrchr
                                                • String ID: *?\$LogFileHint [%s] is invalid. First character must not be '*', '?' or '\'.$LogFileHint [%s] is invalid. Log File hint extension is required.$LogFileHint [%s] is invalid. Too few characters passed in.
                                                • API String ID: 2981567969-3369350866
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: Exception@8H_prolog3Throw
                                                • String ID: Bad product drive hint type!$ComponentHint$No product drive hints found!$ParameterInfo.xml$RegKeyHint
                                                • API String ID: 3670251406-217397854
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7C5F14
                                                • GetProcAddress.KERNEL32(00000006,GetProcessImageFileNameW), ref: 6C7C5F24
                                                • GetLastError.KERNEL32 ref: 6C7C5F32
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A8380: __EH_prolog3.LIBCMT ref: 6C7A8387
                                                  • Part of subcall function 6C7A8C24: __EH_prolog3.LIBCMT ref: 6C7A8C2B
                                                  • Part of subcall function 6C7AFF21: _wcsnlen.LIBCMT ref: 6C7AFF54
                                                  • Part of subcall function 6C7AFF21: _memcpy_s.LIBCMT ref: 6C7AFF8A
                                                  • Part of subcall function 6C7787EC: __EH_prolog3.LIBCMT ref: 6C7787F3
                                                • __CxxThrowException@8.LIBCMT ref: 6C7C5FE9
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                Strings
                                                Similarity
                                                • API ID: H_prolog3$AddressDispatcherErrorExceptionException@8LastProcThrowUser_memcpy_s_wcsnlen
                                                • String ID: in $GetProcAddress looking for $GetProcessImageFileNameW
                                                • API String ID: 3164256213-2471920563
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(00000000,STATIC,00000000,0000000E,80000000,80000000,00000000,00000000,00000000,00000000,00000000), ref: 6C798F00
                                                  • Part of subcall function 6C7C8244: GetWindowLongW.USER32(?,000000F0), ref: 6C7C826A
                                                  • Part of subcall function 6C7C8244: GetParent.USER32(?), ref: 6C7C827C
                                                  • Part of subcall function 6C7C8244: GetWindowRect.USER32(?,?), ref: 6C7C8296
                                                  • Part of subcall function 6C7C8244: GetWindowLongW.USER32(00000000,000000F0), ref: 6C7C82AC
                                                  • Part of subcall function 6C7C8244: MonitorFromWindow.USER32(?,00000002), ref: 6C7C82CB
                                                • GetWindowLongW.USER32(?,000000F0), ref: 6C798F15
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 6C798F25
                                                • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00000010), ref: 6C798F32
                                                  • Part of subcall function 6C7ABC49: SendMessageW.USER32(?,00000172,00000000,?), ref: 6C7ABC5A
                                                • GetDesktopWindow.USER32 ref: 6C798F44
                                                  • Part of subcall function 6C7C8244: GetWindow.USER32(?,00000004), ref: 6C7C8288
                                                  • Part of subcall function 6C7C8244: GetMonitorInfoW.USER32(00000000,?), ref: 6C7C82E8
                                                  • Part of subcall function 6C7C8244: SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 6C7C83B8
                                                • ShowWindow.USER32(?,00000001), ref: 6C798F57
                                                Strings
                                                Similarity
                                                • API ID: Window$Long$Monitor$CreateDesktopFromImageInfoLoadMessageParentRectSendShow
                                                • String ID: STATIC
                                                • API String ID: 4041997823-1882779555
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E6C3C443B(void* __ecx) {
                                                				char _v8;
                                                				intOrPtr _t14;
                                                				long _t16;
                                                				intOrPtr _t17;
                                                				_Unknown_base(*)()* _t19;
                                                				intOrPtr _t20;
                                                				long _t22;
                                                				intOrPtr _t23;
                                                				void* _t30;
                                                				struct HINSTANCE__* _t33;
                                                
                                                				_t30 = 1;
                                                				_v8 = 3;
                                                				_t33 = LoadLibraryW(L"SensApi.dll");
                                                				if(_t33 == 0) {
                                                					_t14 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t14 != 0x6c3e0088 && ( *(_t14 + 0x1c) & 0x00000001) != 0) {
                                                						_t16 = GetLastError();
                                                						_t17 =  *0x6c3e0088; // 0x6c3e0088
                                                						_t6 = _t17 + 0x14; // 0x0
                                                						_t7 = _t17 + 0x10; // 0x1
                                                						E6C3D99F8( *_t7,  *_t6, 0x4d, 0x6c3d5ab8, _t16);
                                                					}
                                                				} else {
                                                					_t19 = GetProcAddress(_t33, "IsNetworkAlive");
                                                					if(_t19 == 0) {
                                                						_t20 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t20 != 0x6c3e0088 && ( *(_t20 + 0x1c) & 0x00000001) != 0) {
                                                							_t22 = GetLastError();
                                                							_t23 =  *0x6c3e0088; // 0x6c3e0088
                                                							_t11 = _t23 + 0x14; // 0x0
                                                							_t12 = _t23 + 0x10; // 0x1
                                                							E6C3D99F8( *_t12,  *_t11, 0x4e, 0x6c3d5ab8, _t22);
                                                						}
                                                					} else {
                                                						_t30 =  *_t19( &_v8);
                                                					}
                                                					FreeLibrary(_t33);
                                                				}
                                                				return _t30;
                                                			}

                                                APIs
                                                • LoadLibraryW.KERNEL32(SensApi.dll,00000000,?), ref: 6C3C4452
                                                • GetProcAddress.KERNEL32(00000000,IsNetworkAlive), ref: 6C3C4468
                                                • FreeLibrary.KERNEL32(00000000), ref: 6C3C447F
                                                • GetLastError.KERNEL32 ref: 6C3CF8D5
                                                • GetLastError.KERNEL32 ref: 6C3CF912
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLastLibrary$AddressFreeLoadProc
                                                • String ID: IsNetworkAlive$SensApi.dll
                                                • API String ID: 1529210728-555838347
                                                • Opcode ID: 69395bdb6cd3036d3abce6c5df0afd45bd4381e4dd09344f94dcc19e27799b32
                                                • Instruction ID: 6930af5b59c13f5e854cd6d2f13cddde8febf75d5cfc6a63456e2eed6b74b1e3
                                                • Opcode Fuzzy Hash: 69395bdb6cd3036d3abce6c5df0afd45bd4381e4dd09344f94dcc19e27799b32
                                                • Instruction Fuzzy Hash: B311A032341250AFDB91DF95CD88FDD3ABDBB49258B210040F915C6951CB39DD45EFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E6C3C2724(intOrPtr _a4, intOrPtr _a8) {
                                                				intOrPtr _t14;
                                                				long _t16;
                                                				intOrPtr _t17;
                                                				_Unknown_base(*)()* _t19;
                                                				intOrPtr _t20;
                                                				long _t22;
                                                				intOrPtr _t23;
                                                				void* _t26;
                                                				struct HINSTANCE__* _t27;
                                                
                                                				_t26 = 0;
                                                				_t27 = LoadLibraryW(L"kernel32.dll");
                                                				if(_t27 == 0) {
                                                					_t14 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t14 != 0x6c3e0088 && ( *(_t14 + 0x1c) & 0x00000001) != 0) {
                                                						_t16 = GetLastError();
                                                						_t17 =  *0x6c3e0088; // 0x6c3e0088
                                                						_t6 = _t17 + 0x14; // 0x0
                                                						_t7 = _t17 + 0x10; // 0x1
                                                						E6C3D99F8( *_t7,  *_t6, 0x51, 0x6c3d5ab8, _t16);
                                                					}
                                                				} else {
                                                					_t19 = GetProcAddress(_t27, "IsWow64Process");
                                                					if(_t19 == 0) {
                                                						_t20 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t20 != 0x6c3e0088 && ( *(_t20 + 0x1c) & 0x00000002) != 0) {
                                                							_t22 = GetLastError();
                                                							_t23 =  *0x6c3e0088; // 0x6c3e0088
                                                							_t11 = _t23 + 0x14; // 0x0
                                                							_t12 = _t23 + 0x10; // 0x1
                                                							E6C3D99F8( *_t12,  *_t11, 0x52, 0x6c3d5ab8, _t22);
                                                						}
                                                					} else {
                                                						_t26 =  *_t19(_a4, _a8);
                                                					}
                                                					FreeLibrary(_t27);
                                                				}
                                                				return _t26;
                                                			}

                                                APIs
                                                • LoadLibraryW.KERNEL32(kernel32.dll,00000000,6C3E0180,?,6C3C270F,00000000,?,6C3C26C6,?,?,6C3C19CB,Microsoft\Windows\SoftwareQualityMetricsClient,6C3E0180,00000000,?,6C3C1C30), ref: 6C3C2732
                                                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6C3C2748
                                                • FreeLibrary.KERNEL32(00000000,?,6C3C270F,00000000,?,6C3C26C6,?,?,6C3C19CB,Microsoft\Windows\SoftwareQualityMetricsClient,6C3E0180,00000000,?,6C3C1C30,?,?), ref: 6C3C2761
                                                • GetLastError.KERNEL32(?,6C3C270F,00000000,?,6C3C26C6,?,?,6C3C19CB,Microsoft\Windows\SoftwareQualityMetricsClient,6C3E0180,00000000,?,6C3C1C30,?,?,?), ref: 6C3CF9D0
                                                • GetLastError.KERNEL32(?,6C3C270F,00000000,?,6C3C26C6,?,?,6C3C19CB,Microsoft\Windows\SoftwareQualityMetricsClient,6C3E0180,00000000,?,6C3C1C30,?,?,?), ref: 6C3CFA0D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLastLibrary$AddressFreeLoadProc
                                                • String ID: IsWow64Process$kernel32.dll
                                                • API String ID: 1529210728-3024904723
                                                • Opcode ID: d6315090c0b5938c3ef3bd61eaa67018448ac944a54a8ee0383fd8de0a1c332c
                                                • Instruction ID: eb8205fbf527abdab7a57fe928e9a133a8c7ade0866fd85b705d6b07a3988871
                                                • Opcode Fuzzy Hash: d6315090c0b5938c3ef3bd61eaa67018448ac944a54a8ee0383fd8de0a1c332c
                                                • Instruction Fuzzy Hash: B511E1323012406BCB929E55CECCECE3B79FB4A348B110051FA14CA962CF36DD54AFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C774CB9
                                                  • Part of subcall function 6C7A8380: __EH_prolog3.LIBCMT ref: 6C7A8387
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: Creating Layout$Error$Installing$Repairing$Uninstalling$Uninstalling Patch
                                                • API String ID: 431132790-1745000867
                                                • Opcode ID: b03ce291fa0e977f6cb08fec248ee15340e0abb4fea9b19de6324503b9a50eee
                                                • Instruction ID: 3ebaa2d375763cc9ac82674417ced1fa3d6083999038bf5206608440231ac392
                                                • Opcode Fuzzy Hash: b03ce291fa0e977f6cb08fec248ee15340e0abb4fea9b19de6324503b9a50eee
                                                • Instruction Fuzzy Hash: 7CF0C83168420EB7EF218A148F1AB6C7130A71471AF624C01E654ABED1CBB59624BA25
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6C3C247C() {
                                                				struct HINSTANCE__* _t1;
                                                				signed int _t2;
                                                				_Unknown_base(*)()* _t4;
                                                				struct HINSTANCE__* _t5;
                                                
                                                				_t1 = LoadLibraryW(L"advapi32");
                                                				_t5 = _t1;
                                                				if(_t5 == 0) {
                                                					 *0x6c3e0098 =  *0x6c3e0098 & 0x00000000;
                                                					 *0x6c3e0080 = E6C3D5EC1;
                                                					 *0x6c3e0084 = E6C3D5DAA;
                                                					return _t1;
                                                				} else {
                                                					_t2 = GetProcAddress(_t5, "TraceMessage");
                                                					 *0x6c3e0080 = _t2;
                                                					if(_t2 == 0) {
                                                						 *0x6c3e0098 =  *0x6c3e0098 & _t2;
                                                						 *0x6c3e0080 = E6C3D5EC1;
                                                						goto L5;
                                                					} else {
                                                						 *0x6c3e0098 = 1;
                                                						_t4 = GetProcAddress(_t5, "TraceMessageVa");
                                                						 *0x6c3e0084 = _t4;
                                                						if(_t4 == 0) {
                                                							L5:
                                                							 *0x6c3e0084 = E6C3D5DAA;
                                                						}
                                                					}
                                                					return FreeLibrary(_t5);
                                                				}
                                                			}

                                                APIs
                                                • LoadLibraryW.KERNEL32(advapi32,?,6C3C19A1,00000000,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3C2484
                                                • GetProcAddress.KERNEL32(00000000,TraceMessage), ref: 6C3C24A1
                                                • GetProcAddress.KERNEL32(00000000,TraceMessageVa), ref: 6C3C24C0
                                                • FreeLibrary.KERNEL32(00000000,?,6C3C19A1,00000000,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3C24D0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: AddressLibraryProc$FreeLoad
                                                • String ID: TraceMessage$TraceMessageVa$advapi32
                                                • API String ID: 2256533930-3542275927
                                                • Opcode ID: d9db0f0ddc46f4b850a98edf26041ec28778fbf8067b3ea0bc5754dd87affe6c
                                                • Instruction ID: 0ef37b0d280164421e90af2f069754dd4e35f21a41d7a46f941038730e9dcef3
                                                • Opcode Fuzzy Hash: d9db0f0ddc46f4b850a98edf26041ec28778fbf8067b3ea0bc5754dd87affe6c
                                                • Instruction Fuzzy Hash: D1F036B37013419BCBD09F6899897DA3B7CF78A754B110117E504C2A05CB399C41BF71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 27%
                                                			E6C3D853A(signed int __ecx, void* __edx) {
                                                				signed int _v8;
                                                				void _v526;
                                                				char _v528;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t25;
                                                				signed int _t30;
                                                				signed int _t32;
                                                				intOrPtr _t38;
                                                				signed int _t42;
                                                				signed int _t43;
                                                				signed int _t46;
                                                				intOrPtr _t49;
                                                				void* _t50;
                                                				signed int _t53;
                                                
                                                				_t50 = __edx;
                                                				_t43 = __ecx;
                                                				_t25 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t25 ^ _t53;
                                                				_v528 = 0;
                                                				memset( &_v526, 0, 0x206);
                                                				_t42 = 0;
                                                				_t30 = E6C3D8316(_t43, L"Microsoft\\Windows\\Sqm\\Sessions",  &_v528, 0, 0);
                                                				if(_t30 < 0) {
                                                					_t43 = _t30 & 0x1000ffff;
                                                					if(_t43 == 3) {
                                                						goto L9;
                                                					} else {
                                                						_t42 = _t43;
                                                						_t49 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t49 != 0x6c3e0088 && ( *(_t49 + 0x1c) & 0x00000001) != 0) {
                                                							_push(_t30);
                                                							_push(0x6c3d5ab8);
                                                							_push(0x65);
                                                							goto L19;
                                                						}
                                                					}
                                                				} else {
                                                					_t42 = E6C3D8097(_t50,  &_v528, L"*.psqm");
                                                					if(_t42 == 0) {
                                                						L9:
                                                						_t32 = E6C3D8316(_t43, L"Microsoft\\Windows\\Sqm\\Upload",  &_v528, 0, 0);
                                                						if(_t32 < 0) {
                                                							_t46 = _t32 & 0x1000ffff;
                                                							if(_t46 != 3) {
                                                								_t42 = _t46;
                                                								_t49 =  *0x6c3e0088; // 0x6c3e0088
                                                								if(_t49 != 0x6c3e0088 && ( *(_t49 + 0x1c) & 0x00000001) != 0) {
                                                									_push(_t32);
                                                									_push(0x6c3d5ab8);
                                                									_push(0x67);
                                                									L19:
                                                									_t22 = _t49 + 0x14; // 0x0
                                                									_push( *_t22);
                                                									_t23 = _t49 + 0x10; // 0x1
                                                									_push( *_t23);
                                                									E6C3D99F8();
                                                								}
                                                							}
                                                						} else {
                                                							_t42 = E6C3D8097(_t50,  &_v528, L"*.sqm");
                                                							if(_t42 != 0) {
                                                								_t38 =  *0x6c3e0088; // 0x6c3e0088
                                                								if(_t38 != 0x6c3e0088 && ( *(_t38 + 0x1c) & 0x00000001) != 0) {
                                                									_push(_t42);
                                                									_push(0x6c3d5ab8);
                                                									_push(0x66);
                                                									goto L14;
                                                								}
                                                							}
                                                						}
                                                					} else {
                                                						_t38 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t38 != 0x6c3e0088 && ( *(_t38 + 0x1c) & 0x00000001) != 0) {
                                                							_push(_t42);
                                                							_push(0x6c3d5ab8);
                                                							_push(0x64);
                                                							L14:
                                                							_t17 = _t38 + 0x14; // 0x0
                                                							_push( *_t17);
                                                							_t18 = _t38 + 0x10; // 0x1
                                                							_push( *_t18);
                                                							E6C3D99F8();
                                                						}
                                                					}
                                                				}
                                                				return E6C3C171F(_t42, _t42, _v8 ^ _t53, _t50, 0, 0x1000ffff);
                                                			}




















                                                APIs
                                                • memset.MSVCRT ref: 6C3D8568
                                                  • Part of subcall function 6C3D8316: LocalFree.KERNEL32(?), ref: 6C3D8527
                                                  • Part of subcall function 6C3D8097: memset.MSVCRT ref: 6C3D80D6
                                                  • Part of subcall function 6C3D8097: memset.MSVCRT ref: 6C3D80EF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: memset$FreeLocal
                                                • String ID: *.psqm$*.sqm$CabSessionAfterSize$Fm*$Microsoft\Windows\Sqm\Sessions$Microsoft\Windows\Sqm\Upload$Software\Microsoft\SQMClient\Windows
                                                • API String ID: 1741899810-4113143861
                                                • Opcode ID: 7c607c23a08acfe600e773e667ce4d36cd09067fedf80b9d6136f4de8c2ef4d2
                                                • Instruction ID: 580e66483fc6b7dd0090fee80adba3c6136c3374da17eee0c354ce3ae2b5f849
                                                • Opcode Fuzzy Hash: 7c607c23a08acfe600e773e667ce4d36cd09067fedf80b9d6136f4de8c2ef4d2
                                                • Instruction Fuzzy Hash: 1C31667360024066CB01CA548CC4EE932A99B4520CF27189BF615DAE81C622FC498FA3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 93%
                                                			E6C3C7B37(void* __edx, intOrPtr _a4) {
                                                				signed int _v8;
                                                				void _v526;
                                                				char _v528;
                                                				signed int _v532;
                                                				char _v536;
                                                				char _v540;
                                                				intOrPtr _v544;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t28;
                                                				void* _t35;
                                                				void* _t37;
                                                				void* _t44;
                                                				intOrPtr _t52;
                                                				void* _t53;
                                                				signed int _t56;
                                                
                                                				_t53 = __edx;
                                                				_t28 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t28 ^ _t56;
                                                				_v544 = _a4;
                                                				_v532 = 0;
                                                				_v540 = 0;
                                                				_v536 = 0;
                                                				_v528 = 0;
                                                				memset( &_v526, 0, 0x206);
                                                				_t35 = E6C3C3E29(0x80000002, 0x80000002, L"Software\\Policies\\Microsoft\\SQMClient", L"MSFTInternal",  &_v540);
                                                				_t54 = L"Software\\Microsoft\\SQMClient";
                                                				if(_t35 != 0) {
                                                					_t37 = E6C3C3E29(0x80000002, 0x80000002, L"Software\\Microsoft\\SQMClient", L"MSFTInternal",  &_v540);
                                                					if(_t37 == 0) {
                                                						goto L1;
                                                					} else {
                                                						L3:
                                                						_t49 = L"IsTest";
                                                						if(E6C3C3E29(0x80000002, 0x80000002, _t54, L"IsTest",  &_v536) != 0) {
                                                							goto L12;
                                                						}
                                                						L4:
                                                						if(_v536 != 0) {
                                                							_v532 = _v532 | 0x00000010;
                                                						}
                                                						L6:
                                                						return E6C3C171F(_v532, _t49, _v8 ^ _t56, _t53, _t54, 0x80000002);
                                                					}
                                                					L12:
                                                					_push(_v544);
                                                					if(E6C3C18E5( &_v528, 0x104, L"%s\\%s", _t54) >= 0) {
                                                						_t44 = E6C3C3E29(0x80000002, 0x80000002,  &_v528, L"IsTest",  &_v536);
                                                						if(_t44 != 0) {
                                                							goto L6;
                                                						} else {
                                                							goto L4;
                                                						}
                                                					}
                                                					_t52 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t52 != 0x6c3e0088 && ( *(_t52 + 0x1c) & 0x00000001) != 0) {
                                                						_t24 = _t52 + 0x14; // 0x0
                                                						_t25 = _t52 + 0x10; // 0x1
                                                						E6C3D99F8( *_t25,  *_t24, 0x3f, 0x6c3d5ab8, _t41);
                                                					}
                                                					goto L6;
                                                				}
                                                				L1:
                                                				if(_v540 != 0) {
                                                					_v532 = 0x20;
                                                				}
                                                				goto L3;
                                                			}





















                                                APIs
                                                • memset.MSVCRT ref: 6C3C7B80
                                                  • Part of subcall function 6C3C3E29: RegOpenKeyExW.ADVAPI32(?,?,00000000,-00020018,00000000,80000002,CEIPEnable,00000002), ref: 6C3C3E94
                                                  • Part of subcall function 6C3C3E29: RegQueryValueExW.ADVAPI32(00000000,00000002,00000000,?,?,00000004), ref: 6C3C3EB0
                                                  • Part of subcall function 6C3C3E29: RegCloseKey.ADVAPI32(00000000), ref: 6C3C3ECE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValuememset
                                                • String ID: $%s\%s$Fm*$IsTest$MSFTInternal$Software\Microsoft\SQMClient$Software\Policies\Microsoft\SQMClient
                                                • API String ID: 1830152886-3343402634
                                                • Opcode ID: c57721f70084d3b6e0eae24d6a6a981a9f44e7486f7fd48a4b3247d286523d90
                                                • Instruction ID: a55454158cb0f2972cd4bb1212d29a2916df0005dc7deb3943b6e1753f3152f4
                                                • Opcode Fuzzy Hash: c57721f70084d3b6e0eae24d6a6a981a9f44e7486f7fd48a4b3247d286523d90
                                                • Instruction Fuzzy Hash: 9B31C4B5A4121CABDB50DA548C88FDE77BCEF19348F1004E6E908E2640D7759F858FA3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 76%
                                                			E6C3CA2A6(void* __ebx, void** __ecx, void* __edi, void* __esi, long _a4) {
                                                				long _v8;
                                                				void** _v12;
                                                				void* _v16;
                                                				intOrPtr _v20;
                                                				signed int _v24;
                                                				intOrPtr _v28;
                                                				struct _OVERLAPPED* _v32;
                                                				struct _OVERLAPPED* _v36;
                                                				void* _v40;
                                                				intOrPtr* _v44;
                                                				intOrPtr _v48;
                                                				intOrPtr _v56;
                                                				intOrPtr _v64;
                                                				void _v68;
                                                				void* __ebp;
                                                				intOrPtr* _t185;
                                                				intOrPtr _t186;
                                                				void* _t193;
                                                				intOrPtr _t194;
                                                				intOrPtr _t198;
                                                				intOrPtr _t200;
                                                				intOrPtr _t203;
                                                				intOrPtr _t205;
                                                				signed int* _t207;
                                                				intOrPtr* _t209;
                                                				intOrPtr _t210;
                                                				signed int _t213;
                                                				void* _t214;
                                                				intOrPtr _t215;
                                                				void* _t216;
                                                				intOrPtr _t217;
                                                				void* _t220;
                                                				intOrPtr _t223;
                                                				intOrPtr _t224;
                                                				intOrPtr _t226;
                                                				intOrPtr _t228;
                                                				intOrPtr _t231;
                                                				void* _t233;
                                                				intOrPtr _t235;
                                                				intOrPtr _t240;
                                                				intOrPtr _t243;
                                                				intOrPtr _t247;
                                                				intOrPtr _t249;
                                                				void* _t252;
                                                				void** _t254;
                                                				intOrPtr _t255;
                                                				intOrPtr _t263;
                                                				signed int _t264;
                                                				intOrPtr* _t267;
                                                				void** _t270;
                                                				signed int _t271;
                                                				intOrPtr _t278;
                                                				void _t280;
                                                				long _t283;
                                                				void* _t284;
                                                				signed int* _t296;
                                                				void* _t298;
                                                				intOrPtr* _t303;
                                                				void* _t304;
                                                				signed int _t305;
                                                				signed int _t306;
                                                				intOrPtr _t309;
                                                				intOrPtr _t310;
                                                				void* _t311;
                                                
                                                				_t185 = _a4;
                                                				_v12 = __ecx;
                                                				_v24 = 0x8008000d;
                                                				_v36 = 0;
                                                				_v32 = 0;
                                                				if(_t185 == 0 ||  *_t185 == 0) {
                                                					_t186 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t186 != 0x6c3e0088 && ( *(_t186 + 0x1c) & 0x00000001) != 0) {
                                                						_t183 = _t186 + 0x14; // 0x0
                                                						_t184 = _t186 + 0x10; // 0x1
                                                						E6C3D5F11( *_t184,  *_t183, 0xb, E6C3C9D50);
                                                					}
                                                					return 0x80080057;
                                                				} else {
                                                					_push(__ebx);
                                                					_t252 =  *_v12;
                                                					_push(__esi);
                                                					_push(__edi);
                                                					_push(6);
                                                					_v8 =  *((intOrPtr*)(_t252 + 0x14)) + 0x78;
                                                					memcpy( &_v68, _t252 + 0x3e0, 0 << 2);
                                                					_t193 = E6C3C1967(_t252 + 0x3e0,  *((intOrPtr*)(_t252 + 0x14)) + 0x78);
                                                					_v16 = _t193;
                                                					if(_t193 == 0) {
                                                						_v24 = 0x8008000e;
                                                						_t194 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t194 != 0x6c3e0088 && ( *(_t194 + 0x1c) & 0x00000001) != 0) {
                                                							_t106 = _t194 + 0x14; // 0x0
                                                							_t107 = _t194 + 0x10; // 0x1
                                                							E6C3D99F8( *_t107,  *_t106, 0xc, E6C3C9D50, _v8);
                                                						}
                                                						L31:
                                                						return _v24;
                                                					}
                                                					_t283 = _v8;
                                                					_t263 = _t283 + _t193;
                                                					_v28 = _t263;
                                                					if(_t193 + 0x78 > _t263 || _t283 < 0x78) {
                                                						_t198 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t198 != 0x6c3e0088 && ( *(_t198 + 0x1c) & 0x00000001) != 0) {
                                                							_t111 = _t198 + 0x14; // 0x0
                                                							_t112 = _t198 + 0x10; // 0x1
                                                							E6C3D5F11( *_t112,  *_t111, 0xd, E6C3C9D50);
                                                						}
                                                					}
                                                					_t284 = _v16;
                                                					_t264 = 0x1e;
                                                					memcpy(_t284, _t252, _t264 << 2);
                                                					_t18 = _t284 + 0x78; // 0x78
                                                					_t303 = _t18;
                                                					_v20 = 0x78;
                                                					if(_t303 == 0 || _t303 < _t284) {
                                                						L111:
                                                						_t200 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t200 == 0x6c3e0088 || ( *(_t200 + 0x1c) & 0x00000001) == 0) {
                                                							goto L30;
                                                						} else {
                                                							_push(E6C3C9D50);
                                                							_push(0xe);
                                                							goto L114;
                                                						}
                                                					} else {
                                                						_t267 = _v12;
                                                						_t21 =  *_t267 + 0x3e0; // 0x0
                                                						_t203 =  *_t21;
                                                						if(_t203 + _t303 > _v28 || _t203 > _v8) {
                                                							goto L111;
                                                						} else {
                                                							if(_v68 > 0) {
                                                								 *_t303 = 0;
                                                								_t249 =  *((intOrPtr*)( *_t267 + 0x3e0));
                                                								 *((intOrPtr*)(_t303 + 4)) = _t249;
                                                								_t310 = _t303 + 8;
                                                								_v36 = _t310;
                                                								_t303 = _t310 + _t249;
                                                								_v20 = 0x80;
                                                							}
                                                							if(_t303 == 0 || _t303 < _t284) {
                                                								L108:
                                                								_t200 =  *0x6c3e0088; // 0x6c3e0088
                                                								if(_t200 == 0x6c3e0088 || ( *(_t200 + 0x1c) & 0x00000001) == 0) {
                                                									goto L30;
                                                								} else {
                                                									_push(E6C3C9D50);
                                                									_push(0xf);
                                                									goto L114;
                                                								}
                                                							} else {
                                                								_t205 =  *((intOrPtr*)( *_t267 + 0x3ec));
                                                								if(_t205 + _t303 > _v28 || _t205 > _v8) {
                                                									goto L108;
                                                								} else {
                                                									if(_v56 > 0) {
                                                										 *_t303 = 3;
                                                										_t247 =  *((intOrPtr*)( *_t267 + 0x3ec));
                                                										 *((intOrPtr*)(_t303 + 4)) = _t247;
                                                										_t309 = _t303 + 8;
                                                										_v32 = _t309;
                                                										_t303 = _t309 + _t247;
                                                										_v20 = _v20 + 8;
                                                									}
                                                									_v40 = 0x94;
                                                									do {
                                                										_t254 = _v12;
                                                										_t207 = E6C3CA224(_t254,  *((intOrPtr*)(_v40 +  *_t254)));
                                                										_t270 = _t254;
                                                										while(1) {
                                                											_t296 = _t207;
                                                											if(E6C3CA18D(_t270, _t296, 0x10) == 0) {
                                                												goto L20;
                                                											}
                                                											_t271 =  *_t296;
                                                											_t209 = _t311 + _t271 * 4 - 0x40;
                                                											_t255 =  *_t209;
                                                											_v44 = _t209;
                                                											if(_t255 == 0) {
                                                												_t210 =  *0x6c3e0088; // 0x6c3e0088
                                                												if(_t210 != 0x6c3e0088 && ( *(_t210 + 0x1c) & 0x00000002) != 0) {
                                                													_t117 = _t210 + 0x14; // 0x0
                                                													_t118 = _t210 + 0x10; // 0x1
                                                													E6C3D99F8( *_t118,  *_t117, 0x10, E6C3C9D50, _t296[1]);
                                                												}
                                                												L42:
                                                												_t207 = E6C3CA224(_v12, _t296[2]);
                                                												_t270 = _v12;
                                                												continue;
                                                											}
                                                											_t213 = _t271;
                                                											if(_t213 != 0) {
                                                												_t214 = _t213 - 1;
                                                												if(_t214 == 0) {
                                                													if(_t303 == 0 || _t303 < _v16) {
                                                														L81:
                                                														_t200 =  *0x6c3e0088; // 0x6c3e0088
                                                														if(_t200 != 0x6c3e0088 && ( *(_t200 + 0x1c) & 0x00000001) != 0) {
                                                															_push(E6C3C9D50);
                                                															_push(0x13);
                                                															L114:
                                                															_t178 = _t200 + 0x14; // 0x0
                                                															_push( *_t178);
                                                															_t179 = _t200 + 0x10; // 0x1
                                                															_push( *_t179);
                                                															E6C3D5F11();
                                                														}
                                                														goto L30;
                                                													} else {
                                                														_t215 = _v64;
                                                														if(_t215 + _t303 > _v28 || _t215 > _v8) {
                                                															goto L81;
                                                														} else {
                                                															_t216 = E6C3D9D53(_v12, _t296, _t303, _t215);
                                                															L56:
                                                															_t303 = _t303 + _t216;
                                                															L40:
                                                															if(_t216 == 0) {
                                                																_t217 =  *0x6c3e0088; // 0x6c3e0088
                                                																if(_t217 == 0x6c3e0088 || ( *(_t217 + 0x1c) & 0x00000001) == 0) {
                                                																	L30:
                                                																	_push(_v16);
                                                																	E6C3C4994();
                                                																	goto L31;
                                                																} else {
                                                																	_push(_t296[1]);
                                                																	_push(E6C3C9D50);
                                                																	_push(0x16);
                                                																	L87:
                                                																	_t144 = _t217 + 0x14; // 0x0
                                                																	_push( *_t144);
                                                																	_t145 = _t217 + 0x10; // 0x1
                                                																	_push( *_t145);
                                                																	E6C3D99F8();
                                                																	goto L30;
                                                																}
                                                															}
                                                															_v20 = _v20 + _t216;
                                                															 *_v44 = _t255 - _t216;
                                                															goto L42;
                                                														}
                                                													}
                                                												}
                                                												_t220 = _t214;
                                                												if(_t220 != 0) {
                                                													if(_t220 != 0) {
                                                														_t217 =  *0x6c3e0088; // 0x6c3e0088
                                                														if(_t217 == 0x6c3e0088 || ( *(_t217 + 0x1c) & 0x00000001) == 0) {
                                                															goto L30;
                                                														} else {
                                                															_push(_t271);
                                                															_push(E6C3C9D50);
                                                															_push(0x15);
                                                															goto L87;
                                                														}
                                                													}
                                                													if(_t303 == 0 || _t303 < _v16) {
                                                														L75:
                                                														_t200 =  *0x6c3e0088; // 0x6c3e0088
                                                														if(_t200 == 0x6c3e0088 || ( *(_t200 + 0x1c) & 0x00000001) == 0) {
                                                															goto L30;
                                                														} else {
                                                															_push(E6C3C9D50);
                                                															_push(0x14);
                                                															goto L114;
                                                														}
                                                													} else {
                                                														_t223 = _v48;
                                                														if(_t223 + _t303 > _v28 || _t223 > _v8) {
                                                															goto L75;
                                                														} else {
                                                															_t216 = E6C3C9FE0(_v12, _t296, _t303, _t296, _t303, _t223);
                                                															goto L56;
                                                														}
                                                													}
                                                												}
                                                												_t224 = _v32;
                                                												if(_t224 == 0 || _t224 < _v16) {
                                                													L78:
                                                													_t200 =  *0x6c3e0088; // 0x6c3e0088
                                                													if(_t200 == 0x6c3e0088 || ( *(_t200 + 0x1c) & 0x00000001) == 0) {
                                                														goto L30;
                                                													} else {
                                                														_push(E6C3C9D50);
                                                														_push(0x12);
                                                														goto L114;
                                                													}
                                                												} else {
                                                													_t278 = _v56;
                                                													if(_t224 + _t278 > _v28 || _t278 > _v8) {
                                                														goto L78;
                                                													} else {
                                                														_t216 = E6C3CA0F0(_v12, _t296, _v32, _t278);
                                                														_v32 = _v32 + _t216;
                                                														goto L40;
                                                													}
                                                												}
                                                											}
                                                											_t226 = _v36;
                                                											if(_t226 == 0 || _t226 < _v16) {
                                                												L88:
                                                												_t200 =  *0x6c3e0088; // 0x6c3e0088
                                                												if(_t200 == 0x6c3e0088 || ( *(_t200 + 0x1c) & 0x00000001) == 0) {
                                                													goto L30;
                                                												} else {
                                                													_push(E6C3C9D50);
                                                													_push(0x11);
                                                													goto L114;
                                                												}
                                                											} else {
                                                												_t280 = _v68;
                                                												if(_t226 + _t280 > _v28 || _t280 > _v8) {
                                                													goto L88;
                                                												} else {
                                                													_t216 = E6C3CA1C0(_t255, _v12, _t303, _t296, _v36, _t280);
                                                													_v36 = _v36 + 0xc;
                                                													goto L40;
                                                												}
                                                											}
                                                										}
                                                										L20:
                                                										_v40 = _v40 + 4;
                                                									} while (_v40 < 0x3e0);
                                                									_t297 = _v8;
                                                									if(_v20 != _v8) {
                                                										_t228 =  *0x6c3e0088; // 0x6c3e0088
                                                										if(_t228 != 0x6c3e0088 && ( *(_t228 + 0x1c) & 0x00000001) != 0) {
                                                											_t170 = _t228 + 0x14; // 0x0
                                                											_t171 = _t228 + 0x10; // 0x1
                                                											E6C3D782C( *_t171,  *_t170, 0x1b, E6C3C9D50, _t297, _v20);
                                                										}
                                                										goto L30;
                                                									}
                                                									_t304 = _v16;
                                                									 *((intOrPtr*)(_t304 + 0xc)) = E6C3C49A5(_t304, _t297);
                                                									_t231 =  *0x6c3e0088; // 0x6c3e0088
                                                									if(_t231 == 0x6c3e0088 || ( *(_t231 + 0x1c) & 0x00000004) == 0) {
                                                										_t298 = E6C3C9D50;
                                                									} else {
                                                										_t298 = E6C3C9D50;
                                                										_t126 = _t231 + 0x14; // 0x0
                                                										_t127 = _t231 + 0x10; // 0x1
                                                										E6C3D77B8( *_t127,  *_t126, 0x17, E6C3C9D50, _a4, _t297);
                                                									}
                                                									_t305 = 0;
                                                									_t233 = CreateFileW(_a4, 0xc0000000, 0, E6C3C9DD3(_t270, _t298, 0, 1), 2, 0x2080, 0);
                                                									_v40 = _t233;
                                                									if(_t233 == 0xffffffff) {
                                                										_t306 = GetLastError();
                                                										_t235 =  *0x6c3e0088; // 0x6c3e0088
                                                										if(_t235 != 0x6c3e0088 && ( *(_t235 + 0x1c) & 0x00000001) != 0) {
                                                											_t163 = _t235 + 0x14; // 0x0
                                                											_t164 = _t235 + 0x10; // 0x1
                                                											E6C3D99F8( *_t164,  *_t163, 0x1a, _t298, _t306);
                                                										}
                                                										if(_t306 > 0) {
                                                											_t306 = _t306 & 0x1000ffff | 0x80080000;
                                                										}
                                                										_v24 = _t306;
                                                										goto L30;
                                                									} else {
                                                										_a4 = 0;
                                                										if(WriteFile(_v40, _v16, _v8,  &_a4, 0) == 0) {
                                                											_t305 = GetLastError();
                                                											_t240 =  *0x6c3e0088; // 0x6c3e0088
                                                											if(_t240 != 0x6c3e0088 && ( *(_t240 + 0x1c) & 0x00000001) != 0) {
                                                												_t158 = _t240 + 0x14; // 0x0
                                                												_t159 = _t240 + 0x10; // 0x1
                                                												E6C3D99F8( *_t159,  *_t158, 0x19, _t298, _t305);
                                                											}
                                                											if(_t305 > 0) {
                                                												_t305 = _t305 & 0x1000ffff | 0x80080000;
                                                											}
                                                											L28:
                                                											_v24 = _t305;
                                                											L29:
                                                											CloseHandle(_v40);
                                                											goto L30;
                                                										}
                                                										_t282 = _a4;
                                                										if(_a4 != _v8) {
                                                											_t243 =  *0x6c3e0088; // 0x6c3e0088
                                                											if(_t243 != 0x6c3e0088 && ( *(_t243 + 0x1c) & 0x00000001) != 0) {
                                                												_t153 = _t243 + 0x14; // 0x0
                                                												_t154 = _t243 + 0x10; // 0x1
                                                												E6C3D782C( *_t154,  *_t153, 0x18, _t298, _v8, _t282);
                                                											}
                                                											goto L29;
                                                										}
                                                										goto L28;
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                			}

                                                0x6c3ca4a2
                                                0x6c3ca4a2
                                                0x6c3ca4a5
                                                0x6c3ca4a8
                                                0x00000000
                                                0x6c3ca4a8
                                                0x6c3ca496
                                                0x6c3ca49c
                                                0x6c3d430e
                                                0x6c3d4315
                                                0x6c3d432c
                                                0x6c3d432f
                                                0x6c3d4332
                                                0x6c3d4332
                                                0x00000000
                                                0x6c3d4315
                                                0x00000000
                                                0x6c3ca49c
                                                0x6c3ca471
                                                0x6c3ca3a9
                                                0x6c3ca38d
                                                0x6c3ca359
                                                0x6c3ca33a

                                                APIs
                                                  • Part of subcall function 6C3C1967: malloc.MSVCRT(?,6C3E0554), ref: 6C3C1979
                                                • CreateFileW.KERNEL32(6C3CACC8,C0000000,00000000,00000000,00000001,00000002,00002080,00000000,00000000,?,00000000,00000010,?,00000000,00000010,00000094), ref: 6C3CA465
                                                • WriteFile.KERNEL32(000003E0,00000000,?,6C3CACC8,00000000,?,?), ref: 6C3CA488
                                                • CloseHandle.KERNEL32(000003E0,?,?), ref: 6C3CA4A8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateHandleWritemalloc
                                                • String ID: x
                                                • API String ID: 4113784837-2363233923
                                                • Opcode ID: 0224aee12797273645213ea2965c413d7284ca17f6798081f9acfd013eb1bb77
                                                • Instruction ID: cf0f3f8058ab3aef9bb4ab721d8a251d57b32880d586a6ee7e221bed5eec4f45
                                                • Opcode Fuzzy Hash: 0224aee12797273645213ea2965c413d7284ca17f6798081f9acfd013eb1bb77
                                                • Instruction Fuzzy Hash: F302BF32A412589FCB11CF84C885FED7BB5BB05318F220599E954ABE60C736ED84DF62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C79BB6F
                                                • #115.MSI(?,?,00000000,?,00000018,6C79BFBC,?), ref: 6C79BBA5
                                                • #118.MSI(?,00000000,?,?,?,00000000,?,00000018,6C79BFBC,?), ref: 6C79BBDB
                                                • #118.MSI(?,00000000,00000000,00000000,00000000,?,00000000,?,00000018,6C79BFBC,?), ref: 6C79BC0D
                                                  • Part of subcall function 6C7C8AFC: _wcsnlen.LIBCMT ref: 6C7C8B0C
                                                • __recalloc.LIBCMT ref: 6C79BCD0
                                                • _free.LIBCMT ref: 6C79BD4D
                                                • #137.MSI(00000000,00000000,00000000,?,?,?,6C753E98,?,00000000,?,00000018,6C79BFBC,?), ref: 6C79BD89
                                                  • Part of subcall function 6C7A8CD5: __EH_prolog3.LIBCMT ref: 6C7A8CDC
                                                  • Part of subcall function 6C7AFF21: _wcsnlen.LIBCMT ref: 6C7AFF54
                                                  • Part of subcall function 6C7AFF21: _memcpy_s.LIBCMT ref: 6C7AFF8A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: #118H_prolog3_wcsnlen$#115#137__recalloc_free_memcpy_s
                                                • String ID:
                                                • API String ID: 3464579499-0
                                                • Opcode ID: c6781651d9c5cab444a49869b751a88b393d22304d720812dcb9397891c54cf6
                                                • Instruction ID: 9f2c62ab39277966144b8ae3979f1a8a068a0bd9b887427e8691411d1c0aacea
                                                • Opcode Fuzzy Hash: c6781651d9c5cab444a49869b751a88b393d22304d720812dcb9397891c54cf6
                                                • Instruction Fuzzy Hash: F2718071D0021AEFDF10DFA5DA89ADDBBB5FF05318F204169E510BB660CB31AA46CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C795B4F
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • PathGetDriveNumberW.SHLWAPI(?,?,?,?,?,00000018,6C7962B7,?,?,?,?,?,6C76AB18,?,6C76AB18,?), ref: 6C795B7C
                                                • PathGetDriveNumberW.SHLWAPI(?,?,?,?,00000018,6C7962B7,?,?,?,?,?,6C76AB18,?,6C76AB18,?,6C76AB18), ref: 6C795B84
                                                • PathGetDriveNumberW.SHLWAPI(?,?,?,?,?,?,?,?,?,00000018,6C7962B7,?,?,?,?,?), ref: 6C795BCD
                                                • PathGetDriveNumberW.SHLWAPI(?,?,?,?,00000018,6C7962B7,?,?,?,?,?,6C76AB18,?,6C76AB18,?,6C76AB18), ref: 6C795BD5
                                                • PathGetDriveNumberW.SHLWAPI(?,?,?,?,?,?,?,?,?,00000018,6C7962B7,?,?,?,?,?), ref: 6C795C1B
                                                • PathGetDriveNumberW.SHLWAPI(?,?,?,?,?,?,00000018,6C7962B7,?,?,?,?,?,6C76AB18,?,6C76AB18), ref: 6C795C23
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: DriveNumberPath$H_prolog3
                                                • String ID:
                                                • API String ID: 2285536258-0
                                                • Opcode ID: 920141616f1a9777a7ef03707fa1b16cad9105fd883cddd3b2b620011a19ee9b
                                                • Instruction ID: 76b6b42745783772f03b863c077a726393f5d5234b3337fcfd08f4eaf2ca5b13
                                                • Opcode Fuzzy Hash: 920141616f1a9777a7ef03707fa1b16cad9105fd883cddd3b2b620011a19ee9b
                                                • Instruction Fuzzy Hash: CB81F674900609DFCB14DFA9D58899DFBB1FF08328B18C65AE828AB761C734E955CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _memset.LIBCMT ref: 6C7A5B47
                                                • GetCurrentProcess.KERNEL32(?,00120411,00000001,00000000,?,?,6C7FEE70), ref: 6C7A5BD9
                                                • GetCurrentProcess.KERNEL32(00000000,?,?,6C7FEE70), ref: 6C7A5BDC
                                                • GetCurrentProcess.KERNEL32(00000000,?,?,6C7FEE70), ref: 6C7A5BDF
                                                • DuplicateHandle.KERNEL32(00000000,?,?,6C7FEE70), ref: 6C7A5BE2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: CurrentProcess$DuplicateHandle_memset
                                                • String ID: VSSetup
                                                • API String ID: 2604347766-1972238211
                                                • Opcode ID: 1b64112d1231b49253d795d97d947093f2c8850deb0025e865998b1d9582f4a5
                                                • Instruction ID: 25c322184c3b0e1c5df8ae77e58bd9c6c4b7626bceeba2ce8ed9bb97c773161f
                                                • Opcode Fuzzy Hash: 1b64112d1231b49253d795d97d947093f2c8850deb0025e865998b1d9582f4a5
                                                • Instruction Fuzzy Hash: E6615F71A00119AFEB20EF58CD88EADB7F9FF48304F14859AE58997640DB719E81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 50%
                                                			E6C3CC385(intOrPtr __ecx, wchar_t* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, signed int _a24) {
                                                				signed int _v8;
                                                				char _v132;
                                                				short _v532;
                                                				intOrPtr _v536;
                                                				intOrPtr _v540;
                                                				struct _FILETIME _v548;
                                                				struct _SYSTEMTIME _v564;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t46;
                                                				long _t49;
                                                				intOrPtr _t59;
                                                				void* _t60;
                                                				intOrPtr _t61;
                                                				wchar_t* _t67;
                                                				intOrPtr _t73;
                                                				intOrPtr _t75;
                                                				intOrPtr _t77;
                                                				wchar_t* _t79;
                                                				signed int _t83;
                                                				long _t88;
                                                				void* _t95;
                                                				void* _t99;
                                                				signed int _t100;
                                                
                                                				_t46 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t46 ^ _t100;
                                                				_v536 = __ecx;
                                                				_t79 = _a4;
                                                				_t49 = _a20;
                                                				_v540 = _a8;
                                                				_t83 = _a24;
                                                				_t92 = _t49 | _t83;
                                                				_v532 = 0;
                                                				if((_t49 | _t83) != 0) {
                                                					_v548.dwLowDateTime = _t49;
                                                					_v548.dwHighDateTime = _t83;
                                                					if(FileTimeToSystemTime( &_v548,  &_v564) != 0) {
                                                						_push( &_v132);
                                                						_push( &_v564);
                                                						if( *0x6c3e0060() != 0) {
                                                							if(E6C3C18E5( &_v532, 0xc8, L"If-Modified-Since:%s",  &_v132) >= 0) {
                                                								while(1) {
                                                									L1:
                                                									_t59 =  *0x6c3e0088; // 0x6c3e0088
                                                									if(_t59 != 0x6c3e0088 && ( *(_t59 + 0x1c) & 0x00000004) != 0) {
                                                										_t38 = _t59 + 0x14; // 0x0
                                                										_t39 = _t59 + 0x10; // 0x1
                                                										E6C3D98D7( *_t39,  *_t38, 0x24, 0x6c3ccad8, _t79, _v540, _a12);
                                                									}
                                                									_t60 = E6C3CCB53(_v536, _t79, _v540, _a12);
                                                									_t98 = _t60;
                                                									if(_t60 < 0) {
                                                										break;
                                                									}
                                                									_t98 = E6C3CC43B(_v536,  &_v532, _a16);
                                                									if(_t98 < 0) {
                                                										if(_t79 == 0) {
                                                											goto L5;
                                                										}
                                                										_t67 = _t79;
                                                										_t92 =  &(_t67[0]);
                                                										do {
                                                											_t88 =  *_t67;
                                                											_t67 =  &(_t67[0]);
                                                										} while (_t88 != 0);
                                                										if(_t67 == _t92 || _t98 != 0x80072ee7 && _t98 != 0x80072efd && _t98 != 0x80072efe && _t98 != 0x80072ee2) {
                                                											goto L5;
                                                										} else {
                                                											_t79 = wcschr(_t79, 0x3b);
                                                											if(_t79 != 0) {
                                                												_t79 =  &(_t79[0]);
                                                											}
                                                											continue;
                                                										}
                                                									}
                                                									L5:
                                                									_pop(_t95);
                                                									_pop(_t99);
                                                									return E6C3C171F(_t98, _t79, _v8 ^ _t100, _t92, _t95, _t99);
                                                								}
                                                								_t61 =  *0x6c3e0088; // 0x6c3e0088
                                                								if(_t61 != 0x6c3e0088 && ( *(_t61 + 0x1c) & 0x00000001) != 0) {
                                                									_t44 = _t61 + 0x14; // 0x0
                                                									_t45 = _t61 + 0x10; // 0x1
                                                									E6C3D99F8( *_t45,  *_t44, 0x25, 0x6c3ccad8, _t98);
                                                								}
                                                								goto L5;
                                                							}
                                                							L16:
                                                							_v532 = 0;
                                                							goto L1;
                                                						}
                                                						_t73 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t73 != 0x6c3e0088 && ( *(_t73 + 0x1c) & 0x00000001) != 0) {
                                                							_push(GetLastError());
                                                							_push(0x6c3ccad8);
                                                							_push(0x23);
                                                							L10:
                                                							_t75 =  *0x6c3e0088; // 0x6c3e0088
                                                							_t26 = _t75 + 0x14; // 0x0
                                                							_push( *_t26);
                                                							_t27 = _t75 + 0x10; // 0x1
                                                							_push( *_t27);
                                                							E6C3D99F8();
                                                						}
                                                						goto L16;
                                                					}
                                                					_t77 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t77 == 0x6c3e0088 || ( *(_t77 + 0x1c) & 0x00000001) == 0) {
                                                						goto L16;
                                                					} else {
                                                						_push(GetLastError());
                                                						_push(0x6c3ccad8);
                                                						_push(0x22);
                                                						goto L10;
                                                					}
                                                				}
                                                				goto L1;
                                                			}


                                                APIs
                                                • FileTimeToSystemTime.KERNEL32(?,?,6C3E0088,?,00000000), ref: 6C3D3335
                                                • GetLastError.KERNEL32(?,00000000), ref: 6C3D3351
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: Time$ErrorFileLastSystem
                                                • String ID: Fm*$If-Modified-Since:%s
                                                • API String ID: 2781989572-4044886790
                                                • Opcode ID: fccff3d6475394fc035c80a3e8affc2719f6a275466e8fdceb021446e14081e8
                                                • Instruction ID: 93efffe38fc289a42b5ed43ad29a10eebbac5a5b639b2dde28ba7fca636f27e7
                                                • Opcode Fuzzy Hash: fccff3d6475394fc035c80a3e8affc2719f6a275466e8fdceb021446e14081e8
                                                • Instruction Fuzzy Hash: 8151DF32B402589BCB91EE559C88BDE77B9BB08308F010199E915D7A50DB75EE448FA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 71%
                                                			E6C3C4197(void* __ebx, void* __ecx, signed int __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
                                                				char _v8;
                                                				void* __ebp;
                                                				intOrPtr _t43;
                                                				intOrPtr _t46;
                                                				struct HINSTANCE__* _t48;
                                                				intOrPtr _t49;
                                                				void* _t56;
                                                				intOrPtr _t59;
                                                				intOrPtr _t61;
                                                				void* _t63;
                                                				signed int _t70;
                                                				long _t72;
                                                				void* _t74;
                                                				signed int _t75;
                                                				void* _t80;
                                                
                                                				_t74 = __esi;
                                                				_t70 = __edx;
                                                				_t66 = __ecx;
                                                				_t63 = __ebx;
                                                				_push(__ecx);
                                                				_t72 = 0;
                                                				_v8 = 0;
                                                				if(_a4 == 0) {
                                                					_t43 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t43 == 0x6c3e0088 || ( *(_t43 + 0x1c) & 0x00000001) == 0) {
                                                						L23:
                                                						_push(0x57);
                                                						L24:
                                                						_pop(_t72);
                                                						L11:
                                                						SetLastError(_t72);
                                                						return _v8;
                                                					} else {
                                                						_push(0x6c3d5a6c);
                                                						_push(0x75);
                                                						L22:
                                                						_t21 = _t43 + 0x14; // 0x0
                                                						_push( *_t21);
                                                						_t22 = _t43 + 0x10; // 0x1
                                                						_push( *_t22);
                                                						E6C3D5F11();
                                                						goto L23;
                                                					}
                                                				}
                                                				if(_a8 == 0) {
                                                					if(_a12 != 0) {
                                                						goto L2;
                                                					}
                                                					_t43 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t43 == 0x6c3e0088 || ( *(_t43 + 0x1c) & 0x00000001) == 0) {
                                                						goto L23;
                                                					} else {
                                                						_push(0x6c3d5a6c);
                                                						_push(0x76);
                                                						goto L22;
                                                					}
                                                				}
                                                				L2:
                                                				_t80 =  *0x6c3e009c - _t72; // 0x0
                                                				if(_t80 == 0) {
                                                					_t46 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t46 != 0x6c3e0088 && ( *(_t46 + 0x1c) & 0x00000001) != 0) {
                                                						_t29 = _t46 + 0x14; // 0x0
                                                						_t30 = _t46 + 0x10; // 0x1
                                                						E6C3D5F11( *_t30,  *_t29, 0x77, 0x6c3d5a6c);
                                                					}
                                                					_t72 = 0x1000010a;
                                                					goto L11;
                                                				}
                                                				_t48 = LoadLibraryW(L"Winhttp.dll");
                                                				if(_t48 == _t72) {
                                                					_t49 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t49 != 0x6c3e0088 && ( *(_t49 + 0x1c) & 0x00000001) != 0) {
                                                						_t34 = _t49 + 0x14; // 0x0
                                                						_t35 = _t49 + 0x10; // 0x1
                                                						E6C3D5F11( *_t35,  *_t34, 0x78, 0x6c3d5a6c);
                                                					}
                                                					_push(0xa);
                                                					goto L24;
                                                				}
                                                				FreeLibrary(_t48);
                                                				if(E6C3C3FCF(_t66, _a8, _a12, _a16 & 0x00000004) != 0) {
                                                					goto L11;
                                                				}
                                                				_push(_t63);
                                                				_push(_t74);
                                                				EnterCriticalSection(0x6c3e0168);
                                                				_t67 =  *0x6c3e00a8; // 0x0
                                                				if(_t67 == _t72) {
                                                					if(E6C3C17EB(0x70) == _t72) {
                                                						_t56 = 0;
                                                					} else {
                                                						_t56 = E6C3C4611(_t55, _t70, _t72);
                                                					}
                                                					_t67 = _t56;
                                                					 *0x6c3e00a8 = _t56;
                                                					if(_t56 != _t72) {
                                                						goto L6;
                                                					} else {
                                                						_t61 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t61 != 0x6c3e0088 && ( *(_t61 + 0x1c) & 0x00000001) != 0) {
                                                							_t41 = _t61 + 0x14; // 0x0
                                                							_t42 = _t61 + 0x10; // 0x1
                                                							E6C3D99F8( *_t42,  *_t41, 0x7a, 0x6c3d5a6c, 0x70);
                                                						}
                                                						_t72 = 0xe;
                                                						L10:
                                                						LeaveCriticalSection(0x6c3e0168);
                                                						goto L11;
                                                					}
                                                				}
                                                				L6:
                                                				_t75 = E6C3C4281(_t67, _t70, _a4, _a8, _a12, _a16, _a20,  &_v8);
                                                				if(_t75 < _t72) {
                                                					_t59 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t59 != 0x6c3e0088 && ( *(_t59 + 0x1c) & 0x00000001) != 0) {
                                                						_t36 = _t59 + 0x14; // 0x0
                                                						_t37 = _t59 + 0x10; // 0x1
                                                						E6C3D99F8( *_t37,  *_t36, 0x79, 0x6c3d5a6c, _t75);
                                                					}
                                                					_t72 = _t75 & 0x1000ffff;
                                                				}
                                                				goto L10;
                                                			}



















                                                APIs
                                                • LoadLibraryW.KERNEL32(Winhttp.dll), ref: 6C3C41C6
                                                • FreeLibrary.KERNEL32(00000000), ref: 6C3C41D5
                                                • EnterCriticalSection.KERNEL32(6C3E0168,?,?,?,?,?), ref: 6C3C41F9
                                                  • Part of subcall function 6C3C4281: memset.MSVCRT ref: 6C3C42CF
                                                  • Part of subcall function 6C3C4281: EnterCriticalSection.KERNEL32(00000030,?,00000104,?,80000002,Software\Microsoft\SQMClient,DoNotDeleteFileAfterUpload,?,00000000,?,6C3E0168), ref: 6C3C434C
                                                  • Part of subcall function 6C3C4281: FindFirstFileW.KERNEL32(?,?,?,6C3E0168), ref: 6C3C4392
                                                  • Part of subcall function 6C3C4281: LeaveCriticalSection.KERNEL32(?,?,6C3E0168), ref: 6C3C43CD
                                                • LeaveCriticalSection.KERNEL32(6C3E0168,?,?,?,?,?,?,00000000,?,?,?,?,?), ref: 6C3C424A
                                                • SetLastError.KERNEL32(00000000,?,?,?), ref: 6C3C4253
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CriticalSection$EnterLeaveLibrary$ErrorFileFindFirstFreeLastLoadmemset
                                                • String ID: Winhttp.dll
                                                • API String ID: 4214541343-1936088768
                                                • Opcode ID: 845410dd879ccc8ee80d2d6704aebf03a368ad92cc955b3cbe85d3d15ff1a31a
                                                • Instruction ID: d930a61c07a6961a42e10e561d1c5b419ed7b2aae2c32f8a2eb9fff3743f56de
                                                • Opcode Fuzzy Hash: 845410dd879ccc8ee80d2d6704aebf03a368ad92cc955b3cbe85d3d15ff1a31a
                                                • Instruction Fuzzy Hash: 5D510232340740AFCB92DE14CC86FED3A69BB45308F210452F9249ADA1C776DC54AFA3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C7B0702: __EH_prolog3.LIBCMT ref: 6C7B0709
                                                  • Part of subcall function 6C7B0702: GetLastError.KERNEL32 ref: 6C7B0733
                                                  • Part of subcall function 6C7781D5: GetTempPathW.KERNEL32(00000100,?,00000000,?), ref: 6C7781FB
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • CloseHandle.KERNEL32(?), ref: 6C7AAA4B
                                                • DeleteFileW.KERNEL32(?), ref: 6C7AAA5A
                                                • GetLastError.KERNEL32 ref: 6C7AAA83
                                                • GetLastError.KERNEL32 ref: 6C7AAAAF
                                                Strings
                                                • Failed to Close and Send Ux Report, xrefs: 6C7AAADD
                                                • http://sqm.microsoft.com/sqm/vstudio/sqmserver.dll, xrefs: 6C7AAA9D
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$H_prolog3$CloseDeleteFileHandlePathTemp
                                                • String ID: Failed to Close and Send Ux Report$http://sqm.microsoft.com/sqm/vstudio/sqmserver.dll
                                                • API String ID: 4074342544-2911352224
                                                • Opcode ID: 084152d4ce9ee55488c5dec4c857524d982acc7cc84f047b48a005ec81c9f2e1
                                                • Instruction ID: 357f64adc1e4072e9b8dea3ba1ae3d81b5a8d1be94071fa8f64dc5596b3ba5c3
                                                • Opcode Fuzzy Hash: 084152d4ce9ee55488c5dec4c857524d982acc7cc84f047b48a005ec81c9f2e1
                                                • Instruction Fuzzy Hash: 98519F712083429FD7208F65CA89B9EBBE5FF88728F100A2DF495D7790DB30D9068B52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7C5D92
                                                • GetLastError.KERNEL32(?,Setup Installer,00000001,00000000,00000000,00000000,?,?,6C7C4247,00000000,?), ref: 6C7C5DD0
                                                • GetLastError.KERNEL32(?,Setup Installer,00000001,00000000,00000000,00000000,?,?,6C7C4247,00000000,?), ref: 6C7C5E72
                                                Strings
                                                • Auto detecting proxy information, xrefs: 6C7C5D9C
                                                • WinHttpGetProxyForUrl, xrefs: 6C7C5E7B
                                                • WinHttpDetectAutoProxyConfigUrl, xrefs: 6C7C5DD9
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$H_prolog3
                                                • String ID: Auto detecting proxy information$WinHttpDetectAutoProxyConfigUrl$WinHttpGetProxyForUrl
                                                • API String ID: 3502553090-3439616282
                                                • Opcode ID: c0ef502dbabda27cb04fbd12bdccf01031106fa22ea0495f7db924c10b4406f7
                                                • Instruction ID: 1d64756e3829bacb1a727ac5f80deed002ee7b9d06c523978201364e9b4f3363
                                                • Opcode Fuzzy Hash: c0ef502dbabda27cb04fbd12bdccf01031106fa22ea0495f7db924c10b4406f7
                                                • Instruction Fuzzy Hash: FD417B75A0021ADFCF04DFA4CA89AEDBBB1FF48305F004469E512BB690CB35A904DF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C77B90D
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                  • Part of subcall function 6C77A378: __EH_prolog3.LIBCMT ref: 6C77A37F
                                                • __CxxThrowException@8.LIBCMT ref: 6C77BA41
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                Strings
                                                • Name, xrefs: 6C77B91C
                                                • ParameterInfo.xml, xrefs: 6C77B9ED
                                                • BlockingMutex Name attribute should not be empty and cannot contain '\'., xrefs: 6C77B9DF
                                                • BlockingMutex, xrefs: 6C77B982
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
                                                • String ID: BlockingMutex$BlockingMutex Name attribute should not be empty and cannot contain '\'.$Name$ParameterInfo.xml
                                                • API String ID: 3417717588-1122533197
                                                • Opcode ID: be7224e835387bd782b9631fbdcf582a7f66fb0fc87e7a5442cb0e809ced500b
                                                • Instruction ID: a08b422847fcc55d2b42ecbfbdd006ca30bfbb65ead1218df82f5e6ffcc541aa
                                                • Opcode Fuzzy Hash: be7224e835387bd782b9631fbdcf582a7f66fb0fc87e7a5442cb0e809ced500b
                                                • Instruction Fuzzy Hash: AC411F71500249EFDF14DFA8CA48AEE7BB8BF15318F144659F425AB780CB34EA19CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PMDtoOffset.LIBCMT ref: 6C7D6989
                                                • std::bad_exception::bad_exception.LIBCMT ref: 6C7D69B3
                                                • __CxxThrowException@8.LIBCMT ref: 6C7D69C1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Exception@8OffsetThrowstd::bad_exception::bad_exception
                                                • String ID: Bad dynamic_cast!
                                                • API String ID: 1176828985-2956939130
                                                • Opcode ID: 5854d5e7e695a4b2f25746439da5919aabe65b1de89bd15b87fa220f116f0bc8
                                                • Instruction ID: 9043c2130fa911500e28d12b35640c3fa3c4895a1eb737a39301bd58d06a352e
                                                • Opcode Fuzzy Hash: 5854d5e7e695a4b2f25746439da5919aabe65b1de89bd15b87fa220f116f0bc8
                                                • Instruction Fuzzy Hash: 3131F271A042159FDB04CF68CA88A9DBBF1EF48325F16496DE851E7B40D734FA05CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 50%
                                                			E6C3C8067(void* __edx, void* __edi, intOrPtr _a4) {
                                                				signed int _v8;
                                                				void _v526;
                                                				char _v528;
                                                				char _v532;
                                                				void* __ebx;
                                                				void* __esi;
                                                				signed int _t27;
                                                				intOrPtr _t31;
                                                				void* _t36;
                                                				void* _t42;
                                                				intOrPtr _t46;
                                                				intOrPtr _t49;
                                                				void* _t50;
                                                				signed int _t54;
                                                
                                                				_t51 = __edi;
                                                				_t50 = __edx;
                                                				_t27 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t27 ^ _t54;
                                                				_t46 = _a4;
                                                				_t53 = 0;
                                                				_v528 = 0;
                                                				memset( &_v526, 0, 0x206);
                                                				_v532 = 0;
                                                				if(_t46 == 0) {
                                                					_t31 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t31 != 0x6c3e0088 && ( *(_t31 + 0x1c) & 0x00000001) != 0) {
                                                						_t17 = _t31 + 0x14; // 0x0
                                                						_t18 = _t31 + 0x10; // 0x1
                                                						E6C3D5F11( *_t18,  *_t17, 0x39, 0x6c3d5ab8);
                                                					}
                                                					L6:
                                                					return E6C3C171F(_v532, _t46, _v8 ^ _t54, _t50, _t51, _t53);
                                                				}
                                                				_push(__edi);
                                                				_push(_t46);
                                                				_t53 = 0x104;
                                                				_t36 = E6C3C18E5( &_v528, 0x104, L"%s\\%s", L"Software\\Policies\\Microsoft\\SQMClient");
                                                				if(_t36 < 0) {
                                                					_t49 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t49 == 0x6c3e0088 || ( *(_t49 + 0x1c) & 0x00000001) == 0) {
                                                						L5:
                                                						_pop(_t51);
                                                						goto L6;
                                                					} else {
                                                						_push(_t36);
                                                						_push(0x6c3d5ab8);
                                                						_push(0x3a);
                                                						L16:
                                                						_t25 = _t49 + 0x14; // 0x0
                                                						_push( *_t25);
                                                						_t26 = _t49 + 0x10; // 0x1
                                                						_push( *_t26);
                                                						E6C3D99F8();
                                                						goto L5;
                                                					}
                                                				}
                                                				if(E6C3C3E29(0x104, 0x80000002,  &_v528, L"StudyId",  &_v532) == 0) {
                                                					goto L5;
                                                				}
                                                				_push(_t46);
                                                				_t42 = E6C3C18E5( &_v528, 0x104, L"%s\\%s", L"Software\\Microsoft\\SQMClient");
                                                				if(_t42 < 0) {
                                                					_t49 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t49 == 0x6c3e0088 || ( *(_t49 + 0x1c) & 0x00000001) == 0) {
                                                						goto L5;
                                                					} else {
                                                						_push(_t42);
                                                						_push(0x6c3d5ab8);
                                                						_push(0x3b);
                                                						goto L16;
                                                					}
                                                				}
                                                				E6C3C3E29(0x104, 0x80000002,  &_v528, L"StudyId",  &_v532);
                                                				goto L5;
                                                			}


                                                APIs
                                                • memset.MSVCRT ref: 6C3C8097
                                                  • Part of subcall function 6C3C18E5: _vsnwprintf.MSVCRT ref: 6C3C1913
                                                  • Part of subcall function 6C3C3E29: RegOpenKeyExW.ADVAPI32(?,?,00000000,-00020018,00000000,80000002,CEIPEnable,00000002), ref: 6C3C3E94
                                                  • Part of subcall function 6C3C3E29: RegQueryValueExW.ADVAPI32(00000000,00000002,00000000,?,?,00000004), ref: 6C3C3EB0
                                                  • Part of subcall function 6C3C3E29: RegCloseKey.ADVAPI32(00000000), ref: 6C3C3ECE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue_vsnwprintfmemset
                                                • String ID: d<l$%s\%s$Fm*$Software\Microsoft\SQMClient$Software\Policies\Microsoft\SQMClient$StudyId
                                                • API String ID: 908408749-3228566057
                                                • Opcode ID: 3b962cdb9cf875a94821877edfcb521a5c384d8a21881179de662b8e208eccf2
                                                • Instruction ID: a87fce3d7be23d1fb0a68ae0338fdead3c1947d6d961a58fb02540cf6bc0129e
                                                • Opcode Fuzzy Hash: 3b962cdb9cf875a94821877edfcb521a5c384d8a21881179de662b8e208eccf2
                                                • Instruction Fuzzy Hash: D431F5B5702258AAD750CE55CC84FEFB7ACEF15388F20049AE91496A41C771DE44CFA3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C784DC7
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A8CD5: __EH_prolog3.LIBCMT ref: 6C7A8CDC
                                                  • Part of subcall function 6C7A8C7A: __EH_prolog3.LIBCMT ref: 6C7A8C81
                                                  • Part of subcall function 6C7A8C24: __EH_prolog3.LIBCMT ref: 6C7A8C2B
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                  • Part of subcall function 6C778415: __EH_prolog3.LIBCMT ref: 6C77841C
                                                  • Part of subcall function 6C77A378: __EH_prolog3.LIBCMT ref: 6C77A37F
                                                • __CxxThrowException@8.LIBCMT ref: 6C784ED4
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                Strings
                                                • Found duplicate ID attribute ", xrefs: 6C784DF8
                                                • \LocalizedData.xml. Duplicates not allowed., xrefs: 6C784E34
                                                • ParameterInfo.xml, xrefs: 6C784DE8
                                                • " for Text element in , xrefs: 6C784E0D
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
                                                • String ID: " for Text element in $Found duplicate ID attribute "$ParameterInfo.xml$\LocalizedData.xml. Duplicates not allowed.
                                                • API String ID: 3417717588-3340550128
                                                • Opcode ID: 71de512e47c58f9efd1c440005c122ba26b3755accba47615d99c495c4cb73e5
                                                • Instruction ID: a11510b389f10949f2bb6a712b4ac756c120cd78140b21c743c94a25e3320937
                                                • Opcode Fuzzy Hash: 71de512e47c58f9efd1c440005c122ba26b3755accba47615d99c495c4cb73e5
                                                • Instruction Fuzzy Hash: F5410D72500049AFCB10DBE8CA4CAEDB7A8AF19328F144355F125E7791DB34EA498B62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C79BDF5
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C79BD95: __EH_prolog3.LIBCMT ref: 6C79BD9C
                                                  • Part of subcall function 6C79953C: __EH_prolog3.LIBCMT ref: 6C799543
                                                • _free.LIBCMT ref: 6C79BE65
                                                  • Part of subcall function 6C7CBE0E: HeapFree.KERNEL32(00000000,00000000,?,6C7CD3BD,00000000,?,6C7A831D,6C7CBD2E,6C7CC03C,00000000), ref: 6C7CBE24
                                                  • Part of subcall function 6C7CBE0E: GetLastError.KERNEL32(00000000,?,6C7CD3BD,00000000,?,6C7A831D,6C7CBD2E,6C7CC03C,00000000), ref: 6C7CBE36
                                                • #141.MSI(00000003,00000000,?,00000000,?,?,6C76AB18,?,6C76AB18,00000024,6C7AC05B,?,?,?,?,?), ref: 6C79BE9D
                                                • GetCommandLineW.KERNEL32(?,00000000,?,?,6C76AB18,?,6C76AB18,00000024,6C7AC05B,?,?,?,?,?,?,?), ref: 6C79BEA5
                                                • #141.MSI(00000102,00000000,?,00000000,?,?), ref: 6C79BED7
                                                • #281.MSI(Function_0004BFA8,00000922,?,00000000,?,?), ref: 6C79BEE5
                                                • #137.MSI(Function_0004BF8A,00007FDF,?,?,?), ref: 6C79BEF6
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$#141$#137#281CommandErrorFreeHeapLastLine_free
                                                • String ID:
                                                • API String ID: 2896052883-0
                                                • Opcode ID: 3ce4da5887947b27a4225b55bc0937e61e3251a1a44ab16f4f1d37ad90f500a9
                                                • Instruction ID: 7da35b341771f44c5947bf8da3e9c0083a21b5c7445e6d1038c13008cce071a4
                                                • Opcode Fuzzy Hash: 3ce4da5887947b27a4225b55bc0937e61e3251a1a44ab16f4f1d37ad90f500a9
                                                • Instruction Fuzzy Hash: 80317071500748EFDB20DFAAD648A8ABBF8BF08304F40452DE59A97A51C774E548CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E6C3C81BC(void* __ebx, void* __edx, intOrPtr _a4, char _a8) {
                                                				signed int _v8;
                                                				void _v526;
                                                				char _v528;
                                                				char _v532;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t27;
                                                				intOrPtr _t31;
                                                				intOrPtr _t42;
                                                				void* _t44;
                                                				intOrPtr _t47;
                                                				void* _t48;
                                                				int _t49;
                                                				intOrPtr _t51;
                                                				signed int _t52;
                                                
                                                				_t48 = __edx;
                                                				_t44 = __ebx;
                                                				_t27 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t27 ^ _t52;
                                                				_t51 = _a4;
                                                				_t49 = 0;
                                                				_v528 = 0;
                                                				memset( &_v526, 0, 0x206);
                                                				_v532 = 0;
                                                				if(_t51 == 0) {
                                                					_t31 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t31 != 0x6c3e0088 && ( *(_t31 + 0x1c) & 0x00000001) != 0) {
                                                						_t18 = _t31 + 0x14; // 0x0
                                                						_t19 = _t31 + 0x10; // 0x1
                                                						E6C3D5F11( *_t19,  *_t18, 0x3c, 0x6c3d5ab8);
                                                					}
                                                				} else {
                                                					_push(_t51);
                                                					if(E6C3C18E5( &_v528, 0x104, L"%s\\%s", L"Software\\Microsoft\\SQMClient") < 0) {
                                                						_t47 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t47 != 0x6c3e0088 && ( *(_t47 + 0x1c) & 0x00000001) != 0) {
                                                							_t23 = _t47 + 0x14; // 0x0
                                                							_t24 = _t47 + 0x10; // 0x1
                                                							E6C3D99F8( *_t24,  *_t23, 0x3d, 0x6c3d5ab8, _t36);
                                                						}
                                                					} else {
                                                						if(E6C3C3E29(_t51, 0x80000002,  &_v528, L"CabSessionAfterSize",  &_v532) == 0) {
                                                							_t9 =  &_a8; // 0x6c3c640a
                                                							if( *_t9 > _v532) {
                                                								_t42 =  *0x6c3e0088; // 0x6c3e0088
                                                								if(_t42 != 0x6c3e0088 && ( *(_t42 + 0x1c) & 0x00000004) != 0) {
                                                									_t25 = _t42 + 0x14; // 0x0
                                                									_t26 = _t42 + 0x10; // 0x1
                                                									E6C3D5F11( *_t26,  *_t25, 0x3e, 0x6c3d5ab8);
                                                								}
                                                								_t49 = 1;
                                                							}
                                                						}
                                                					}
                                                				}
                                                				return E6C3C171F(_t49, _t44, _v8 ^ _t52, _t48, _t49, _t51);
                                                			}


                                                APIs
                                                • memset.MSVCRT ref: 6C3C81EC
                                                  • Part of subcall function 6C3C18E5: _vsnwprintf.MSVCRT ref: 6C3C1913
                                                  • Part of subcall function 6C3C3E29: RegOpenKeyExW.ADVAPI32(?,?,00000000,-00020018,00000000,80000002,CEIPEnable,00000002), ref: 6C3C3E94
                                                  • Part of subcall function 6C3C3E29: RegQueryValueExW.ADVAPI32(00000000,00000002,00000000,?,?,00000004), ref: 6C3C3EB0
                                                  • Part of subcall function 6C3C3E29: RegCloseKey.ADVAPI32(00000000), ref: 6C3C3ECE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue_vsnwprintfmemset
                                                • String ID: d<l$d<l$%s\%s$CabSessionAfterSize$Fm*$Software\Microsoft\SQMClient
                                                • API String ID: 908408749-4179217452
                                                • Opcode ID: a32be3c16dd7c9ea426863918a70623a128c4e860a0a44478225f38ebeba600b
                                                • Instruction ID: 08c4fec82f5226de6bab5ffb0be0fdfc519a1b120f8e75588cb57d5a57118bca
                                                • Opcode Fuzzy Hash: a32be3c16dd7c9ea426863918a70623a128c4e860a0a44478225f38ebeba600b
                                                • Instruction Fuzzy Hash: 84310476705208AFCB51DE05CC88FDE77A9BF54308F210496E914AB952C772DE888F63
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 76%
                                                			E6C3C9C65(struct HINSTANCE__* _a4, _Unknown_base(*)()** _a8) {
                                                				CHAR* _v8;
                                                				signed int _v12;
                                                				struct HINSTANCE__* _v24;
                                                				CHAR* _v36;
                                                				void _v44;
                                                				char _v48;
                                                				struct HINSTANCE__* _t30;
                                                				signed int _t33;
                                                				_Unknown_base(*)()* _t34;
                                                				int _t35;
                                                				CHAR* _t39;
                                                				signed short _t41;
                                                				signed int _t43;
                                                				struct HINSTANCE__* _t46;
                                                				struct HINSTANCE__* _t51;
                                                				LONG* _t55;
                                                				int _t56;
                                                
                                                				_t30 = _a4;
                                                				_v12 = _v12 & 0x00000000;
                                                				_t55 =  *((intOrPtr*)(_t30 + 8)) + 0x6c3c0000;
                                                				_t46 =  *_t55;
                                                				_t39 =  *((intOrPtr*)(_t30 + 4)) + 0x6c3c0000;
                                                				_t41 =  *( *((intOrPtr*)(_t30 + 0x10)) + 0x6c3c0000 + (_a8 -  *((intOrPtr*)(_t30 + 0xc)) - 0x6c3c0000 >> 2) * 4);
                                                				_t12 = _t41 + 0x6c3c0002; // 0xd8780002
                                                				_t33 = _t12;
                                                				if(_t41 < 0) {
                                                					_t33 = _t41 & 0x0000ffff;
                                                				}
                                                				_v8 = _t33;
                                                				if(_t46 == 0) {
                                                					_t34 = LoadLibraryA(_t39);
                                                					_t51 = _t34;
                                                					_a4 = _t51;
                                                					if(_t51 == 0) {
                                                						goto L11;
                                                					}
                                                					_t35 = InterlockedCompareExchange(_t55, _t51, 0);
                                                					_t56 = _t35;
                                                					if(_t56 != 0) {
                                                						_t34 = FreeLibrary(_t51);
                                                						_a4 = _t56;
                                                					} else {
                                                						_t43 = 8;
                                                						memset( &_v44, _t35, _t43 << 2);
                                                						_v24 = _a4;
                                                						_t34 =  *0x6c3c9d4c; // 0x0
                                                						_v48 = 0x24;
                                                						_v36 = _t39;
                                                						if(_t34 != 0) {
                                                							_t34 =  *_t34(5,  &_v48);
                                                						}
                                                					}
                                                					if(_a4 == 0) {
                                                						goto L11;
                                                					} else {
                                                						_t46 = _a4;
                                                						goto L2;
                                                					}
                                                				} else {
                                                					L2:
                                                					_t34 = GetProcAddress(_t46, _v8);
                                                					_v12 = 1;
                                                					if(_t34 == 0) {
                                                						L11:
                                                						_push(_v8);
                                                						_push(_t39);
                                                						L6C3DDBA5();
                                                						if(_v12 != 0) {
                                                							goto L3;
                                                						}
                                                						return _t34;
                                                					}
                                                					L3:
                                                					 *_a8 = _t34;
                                                					return _t34;
                                                				}
                                                			}

                                                APIs
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 6C3C9CB8
                                                • LoadLibraryA.KERNEL32(?), ref: 6C3C9CEB
                                                • InterlockedCompareExchange.KERNEL32(00000000,00000000,00000000), ref: 6C3C9D02
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: AddressCompareExchangeInterlockedLibraryLoadProc
                                                • String ID: $
                                                • API String ID: 792202920-3993045852
                                                • Opcode ID: 6d059cfd1024fa27b16249bbff8bfff6ee70df19a4c63e2e48e0b38f92bb0a9d
                                                • Instruction ID: a50eb0edc6d422445cea40ad6d772cb8385d1e622f82989036cda5dfbf5cd799
                                                • Opcode Fuzzy Hash: 6d059cfd1024fa27b16249bbff8bfff6ee70df19a4c63e2e48e0b38f92bb0a9d
                                                • Instruction Fuzzy Hash: C5318D76A00304EFDB11DF59C884B9EBBF9BF49319F268019E915AB640D771EA00CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _memset.LIBCMT ref: 6C7C4FB8
                                                • _memset.LIBCMT ref: 6C7C4FCF
                                                • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?), ref: 6C7C4FE3
                                                • GetTempFileNameW.KERNEL32(?,bch,00000000,?,?,?,?,?,?,?), ref: 6C7C4FFE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Temp_memset$FileNamePath
                                                • String ID: bch$http://www.microsoft.com
                                                • API String ID: 1350388415-1062877558
                                                • Opcode ID: 886dcaddb7b71510d9ead024c8de78fb454129db430cadccf9cf2f1cedb585c2
                                                • Instruction ID: a508f8314e6d57f1c7e0f49e830c9d95b341bb2b03cabfc0dda66ca713f6f9f1
                                                • Opcode Fuzzy Hash: 886dcaddb7b71510d9ead024c8de78fb454129db430cadccf9cf2f1cedb585c2
                                                • Instruction Fuzzy Hash: DB216AB0700209AFDB11CF75C94DE9A77BCAF48704F0049A9A55AD7241EB34EA819BA6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B08F5
                                                • GetCommandLineW.KERNEL32(00000030,6C7AA57B,?,6C76A794,?,-00000960,?,00000000,?,Failed to record current state name), ref: 6C7B0900
                                                  • Part of subcall function 6C773E77: __EH_prolog3.LIBCMT ref: 6C773E7E
                                                • GetCommandLineW.KERNEL32(?,00000000), ref: 6C7B0910
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C773A16: __EH_prolog3.LIBCMT ref: 6C773A1D
                                                • GetCommandLineW.KERNEL32(?,ChainingPackage,00000000,00000738,00000000), ref: 6C7B0954
                                                  • Part of subcall function 6C773C8F: __EH_prolog3.LIBCMT ref: 6C773C96
                                                  • Part of subcall function 6C77C5D4: __EH_prolog3.LIBCMT ref: 6C77C5DB
                                                  • Part of subcall function 6C77C5D4: GetLastError.KERNEL32 ref: 6C77C609
                                                  • Part of subcall function 6C7B1236: __EH_prolog3.LIBCMT ref: 6C7B123D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$CommandLine$ErrorLast
                                                • String ID: ChainingPackage$Failed to record Operation UI Mode
                                                • API String ID: 1326720558-3597460744
                                                • Opcode ID: 1cd4db04e560816c9576336127a259a8fb2cefc75614124702a6c7e3dba767a7
                                                • Instruction ID: 4299db2efeb77207778e478f5d33d8205f7b8c52d50088dd9bca5fd297332b94
                                                • Opcode Fuzzy Hash: 1cd4db04e560816c9576336127a259a8fb2cefc75614124702a6c7e3dba767a7
                                                • Instruction Fuzzy Hash: B1213E7290024DAECF11EBE4CA4DBDE7BB8AF54318F144156E510A7B81CB349B49CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E6C3CBCC7(void* __ebx, void* __edx, struct HINSTANCE__* _a4) {
                                                				signed int _v8;
                                                				void _v526;
                                                				short _v528;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t19;
                                                				intOrPtr _t25;
                                                				long _t28;
                                                				intOrPtr _t29;
                                                				intOrPtr _t33;
                                                				long _t34;
                                                				intOrPtr _t36;
                                                				void* _t38;
                                                				void* _t41;
                                                				int _t42;
                                                				signed int _t45;
                                                
                                                				_t41 = __edx;
                                                				_t38 = __ebx;
                                                				_t19 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t19 ^ _t45;
                                                				_t44 = _a4;
                                                				_t42 = 0;
                                                				_v528 = 0;
                                                				memset( &_v526, 0, 0x206);
                                                				if(GetModuleFileNameW(_a4,  &_v528, 0x104) == 0) {
                                                					_t25 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t25 != 0x6c3e0088 && ( *(_t25 + 0x1c) & 0x00000001) != 0) {
                                                						_t28 = GetLastError();
                                                						_t29 =  *0x6c3e0088; // 0x6c3e0088
                                                						_t11 = _t29 + 0x14; // 0x0
                                                						_t12 = _t29 + 0x10; // 0x1
                                                						E6C3D99F8( *_t12,  *_t11, 0x4f, 0x6c3d5ab8, _t28);
                                                					}
                                                				} else {
                                                					if(LoadLibraryW( &_v528) == 0) {
                                                						_t33 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t33 != 0x6c3e0088 && ( *(_t33 + 0x1c) & 0x00000001) != 0) {
                                                							_t34 = GetLastError();
                                                							_t36 =  *0x6c3e0088; // 0x6c3e0088
                                                							_t17 = _t36 + 0x14; // 0x0
                                                							_t18 = _t36 + 0x10; // 0x1
                                                							E6C3D77B8( *_t18,  *_t17, 0x50, 0x6c3d5ab8,  &_v528, _t34);
                                                						}
                                                					} else {
                                                						_t42 = 1;
                                                					}
                                                				}
                                                				return E6C3C171F(_t42, _t38, _v8 ^ _t45, _t41, _t42, _t44);
                                                			}

                                                APIs
                                                • memset.MSVCRT ref: 6C3CBCF7
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,6C3C0000), ref: 6C3CBD0C
                                                • LoadLibraryW.KERNEL32(?,?,?,6C3C0000), ref: 6C3CBD21
                                                • GetLastError.KERNEL32(?,?,6C3C0000), ref: 6C3CF94F
                                                • GetLastError.KERNEL32(?,?,6C3C0000), ref: 6C3CF98C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$FileLibraryLoadModuleNamememset
                                                • String ID: Fm*
                                                • API String ID: 2354241510-3000852143
                                                • Opcode ID: d4a44cb1fe3fc38aaf728edb80088315689e626062601575ac32075e52dd5b20
                                                • Instruction ID: 5c17b676b9a63752cee571531e35c42ff0000ab8b6c9a0a90f73f1ccc35cd771
                                                • Opcode Fuzzy Hash: d4a44cb1fe3fc38aaf728edb80088315689e626062601575ac32075e52dd5b20
                                                • Instruction Fuzzy Hash: C621BB72740244ABCB51CF55CC88FDE3BBCAB4A308F110096E625DB552CB31EE489F62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E6C3C3292(LONG* __ecx, void* __edi) {
                                                				long _v8;
                                                				long _t12;
                                                				void* _t13;
                                                				void* _t14;
                                                				void* _t20;
                                                				void** _t29;
                                                				LONG* _t33;
                                                				void** _t34;
                                                
                                                				_push(__ecx);
                                                				_t33 = __ecx;
                                                				_t12 = InterlockedDecrement(__ecx);
                                                				_v8 = _t12;
                                                				if(_t12 == 0) {
                                                					_t13 =  *(_t33 + 4);
                                                					__eflags = _t13;
                                                					 *((intOrPtr*)(_t33 + 0xc)) = 0;
                                                					if(_t13 != 0) {
                                                						__eflags =  *(_t33 + 8);
                                                						if( *(_t33 + 8) != 0) {
                                                							UnmapViewOfFile(_t13);
                                                						} else {
                                                							_t20 = VirtualFree(_t13,  *(_t33 + 0x818), 0x4000);
                                                							__eflags = _t20;
                                                							if(_t20 != 0) {
                                                								VirtualFree( *(_t33 + 4), 0, 0x8000);
                                                							}
                                                						}
                                                						 *(_t33 + 4) = 0;
                                                					}
                                                					_t14 =  *(_t33 + 8);
                                                					__eflags = _t14;
                                                					if(_t14 != 0) {
                                                						CloseHandle(_t14);
                                                						 *(_t33 + 8) = 0;
                                                					}
                                                					_t29 = _t33 + 0x814;
                                                					_t26 =  *_t29;
                                                					__eflags =  *_t29;
                                                					if(__eflags != 0) {
                                                						E6C3C9EEB(_t26, __eflags, 1);
                                                						 *_t29 = 0;
                                                					}
                                                					_t34 = _t33 + 0x830;
                                                					_t27 =  *_t34;
                                                					__eflags =  *_t34;
                                                					if(__eflags != 0) {
                                                						E6C3CB55A(_t27, __eflags, 1);
                                                						 *_t34 = 0;
                                                					}
                                                				}
                                                				return _v8;
                                                			}

                                                APIs
                                                • InterlockedDecrement.KERNEL32(?), ref: 6C3C329D
                                                • VirtualFree.KERNEL32(?,?,00004000,00000000,?,6C3C3279,?,6C3C3238,00000000,?,?,00000000,00000000,?), ref: 6C3CB502
                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,6C3C3279,?,6C3C3238,00000000,?,?,00000000,00000000,?), ref: 6C3CB511
                                                • ctype.LIBCPMT ref: 6C3CB52F
                                                • ctype.LIBCPMT ref: 6C3CB549
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: FreeVirtualctype$DecrementInterlocked
                                                • String ID:
                                                • API String ID: 2528146720-0
                                                • Opcode ID: 0b213b0a9ca3fdc5679d7b35ad479a1e47af7f3464f570726ae0488e6e34287b
                                                • Instruction ID: dc1412001474a6d4ec6d7f2521ccf5011694d35d156332078cd226780757c4b6
                                                • Opcode Fuzzy Hash: 0b213b0a9ca3fdc5679d7b35ad479a1e47af7f3464f570726ae0488e6e34287b
                                                • Instruction Fuzzy Hash: FA115BB1700605AFDB209F65C884A9EB7E8EB4435CB21842DE19A97A40CB76FD45CF62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ResetEvent.KERNEL32(?,?,00000000,?,6C79D33C,?,00000000), ref: 6C79D99E
                                                • ReadFile.KERNEL32(?,?,00000004,00000000,?,?,6C79D33C,?,00000000), ref: 6C79D9B1
                                                • GetLastError.KERNEL32(?,6C79D33C,?,00000000), ref: 6C79D9BB
                                                • WaitForSingleObject.KERNEL32(?,?,?,6C79D33C,?,00000000), ref: 6C79D9D1
                                                • GetOverlappedResult.KERNEL32(?,?,?,00000000,?,6C79D33C,?,00000000), ref: 6C79D9E6
                                                • GetLastError.KERNEL32(?,6C79D33C,?,00000000), ref: 6C79D9F0
                                                • CloseHandle.KERNEL32 ref: 6C79DA03
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$CloseEventFileHandleObjectOverlappedReadResetResultSingleWait
                                                • String ID:
                                                • API String ID: 2328609516-0
                                                • Opcode ID: 63a71f13fdae028ae45c68dcc1f84d6ff0e74c585d0ff61083491f39fb2d713b
                                                • Instruction ID: 42247c53bcc3501924b41745a9282c2008bdf2e90001855b83cd692692c04454
                                                • Opcode Fuzzy Hash: 63a71f13fdae028ae45c68dcc1f84d6ff0e74c585d0ff61083491f39fb2d713b
                                                • Instruction Fuzzy Hash: 2C019E32304741AFDB211FB1DD88E47BFB9FB5935AF404A38FA0681910DB71E8149B24
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 6C795E89
                                                • GetLastError.KERNEL32 ref: 6C795E91
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6C795EB2
                                                • ResetEvent.KERNEL32(00000000), ref: 6C795EB9
                                                • CloseHandle.KERNEL32(00000000), ref: 6C795EE8
                                                Strings
                                                • Launching Install operation. Download operation is completed., xrefs: 6C795EC4
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Event$CloseCreateErrorHandleLastObjectResetSingleWait
                                                • String ID: Launching Install operation. Download operation is completed.
                                                • API String ID: 1135383174-2441870237
                                                • Opcode ID: 535615ee5b0ce0ac34771699c3b4b8274bd8d24c40204e049d64cace73248905
                                                • Instruction ID: 127f371e8f9188644366f7e85a98ff78ef4ed17509e644937e3090f562958e15
                                                • Opcode Fuzzy Hash: 535615ee5b0ce0ac34771699c3b4b8274bd8d24c40204e049d64cace73248905
                                                • Instruction Fuzzy Hash: 7111C034600209AFCB00DF64C989FAEBBB9EB86716F104558FA25AB680DB70D541CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6C3C256E() {
                                                				struct _FILETIME _v12;
                                                				signed int _v16;
                                                				union _LARGE_INTEGER _v20;
                                                				signed int _t13;
                                                				signed int _t15;
                                                				signed int _t16;
                                                				signed int _t17;
                                                				signed int _t21;
                                                				signed int _t22;
                                                				signed int _t30;
                                                
                                                				_t13 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                                                				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
                                                				if(_t13 == 0xbb40e64e || (_t13 & 0xffff0000) == 0) {
                                                					GetSystemTimeAsFileTime( &_v12);
                                                					_t15 = GetCurrentProcessId();
                                                					_t16 = GetCurrentThreadId();
                                                					_t17 = GetTickCount();
                                                					QueryPerformanceCounter( &_v20);
                                                					_t21 = _v16 ^ _v20.LowPart;
                                                					_t30 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t15 ^ _t16 ^ _t17 ^ _t21;
                                                					if(_t30 == 0xbb40e64e) {
                                                						_t30 = 0xbb40e64f;
                                                					}
                                                					 *0x6c3e01a0 = _t30;
                                                					 *0x6c3e008c =  !_t30;
                                                					return _t21;
                                                				} else {
                                                					_t22 =  !_t13;
                                                					 *0x6c3e008c = _t22;
                                                					return _t22;
                                                				}
                                                			}













                                                APIs
                                                • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6C3D4788
                                                • GetCurrentProcessId.KERNEL32 ref: 6C3D4794
                                                • GetCurrentThreadId.KERNEL32 ref: 6C3D479C
                                                • GetTickCount.KERNEL32 ref: 6C3D47A4
                                                • QueryPerformanceCounter.KERNEL32(?), ref: 6C3D47B0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                • String ID: Fm*
                                                • API String ID: 1445889803-3000852143
                                                • Opcode ID: d61a15729137287c52c0d96209ffa078d527f5ec82d6e2c7a22dc270db753a21
                                                • Instruction ID: 34c4a403064254e541e3220f7100bd56e97790eb9c5c239f1b82b6f2a89d829d
                                                • Opcode Fuzzy Hash: d61a15729137287c52c0d96209ffa078d527f5ec82d6e2c7a22dc270db753a21
                                                • Instruction Fuzzy Hash: 46010876E002249BCF219BB9C8486DEB7FCFB4E356F564956E811E7204DA34AA40DFD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryW.KERNEL32(kernel32.dll,?,6C7CADB1), ref: 6C7CAD70
                                                • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6C7CAD87
                                                • GetProcAddress.KERNEL32(DecodePointer), ref: 6C7CAD99
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: AddressProc$LibraryLoad
                                                • String ID: DecodePointer$EncodePointer$kernel32.dll
                                                • API String ID: 2238633743-1525541703
                                                • Opcode ID: 86e1900a7fe47a61e741f8503549a83fecc5906ae98cfea0eaf49d31a46e2d69
                                                • Instruction ID: fdebaf0dfb0988933957ed18a9375635357806d347a2e45b42da740d5f2eff8c
                                                • Opcode Fuzzy Hash: 86e1900a7fe47a61e741f8503549a83fecc5906ae98cfea0eaf49d31a46e2d69
                                                • Instruction Fuzzy Hash: 1DE0EC70B00625DFCF60AF7299486473F78A74A369F08457BE81092A00C7345484DF80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 18%
                                                			E6C3D8316(void* __ecx, intOrPtr _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                                                				void* _v8;
                                                				int _v12;
                                                				int _v16;
                                                				struct _ACL* _v20;
                                                				void* _v24;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr _t72;
                                                				long _t73;
                                                				intOrPtr _t74;
                                                				int _t78;
                                                				intOrPtr _t80;
                                                				intOrPtr _t82;
                                                				intOrPtr _t83;
                                                				intOrPtr _t85;
                                                				intOrPtr _t88;
                                                				void* _t90;
                                                
                                                				_v8 = 0;
                                                				_v12 = 0;
                                                				_v16 = 0;
                                                				_v20 = 0;
                                                				_v24 = 0;
                                                				if(_a4 != 0) {
                                                					if(_a8 != 0) {
                                                						asm("sbb eax, eax");
                                                						_t90 =  *0x6c3e0028(0, ( ~_a12 & 0x00008000) + 0x23, 0, 0, _a4, _a8);
                                                						if(_t90 >= 0) {
                                                							if(_a12 == 0) {
                                                								L29:
                                                								_t90 = 0;
                                                								L33:
                                                								if(_v8 != 0) {
                                                									LocalFree(_v8);
                                                								}
                                                								L35:
                                                								return _t90;
                                                							}
                                                							_t90 = 0x8007000c;
                                                							if(E6C3CB5FC(__ecx, 0x8007000c, 0, 0, _a16,  &_v8) != 0) {
                                                								if(GetSecurityDescriptorDacl(_v8,  &_v12,  &_v20,  &_v16) == 0 || _v12 == 0) {
                                                									_t72 =  *0x6c3e0088; // 0x6c3e0088
                                                									if(_t72 != 0x6c3e0088 && ( *(_t72 + 0x1c) & 0x00000001) != 0) {
                                                										_t73 = GetLastError();
                                                										_t74 =  *0x6c3e0088; // 0x6c3e0088
                                                										_t55 = _t74 + 0x14; // 0x0
                                                										_t56 = _t74 + 0x10; // 0x1
                                                										E6C3D782C( *_t56,  *_t55, 0x58, 0x6c3d5ab8, _v12, _t73);
                                                									}
                                                									goto L33;
                                                								} else {
                                                									_t78 = GetSecurityDescriptorOwner(_v8,  &_v24,  &_v16);
                                                									if(_t78 != 0) {
                                                										__imp__SetNamedSecurityInfoW(_a8, 1, 0x80000005, _v24, 0, _v20, 0);
                                                										if(_t78 == 0) {
                                                											goto L29;
                                                										}
                                                										_t88 =  *0x6c3e0088; // 0x6c3e0088
                                                										if(_t88 != 0x6c3e0088 && ( *(_t88 + 0x1c) & 0x00000001) != 0) {
                                                											_push(_t78);
                                                											_push(0x6c3d5ab8);
                                                											_push(0x5a);
                                                											_t49 = _t88 + 0x14; // 0x0
                                                											_push( *_t49);
                                                											_t50 = _t88 + 0x10; // 0x1
                                                											_push( *_t50);
                                                											L28:
                                                											E6C3D99F8();
                                                										}
                                                										goto L33;
                                                									}
                                                									_t80 =  *0x6c3e0088; // 0x6c3e0088
                                                									if(_t80 == 0x6c3e0088 || ( *(_t80 + 0x1c) & 0x00000001) == 0) {
                                                										goto L33;
                                                									} else {
                                                										_push(GetLastError());
                                                										_t82 =  *0x6c3e0088; // 0x6c3e0088
                                                										_push(0x6c3d5ab8);
                                                										_push(0x59);
                                                										_t41 = _t82 + 0x14; // 0x0
                                                										_push( *_t41);
                                                										_t42 = _t82 + 0x10; // 0x1
                                                										_push( *_t42);
                                                										goto L28;
                                                									}
                                                								}
                                                							}
                                                							_t83 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t83 != 0x6c3e0088 && ( *(_t83 + 0x1c) & 0x00000001) != 0) {
                                                								_push(0x6c3d5ab8);
                                                								_push(0x57);
                                                								L17:
                                                								_t28 = _t83 + 0x14; // 0x0
                                                								_push( *_t28);
                                                								_t29 = _t83 + 0x10; // 0x1
                                                								_push( *_t29);
                                                								E6C3D5F11();
                                                							}
                                                							goto L33;
                                                						}
                                                						_t85 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t85 != 0x6c3e0088 && ( *(_t85 + 0x1c) & 0x00000001) != 0) {
                                                							_t20 = _t85 + 0x14; // 0x0
                                                							_t21 = _t85 + 0x10; // 0x1
                                                							E6C3D99F8( *_t21,  *_t20, 0x56, 0x6c3d5ab8, _t90);
                                                						}
                                                						goto L33;
                                                					}
                                                					_t83 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t83 == 0x6c3e0088 || ( *(_t83 + 0x1c) & 0x00000001) == 0) {
                                                						goto L35;
                                                					} else {
                                                						_push(0x6c3d5ab8);
                                                						_push(0x55);
                                                						goto L17;
                                                					}
                                                				}
                                                				_t83 =  *0x6c3e0088; // 0x6c3e0088
                                                				if(_t83 == 0x6c3e0088 || ( *(_t83 + 0x1c) & 0x00000001) == 0) {
                                                					goto L35;
                                                				} else {
                                                					_push(0x6c3d5ab8);
                                                					_push(0x54);
                                                					goto L17;
                                                				}
                                                			}




















                                                APIs
                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?,00000000,?,?), ref: 6C3D8442
                                                • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 6C3D8464
                                                • GetLastError.KERNEL32 ref: 6C3D8488
                                                • SetNamedSecurityInfoW.ADVAPI32(00000001,00000001,80000005,?,00000000,?,00000000), ref: 6C3D84B5
                                                • GetLastError.KERNEL32 ref: 6C3D84FE
                                                • LocalFree.KERNEL32(?), ref: 6C3D8527
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: Security$DescriptorErrorLast$DaclFreeInfoLocalNamedOwner
                                                • String ID:
                                                • API String ID: 442303658-0
                                                • Opcode ID: 0210172c3ffa12d1bf0297d5b7810af96bbbc0ba0aa4bfc07ef909428ab27ad1
                                                • Instruction ID: 008458edffecb21d3f1919241c6b461a26d7a9c27fc96f4f8b74fb3f51ca86ae
                                                • Opcode Fuzzy Hash: 0210172c3ffa12d1bf0297d5b7810af96bbbc0ba0aa4bfc07ef909428ab27ad1
                                                • Instruction Fuzzy Hash: 30519136555154ABCB52CE44CC84FDE3B7AFB05719F220057FA109A960C772FA489FE2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,00000064,000004FF), ref: 6C7ABD62
                                                • GetTickCount.KERNEL32 ref: 6C7ABD72
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6C7ABDF3
                                                • TranslateMessage.USER32(?), ref: 6C7ABE01
                                                • DispatchMessageW.USER32(?), ref: 6C7ABE0B
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6C7ABE1A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Message$Peek$CountDispatchMultipleObjectsTickTranslateWait
                                                • String ID:
                                                • API String ID: 732506675-0
                                                • Opcode ID: ead22b3ef2022fcf1f3456bdef8cb516ecccae8ff422a2c20b4b642502df8737
                                                • Instruction ID: 0b808cb904697aa5097351fc60ea402ddc6aa7c9e8caed51a487d1d2f37cd5a4
                                                • Opcode Fuzzy Hash: ead22b3ef2022fcf1f3456bdef8cb516ecccae8ff422a2c20b4b642502df8737
                                                • Instruction Fuzzy Hash: 8731F4B2A0030DABDB109FF1C9898DA7BFCEF05315F140A75E152A2950EB31E885CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 25%
                                                			E6C3D6513(void* __edx, intOrPtr _a4) {
                                                				signed int _v8;
                                                				void _v86;
                                                				char _v88;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t21;
                                                				intOrPtr _t29;
                                                				intOrPtr _t33;
                                                				intOrPtr _t35;
                                                				long _t37;
                                                				void* _t38;
                                                				void* _t41;
                                                				int _t42;
                                                				intOrPtr _t44;
                                                				signed int _t45;
                                                
                                                				_t41 = __edx;
                                                				_t21 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t21 ^ _t45;
                                                				_t44 = _a4;
                                                				_t42 = 0;
                                                				_v88 = 0;
                                                				memset( &_v86, 0, 0x4c);
                                                				_t37 = 0x57;
                                                				if(_t44 != 0) {
                                                					_push(0x27);
                                                					_push( &_v88);
                                                					_push(_t44);
                                                					if( *0x6c3e0004() != 0) {
                                                						_t37 = E6C3D7DFE(_t38, 0x80000001, L"Software\\Microsoft\\SQMClient", 0, L"UserId",  &_v88);
                                                						if(_t37 != 0) {
                                                							_t29 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t29 == 0x6c3e0088 || ( *(_t29 + 0x1c) & 0x00000001) == 0) {
                                                								L14:
                                                								SetLastError(_t37);
                                                								return E6C3C171F(_t42, _t37, _v8 ^ _t45, _t41, _t42, _t44);
                                                							} else {
                                                								_push(_t37);
                                                								_push(0x6c3d5a6c);
                                                								_push(0x72);
                                                								L13:
                                                								_t18 = _t29 + 0x14; // 0x0
                                                								_push( *_t18);
                                                								_t19 = _t29 + 0x10; // 0x1
                                                								_push( *_t19);
                                                								E6C3D99F8();
                                                								goto L14;
                                                							}
                                                						}
                                                						_t42 = 1;
                                                						goto L14;
                                                					}
                                                					_t33 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t33 == 0x6c3e0088 || ( *(_t33 + 0x1c) & 0x00000001) == 0) {
                                                						goto L14;
                                                					} else {
                                                						_push(GetLastError());
                                                						_t29 =  *0x6c3e0088; // 0x6c3e0088
                                                						_push(0x6c3d5a6c);
                                                						_push(0x71);
                                                						goto L13;
                                                					}
                                                				}
                                                				_t35 =  *0x6c3e0088; // 0x6c3e0088
                                                				if(_t35 != 0x6c3e0088 && ( *(_t35 + 0x1c) & 0x00000001) != 0) {
                                                					_t8 = _t35 + 0x14; // 0x0
                                                					_t9 = _t35 + 0x10; // 0x1
                                                					E6C3D5F11( *_t9,  *_t8, 0x70, 0x6c3d5a6c);
                                                				}
                                                				goto L14;
                                                			}

                                                APIs
                                                • memset.MSVCRT ref: 6C3D6538
                                                • GetLastError.KERNEL32 ref: 6C3D659B
                                                • SetLastError.KERNEL32(00000000,80000001,Software\Microsoft\SQMClient,00000000,UserId,?), ref: 6C3D65FA
                                                  • Part of subcall function 6C3D5F11: EtwTraceMessage.NTDLL ref: 6C3D5F26
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$MessageTracememset
                                                • String ID: Fm*$Software\Microsoft\SQMClient$UserId
                                                • API String ID: 1733364027-2710965330
                                                • Opcode ID: 9ee67306e85582d09573cb439562fc41bd1cabb29e58d8fcd15fb1070c037a56
                                                • Instruction ID: 459e0d893514e5d96a02900deb6bd72d941c8d4422cc33caeb657dcb7f11a463
                                                • Opcode Fuzzy Hash: 9ee67306e85582d09573cb439562fc41bd1cabb29e58d8fcd15fb1070c037a56
                                                • Instruction Fuzzy Hash: 71215572210280ABC740DA948C84FDE377DEB4A308F120829F625DA951CB65ED889F22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6C3DA55E(void* _a4, void* _a8, char* _a12, char* _a16) {
                                                				char _v8;
                                                				int _v12;
                                                				int _v16;
                                                				int _t45;
                                                
                                                				_v8 = 0;
                                                				if(RegOpenKeyExA(_a4, _a8, 0, 1,  &_a8) == 0) {
                                                					_v12 = 4;
                                                					if(RegQueryValueExA(_a8, _a16, 0,  &_v16,  &_v8,  &_v12) == 0 && _v16 != 4) {
                                                						_v8 = 0;
                                                					}
                                                					RegCloseKey(_a8);
                                                				}
                                                				if(RegOpenKeyExA(_a4, _a12, 0, 1,  &_a8) == 0) {
                                                					_t45 = 4;
                                                					_v12 = _t45;
                                                					if(RegQueryValueExA(_a8, _a16, 0,  &_v16,  &_v8,  &_v12) == 0 && _v16 != _t45) {
                                                						_v8 = 0;
                                                					}
                                                					RegCloseKey(_a8);
                                                				}
                                                				return _v8;
                                                			}

                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,?), ref: 6C3DA581
                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 6C3DA5A7
                                                • RegCloseKey.ADVAPI32(?), ref: 6C3DA5B9
                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,?), ref: 6C3DA5CC
                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 6C3DA5EB
                                                • RegCloseKey.ADVAPI32(?), ref: 6C3DA5FC
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: c18602dfc06951c899e7d6d1e7832157aab5cae0b4200988cf4a4b8e875dd3b9
                                                • Instruction ID: e55c7a635eb0a834db03602ded81f6c2e2d933fbbb8ef6545526ccf1247bfa4b
                                                • Opcode Fuzzy Hash: c18602dfc06951c899e7d6d1e7832157aab5cae0b4200988cf4a4b8e875dd3b9
                                                • Instruction Fuzzy Hash: 412100B6900248FBDF128F92DD44ECE7BBDEB84314F108162BA14A6010D731EA54EB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6C3C87B7(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, long _a8, HANDLE* _a12, int _a16, long _a20) {
                                                				signed int _v8;
                                                				long _v12;
                                                				long _v16;
                                                				struct tagMSG _v44;
                                                				long _t30;
                                                				intOrPtr _t37;
                                                				long _t45;
                                                
                                                				_v8 = _v8 & 0x00000000;
                                                				_t45 = _a20;
                                                				_v16 = GetTickCount();
                                                				do {
                                                					if(_a20 != 0xffffffff && _a20 != 0) {
                                                						_t45 = _a20 - _v8;
                                                					}
                                                					_t30 = MsgWaitForMultipleObjects(_a8, _a12, _a16, _t45, 0x4ff);
                                                					_v12 = _t30;
                                                					if(_t30 == _a8) {
                                                						while(PeekMessageW( &_v44, 0, 0, 0, 1) != 0) {
                                                							TranslateMessage( &_v44);
                                                							DispatchMessageW( &_v44);
                                                						}
                                                					}
                                                					_v8 = E6C3C1948(_v16, GetTickCount());
                                                				} while (_v12 == _a8);
                                                				_t37 =  *0x6c3e0088; // 0x6c3e0088
                                                				if(_t37 != 0x6c3e0088 && ( *(_t37 + 0x1c) & 0x00000004) != 0) {
                                                					_t27 = _t37 + 0x14; // 0x0
                                                					_t28 = _t37 + 0x10; // 0x1
                                                					E6C3D77B8( *_t28,  *_t27, 0x53, 0x6c3d5ab8, _a4, _v8);
                                                				}
                                                				return _v12;
                                                			}

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 6C3C87CF
                                                • MsgWaitForMultipleObjects.USER32(?,?,00000000,?,000004FF), ref: 6C3C87F9
                                                • GetTickCount.KERNEL32 ref: 6C3C880B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CountTick$MultipleObjectsWait
                                                • String ID:
                                                • API String ID: 459475419-0
                                                • Opcode ID: 49a8ad38ee5c2e3f8fd469f1054cd03574854df23025027aede4643a78425ad3
                                                • Instruction ID: b86c9f63b066754aced69ec6d2db8aa72d43529481a0f4fc53f7c648b31d65a7
                                                • Opcode Fuzzy Hash: 49a8ad38ee5c2e3f8fd469f1054cd03574854df23025027aede4643a78425ad3
                                                • Instruction Fuzzy Hash: 3A212C72A00249EFDF01DFA5C884EDE7B78EF09358F108162EA14A6550C731EE55EFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 80%
                                                			E6C3C17EB(int _a4) {
                                                				char _v16;
                                                				signed int _t13;
                                                				signed int _t15;
                                                				char* _t17;
                                                				signed int _t18;
                                                
                                                				while(1) {
                                                					_t13 = malloc(_a4);
                                                					if(_t13 != 0) {
                                                						break;
                                                					}
                                                					_push(_a4);
                                                					L6C3DA2CD();
                                                					__eflags = _t13;
                                                					if(_t13 != 0) {
                                                						continue;
                                                					} else {
                                                						__eflags =  *0x6c3e0560 & 0x00000001;
                                                						if(( *0x6c3e0560 & 0x00000001) == 0) {
                                                							 *0x6c3e0560 =  *0x6c3e0560 | 0x00000001;
                                                							__eflags =  *0x6c3e0560;
                                                							E6C3D9EF9(0x6c3e0554);
                                                							E6C3DA2B1(__eflags, E6C3DE0D9);
                                                						}
                                                						E6C3D9F36( &_v16, 0x6c3e0554);
                                                						_push(0x6c3de290);
                                                						_t15 =  &_v16;
                                                						_push(_t15);
                                                						L6C3DA180();
                                                						asm("int3");
                                                						while(1) {
                                                							_push(_a4);
                                                							L6C3DA2CD();
                                                							__eflags = _t15;
                                                							if(_t15 == 0) {
                                                								break;
                                                							}
                                                							_t15 = malloc(_a4);
                                                							__eflags = _t15;
                                                							if(_t15 == 0) {
                                                								continue;
                                                							} else {
                                                								return _t15;
                                                							}
                                                							goto L14;
                                                						}
                                                						__eflags =  *0x6c3e0570 & 0x00000001;
                                                						if(( *0x6c3e0570 & 0x00000001) == 0) {
                                                							 *0x6c3e0570 =  *0x6c3e0570 | 0x00000001;
                                                							__eflags =  *0x6c3e0570;
                                                							E6C3D9EF9(0x6c3e0564);
                                                							E6C3DA2B1(__eflags, E6C3DE0F2);
                                                						}
                                                						E6C3D9F36( &_v16, 0x6c3e0564);
                                                						_push(0x6c3de290);
                                                						_t17 =  &_v16;
                                                						_push(_t17);
                                                						L6C3DA180();
                                                						asm("int3");
                                                						_t18 = _t17 + 1;
                                                						__eflags = _t18;
                                                						return _t18;
                                                					}
                                                					L14:
                                                				}
                                                				return _t13;
                                                				goto L14;
                                                			}








                                                APIs
                                                • malloc.MSVCRT ref: 6C3C17F6
                                                • _callnewh.MSVCRT ref: 6C3D4473
                                                • _CxxThrowException.MSVCRT(00000001,6C3DE290), ref: 6C3D44BA
                                                • _callnewh.MSVCRT ref: 6C3D44C3
                                                • _CxxThrowException.MSVCRT(00000001,6C3DE290), ref: 6C3D450A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ExceptionThrow_callnewh$malloc
                                                • String ID:
                                                • API String ID: 1527866585-0
                                                • Opcode ID: fc16f5a3c5c8ae648c3ec0ceae7b70fbc6d5d51b3896965eb51897a88bad8b71
                                                • Instruction ID: 30cb03590cc6220b3a40f7962baeb3a40e4058ea00bd037100b16178389b5608
                                                • Opcode Fuzzy Hash: fc16f5a3c5c8ae648c3ec0ceae7b70fbc6d5d51b3896965eb51897a88bad8b71
                                                • Instruction Fuzzy Hash: 6011A33390831866DF04ABA2ED019DD3B78AF0025DF164015EC9295D90DF36BA49EFD2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E6C3D8C6C(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                				void* _t24;
                                                				void* _t25;
                                                				void* _t26;
                                                				struct _CRITICAL_SECTION* _t39;
                                                				intOrPtr* _t42;
                                                				void* _t43;
                                                
                                                				_push(4);
                                                				E6C3C49E9(E6C3DDD2D, __ebx, __edi, __esi);
                                                				_t42 = __ecx;
                                                				 *((intOrPtr*)(_t43 - 0x10)) = __ecx;
                                                				 *((intOrPtr*)(_t43 - 4)) = 1;
                                                				if( *__ecx != 0 &&  *((intOrPtr*)(__ecx + 4)) == 0) {
                                                					_t39 = __ecx + 0x30;
                                                					EnterCriticalSection(_t39);
                                                					 *_t42 = 0;
                                                					E6C3D8958(_t42 + 0x14);
                                                					E6C3D8C1F(_t42 + 0x20);
                                                					LeaveCriticalSection(_t39);
                                                					_t24 =  *(_t42 + 0x48);
                                                					if(_t24 != 0) {
                                                						CloseHandle(_t24);
                                                						 *(_t42 + 0x48) = 0;
                                                					}
                                                					_t25 =  *(_t42 + 0x4c);
                                                					if(_t25 != 0) {
                                                						CloseHandle(_t25);
                                                						 *(_t42 + 0x4c) = 0;
                                                					}
                                                					_t26 =  *(_t42 + 0x50);
                                                					if(_t26 != 0) {
                                                						CloseHandle(_t26);
                                                						 *(_t42 + 0x50) = 0;
                                                					}
                                                					DeleteCriticalSection(_t42 + 0x30);
                                                				}
                                                				 *((char*)(_t43 - 4)) = 0;
                                                				E6C3D8C1F(_t42 + 0x20);
                                                				return E6C3C4821(E6C3D8958(_t42 + 0x14));
                                                			}









                                                APIs
                                                • LeaveCriticalSection.KERNEL32(?,?,6C3CF4D9,00000001,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3D8CAC
                                                • CloseHandle.KERNEL32(?,?,6C3CF4D9,00000001,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3D8CC0
                                                • CloseHandle.KERNEL32(?,?,6C3CF4D9,00000001,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3D8CCD
                                                • CloseHandle.KERNEL32(?,?,6C3CF4D9,00000001,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3D8CDA
                                                • DeleteCriticalSection.KERNEL32(?,?,6C3CF4D9,00000001,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3D8CE3
                                                • EnterCriticalSection.KERNEL32(?,00000004,6C3D630E,6C3E0168,?,6C3CF4D9,00000001,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3D8C93
                                                  • Part of subcall function 6C3D8958: free.MSVCRT(00000000,?,6C3D8CFC,00000004,6C3D630E,6C3E0168,?,6C3CF4D9,00000001,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3D8964
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseCriticalHandleSection$DeleteEnterLeavefree
                                                • String ID:
                                                • API String ID: 2998865046-0
                                                • Opcode ID: ceef2a9d19161b2fc54a9fcc272dbcd00982573f45197d7bfacf4a3223fb2782
                                                • Instruction ID: 270651eb39ff7196a3327141e1d26a453b1b2bc1d89e4d66fc903ba786c4d744
                                                • Opcode Fuzzy Hash: ceef2a9d19161b2fc54a9fcc272dbcd00982573f45197d7bfacf4a3223fb2782
                                                • Instruction Fuzzy Hash: E011C576502705CBCB20EFA9D5845AAF7F8BF14208791192ED28293E10DB75F948CF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6C3C1E75(void* __esi) {
                                                				intOrPtr _t6;
                                                				signed int _t14;
                                                				signed int _t15;
                                                
                                                				if( *0x6c3e009c == 0) {
                                                					_t6 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t6 - 0x6c3e0088;
                                                					if(_t6 != 0x6c3e0088) {
                                                						__eflags =  *(_t6 + 0x1c) & 0x00000001;
                                                						if(( *(_t6 + 0x1c) & 0x00000001) != 0) {
                                                							_t4 = _t6 + 0x14; // 0x0
                                                							_t5 = _t6 + 0x10; // 0x1
                                                							E6C3D5F11( *_t5,  *_t4, 0xd, 0x6c3d5a6c);
                                                						}
                                                					}
                                                					SetLastError(0x1000010a);
                                                					__eflags = 0;
                                                					return 0;
                                                				} else {
                                                					E6C3C1D01();
                                                					EnterCriticalSection(0x6c3e0168);
                                                					_t14 =  *0x6c3e00a4; // 0x0
                                                					_t20 = _t14;
                                                					if(_t14 != 0) {
                                                						E6C3C1ED9(_t14, _t20, 1);
                                                						 *0x6c3e00a4 =  *0x6c3e00a4 & 0x00000000;
                                                					}
                                                					_t15 =  *0x6c3e00a8; // 0x0
                                                					if(_t15 != 0) {
                                                						E6C3D6301(_t15, __eflags, 1);
                                                						 *0x6c3e00a8 =  *0x6c3e00a8 & 0x00000000;
                                                					}
                                                					 *0x6c3e009c =  *0x6c3e009c & 0x00000000;
                                                					LeaveCriticalSection(0x6c3e0168);
                                                					DeleteCriticalSection(0x6c3e0168);
                                                					return 1;
                                                				}
                                                			}






                                                APIs
                                                • EnterCriticalSection.KERNEL32(6C3E0168,00000000,6C3C1E21,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3C1E8E
                                                • ctype.LIBCPMT ref: 6C3C1EA0
                                                • LeaveCriticalSection.KERNEL32(6C3E0168,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3C1EC2
                                                • DeleteCriticalSection.KERNEL32(6C3E0168,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3C1EC9
                                                • SetLastError.KERNEL32(1000010A,6C3C1E21,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3CF4C9
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CriticalSection$DeleteEnterErrorLastLeavectype
                                                • String ID:
                                                • API String ID: 1588575130-0
                                                • Opcode ID: 1315060675eed6a42dbe8494d0d75426cea9b2dca27939797205a000e9a0c9e7
                                                • Instruction ID: 9c309d152ed47a6f167c80efc3c422f6bcd29ba509349ee3b4b1665d02b9c245
                                                • Opcode Fuzzy Hash: 1315060675eed6a42dbe8494d0d75426cea9b2dca27939797205a000e9a0c9e7
                                                • Instruction Fuzzy Hash: 79018F393521509FDB91EB20C848FDE3678AF0A31AF11000AE155D9991CB7ADD48BF67
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 21%
                                                			E6C3CAA10(void* __edx, intOrPtr _a4, intOrPtr _a8, signed int _a12, WCHAR* _a16, intOrPtr _a20) {
                                                				signed int _v8;
                                                				void _v526;
                                                				char _v528;
                                                				intOrPtr _v532;
                                                				int _v536;
                                                				struct _FILETIME _v544;
                                                				struct _FILETIME _v560;
                                                				void _v580;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t72;
                                                				intOrPtr _t78;
                                                				void* _t86;
                                                				void* _t89;
                                                				WCHAR* _t94;
                                                				intOrPtr _t97;
                                                				void* _t98;
                                                				int _t101;
                                                				signed int _t102;
                                                				void* _t103;
                                                				void* _t104;
                                                
                                                				_t98 = __edx;
                                                				_t72 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t72 ^ _t102;
                                                				_t94 = _a16;
                                                				_t101 = 0;
                                                				_v532 = _a4;
                                                				_v544.dwLowDateTime = 0;
                                                				asm("stosd");
                                                				_v536 = 0;
                                                				_v528 = 0;
                                                				memset( &_v526, 0, 0x206);
                                                				_t104 = _t103 + 0xc;
                                                				_push(0x57);
                                                				_pop(0);
                                                				if(_t94 == 0) {
                                                					_t78 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t78 == 0x6c3e0088 || ( *(_t78 + 0x1c) & 0x00000001) == 0) {
                                                						goto L19;
                                                					} else {
                                                						_push(0x6c3d5ab8);
                                                						_push(0x40);
                                                						goto L23;
                                                					}
                                                				} else {
                                                					if(_a20 == 0) {
                                                						__eax =  *0x6c3e0088; // 0x6c3e0088
                                                						if(__eax == 0x6c3e0088 || ( *(__eax + 0x1c) & 0x00000001) == 0) {
                                                							L19:
                                                							return E6C3C171F(0, _t94, _v8 ^ _t102, _t98, 0, _t101);
                                                						} else {
                                                							_push(0x6c3d5ab8);
                                                							_push(0x41);
                                                							L23:
                                                							_t41 = _t78 + 0x14; // 0x0
                                                							_push( *_t41);
                                                							_t42 = _t78 + 0x10; // 0x1
                                                							_push( *_t42);
                                                							E6C3D5F11();
                                                							goto L19;
                                                						}
                                                					}
                                                					__eax =  &_v528;
                                                					if((_a12 & 0x00000010) != 0) {
                                                						__eax = E6C3D8316(__ecx, L"Microsoft\\Windows\\Sqm\\Upload",  &_v528, 1, 1);
                                                						if(__eax >= 0) {
                                                							__eax =  *0x6c3e04ec(_v532);
                                                							if(__eax != 0) {
                                                								__eax =  &_v528;
                                                								__eax =  *0x6c3e0540( &_v528, __eax);
                                                								if(__eax != 0) {
                                                									L15:
                                                									if(_a8 <= __esi) {
                                                										L3:
                                                										if((_a12 & 0x00000002) != 0) {
                                                											_t89 = E6C3C18E5(_t94, _a20, _v532, _v536);
                                                											if(_t89 >= 0) {
                                                												L18:
                                                												goto L19;
                                                											}
                                                											_t97 =  *0x6c3e0088; // 0x6c3e0088
                                                											if(_t97 != 0x6c3e0088 && ( *(_t97 + 0x1c) & 0x00000001) != 0) {
                                                												_push(_t89);
                                                												_push(0x6c3d5ab8);
                                                												_push(0x47);
                                                												L43:
                                                												_t62 = _t97 + 0x14; // 0x0
                                                												_push( *_t62);
                                                												_t63 = _t97 + 0x10; // 0x1
                                                												_push( *_t63);
                                                												E6C3D99F8();
                                                											}
                                                											goto L19;
                                                										}
                                                										goto L19;
                                                									} else {
                                                										goto L16;
                                                									}
                                                									while(1) {
                                                										L16:
                                                										_t86 = E6C3C18E5(_t94, _a20,  &_v528, _t101);
                                                										_t104 = _t104 + 0x10;
                                                										if(_t86 < 0) {
                                                											break;
                                                										}
                                                										_push(_t94);
                                                										if( *0x6c3e04f0() != 0) {
                                                											if((_a12 & 0x00000001) != 0) {
                                                												goto L18;
                                                											}
                                                											if((_a12 & 0x00000002) == 0 || GetFileAttributesExW(_t94, 0,  &_v580) == 0) {
                                                												L10:
                                                												_t101 = _t101 + 1;
                                                												if(_t101 < _a8) {
                                                													continue;
                                                												}
                                                												goto L3;
                                                											} else {
                                                												if(_t101 != 0) {
                                                													goto L1;
                                                												}
                                                												L9:
                                                												_v544.dwLowDateTime = _v560.dwLowDateTime;
                                                												_v536 = _t101;
                                                												_v544.dwHighDateTime = _v560.dwHighDateTime;
                                                												goto L10;
                                                											}
                                                										}
                                                										goto L18;
                                                									}
                                                									_t97 =  *0x6c3e0088; // 0x6c3e0088
                                                									if(_t97 == 0x6c3e0088 || ( *(_t97 + 0x1c) & 0x00000001) == 0) {
                                                										goto L19;
                                                									} else {
                                                										_push(_t86);
                                                										_push(0x6c3d5ab8);
                                                										_push(0x46);
                                                										goto L43;
                                                									}
                                                								}
                                                								__eax =  *0x6c3e0088; // 0x6c3e0088
                                                								if(__eax == 0x6c3e0088 || ( *(__eax + 0x1c) & 0x00000001) == 0) {
                                                									goto L19;
                                                								} else {
                                                									_push(0x6c3d5ab8);
                                                									_push(0x44);
                                                									goto L23;
                                                								}
                                                							}
                                                							__eax =  *0x6c3e0088; // 0x6c3e0088
                                                							if(__eax == 0x6c3e0088 || ( *(__eax + 0x1c) & 0x00000001) == 0) {
                                                								goto L19;
                                                							} else {
                                                								_push(0x6c3d5ab8);
                                                								_push(0x43);
                                                								goto L23;
                                                							}
                                                						}
                                                						__ecx =  *0x6c3e0088; // 0x6c3e0088
                                                						if(__ecx != 0x6c3e0088 && ( *(__ecx + 0x1c) & 0x00000001) != 0) {
                                                							_t49 = __ecx + 0x14; // 0x0
                                                							_t50 = __ecx + 0x10; // 0x1
                                                							__eax = E6C3D99F8( *_t50,  *_t49, 0x42, 0x6c3d5ab8, __eax);
                                                						}
                                                						__edi = 3;
                                                						goto L19;
                                                					}
                                                					__eax = E6C3C173D( &_v528, 0x104, _v532);
                                                					if(__eax < 0) {
                                                						__ecx =  *0x6c3e0088; // 0x6c3e0088
                                                						if(__ecx == 0x6c3e0088 || ( *(__ecx + 0x1c) & 0x00000001) == 0) {
                                                							goto L19;
                                                						} else {
                                                							_push(__eax);
                                                							_push(0x6c3d5ab8);
                                                							_push(0x45);
                                                							goto L43;
                                                						}
                                                					}
                                                					goto L15;
                                                				}
                                                				L1:
                                                				if(CompareFileTime( &_v544,  &_v560) <= 0) {
                                                					goto L10;
                                                				}
                                                				goto L9;
                                                			}

                                                APIs
                                                • GetFileAttributesExW.KERNEL32(?,00000000,?), ref: 6C3CA9D3
                                                • memset.MSVCRT ref: 6C3CAA5F
                                                  • Part of subcall function 6C3C18E5: _vsnwprintf.MSVCRT ref: 6C3C1913
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: AttributesFile_vsnwprintfmemset
                                                • String ID: Fm*$Microsoft\Windows\Sqm\Upload
                                                • API String ID: 1199674523-3206609812
                                                • Opcode ID: 6d7ab5d6978727e6b642f8ce35a9452519f788a4e31fda2a9964d4027b1beb17
                                                • Instruction ID: 01a6c90ec299bb549829b3ac5c7bb36d2668951192d07ad596014288961edc81
                                                • Opcode Fuzzy Hash: 6d7ab5d6978727e6b642f8ce35a9452519f788a4e31fda2a9964d4027b1beb17
                                                • Instruction Fuzzy Hash: 3A711375B4525CABCB52CE14CD84BDD3BA8FF19708F200086E9589AD81C772DE859FA3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7C68AD
                                                • GetLastError.KERNEL32 ref: 6C7C68F5
                                                  • Part of subcall function 6C777479: __EH_prolog3.LIBCMT ref: 6C777480
                                                Strings
                                                • WinHttpReceiveResponse, xrefs: 6C7C68FE
                                                • WINHTTP_CALLBACK_STATUS_REQUEST_ERROR error: error=%d, result= %d. Percentage downloaded=%i, xrefs: 6C7C699B
                                                • Error writing to local file: hr= 0x%x, xrefs: 6C7C6A2B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$ErrorLast
                                                • String ID: Error writing to local file: hr= 0x%x$WINHTTP_CALLBACK_STATUS_REQUEST_ERROR error: error=%d, result= %d. Percentage downloaded=%i$WinHttpReceiveResponse
                                                • API String ID: 1123136255-3042121607
                                                • Opcode ID: 3479b91789cda5e113e519c6a45ed8dfa423ab54d6450cc1357f2a11e690d639
                                                • Instruction ID: 549e17585d6263c37af7cc6c69afecbc3a94e2bc133d00373ea5964fcf4174d1
                                                • Opcode Fuzzy Hash: 3479b91789cda5e113e519c6a45ed8dfa423ab54d6450cc1357f2a11e690d639
                                                • Instruction Fuzzy Hash: 0381B470A0060ADFCB14CF64C598AEEBBF6FF48315F218829E469D7750DB35AA41CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C780E9D
                                                  • Part of subcall function 6C778B9F: __EH_prolog3.LIBCMT ref: 6C778BA6
                                                • __CxxThrowException@8.LIBCMT ref: 6C781011
                                                Strings
                                                • schema validation failure: , xrefs: 6C780F73
                                                • ParameterInfo.xml, xrefs: 6C780F63
                                                • must have exactly 2 child nodes, xrefs: 6C780F88
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw
                                                • String ID: must have exactly 2 child nodes$ParameterInfo.xml$schema validation failure:
                                                • API String ID: 2489616738-936724439
                                                • Opcode ID: 14b477a40ebfb19da7ef3f4523fde4c6a7587176ee8eded119a116a2878038f5
                                                • Instruction ID: 2b494ffa22d0b51c23875dd1f314312339792e234992c74ea103d1e8b0d059e2
                                                • Opcode Fuzzy Hash: 14b477a40ebfb19da7ef3f4523fde4c6a7587176ee8eded119a116a2878038f5
                                                • Instruction Fuzzy Hash: 42514371501249EFDB10DFA8CA4DBEEBBB8AF05318F148559E115EB781CB31DA05CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LocalFree.KERNEL32(?,?), ref: 6C3CB6DB
                                                  • Part of subcall function 6C3C3679: GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,6C3C332F,?), ref: 6C3C3683
                                                  • Part of subcall function 6C3C3679: OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,6C3C332F,?), ref: 6C3C36B3
                                                  • Part of subcall function 6C3C3679: ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 6C3C36D5
                                                  • Part of subcall function 6C3C3679: FindCloseChangeNotification.KERNEL32(?,?,00000001,?,?,?,?,6C3C332F,?), ref: 6C3C36E0
                                                  • Part of subcall function 6C3C1967: malloc.MSVCRT(?,6C3E0554), ref: 6C3C1979
                                                  • Part of subcall function 6C3C18E5: _vsnwprintf.MSVCRT ref: 6C3C1913
                                                • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(00000000,00000001,?,00000000), ref: 6C3CB6BD
                                                Strings
                                                • (A;OICI;GA;;;LS), xrefs: 6C3CB6A2
                                                • O:%sD:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GA;;;%s), xrefs: 6C3CB686
                                                • O:%sD:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA), xrefs: 6C3CFDB8
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ConvertDescriptorProcessSecurityString$ChangeCloseCurrentFindFreeLocalNotificationOpenToken_vsnwprintfmalloc
                                                • String ID: (A;OICI;GA;;;LS)$O:%sD:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)$O:%sD:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GA;;;%s)
                                                • API String ID: 924584396-2141982788
                                                • Opcode ID: e7dff6d99bdcfcc9d5ec9ff5c24605e16e5f5adb0ad2a0d8c2ea0b3e2b337fe4
                                                • Instruction ID: 9eb72438302d43d89626f68284a5d8814475331f774d15b979f7daa0a49714e1
                                                • Opcode Fuzzy Hash: e7dff6d99bdcfcc9d5ec9ff5c24605e16e5f5adb0ad2a0d8c2ea0b3e2b337fe4
                                                • Instruction Fuzzy Hash: B341E131702244BBDB019E64CCC5AEE7B68AF0534CF20446AE910AED91CB32DD65AF63
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B3E9E
                                                  • Part of subcall function 6C7B401F: __EH_prolog3.LIBCMT ref: 6C7B4026
                                                  • Part of subcall function 6C7B401F: GetThreadLocale.KERNEL32(?,DHTMLHeader.html), ref: 6C7B4041
                                                  • Part of subcall function 6C7B401F: GetModuleFileNameW.KERNEL32(6C750000,00000010,00000104), ref: 6C7B40B3
                                                  • Part of subcall function 6C7B401F: PathFileExistsW.SHLWAPI(?,00000014,00000000), ref: 6C7B4101
                                                • __CxxThrowException@8.LIBCMT ref: 6C7B3F43
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                • GetFileSize.KERNEL32(?,00000000,00000080,80000000,00000001,00000003,00000080,00000000,?), ref: 6C7B3F4C
                                                • CloseHandle.KERNEL32(?), ref: 6C7B3F6A
                                                  • Part of subcall function 6C778329: __EH_prolog3.LIBCMT ref: 6C778330
                                                  • Part of subcall function 6C77A3BC: __EH_prolog3.LIBCMT ref: 6C77A3C3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$File$CloseDispatcherExceptionException@8ExistsHandleLocaleModuleNamePathSizeThreadThrowUser
                                                • String ID: DHTML Header: %s
                                                • API String ID: 3827389996-3243986505
                                                • Opcode ID: 8ef4b03e0a1c2dd8c8408d03f8a982d3265b69874819467b8f07e2a888f4e5b2
                                                • Instruction ID: dfe2356007478db09a45cf601357d3881daed3fe55accce63c6d2d1cf16d28ed
                                                • Opcode Fuzzy Hash: 8ef4b03e0a1c2dd8c8408d03f8a982d3265b69874819467b8f07e2a888f4e5b2
                                                • Instruction Fuzzy Hash: A8412C7190020AAFCF10DFA8DA4DADEBBB9AF09314F14055AF110F7780DB349A499B61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: CodeExitH_prolog3Process_memset
                                                • String ID: -d $D
                                                • API String ID: 1173512957-2205093307
                                                • Opcode ID: ef4fed80fa619a52204f416cfa4be8c246ec47d85b6e22803a744393997ed485
                                                • Instruction ID: e7f7c8f9188d55f68c2079363fa36f622c459110f566c10b2b06e14a6564b711
                                                • Opcode Fuzzy Hash: ef4fed80fa619a52204f416cfa4be8c246ec47d85b6e22803a744393997ed485
                                                • Instruction Fuzzy Hash: 954170756001099FDF00DFA4CA88AEEB7BAFF49318F144565E501BB351CB31DA09CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 50%
                                                			E6C3C19F5(signed char __eax, void* __ebx, void* __edx, intOrPtr* __edi, void* __esi, void* _a4, long _a8, intOrPtr _a12) {
                                                				signed char _t26;
                                                				void* _t27;
                                                				signed char _t28;
                                                				void* _t30;
                                                				long _t31;
                                                				void* _t33;
                                                				long _t35;
                                                				long _t36;
                                                				void* _t37;
                                                				void* _t43;
                                                				long _t44;
                                                				void** _t46;
                                                				intOrPtr* _t58;
                                                				signed int _t61;
                                                				void* _t62;
                                                				long _t64;
                                                				void* _t66;
                                                				intOrPtr* _t70;
                                                				intOrPtr _t80;
                                                
                                                				_t58 = __edi;
                                                				_t41 = __ebx;
                                                				_t26 = __eax;
                                                				asm("adc al, 0x82");
                                                				asm("loop 0xffffff9f");
                                                				asm("lds ecx, [edi-0x55c052bf]");
                                                				_t66 = __esi - 1;
                                                				if(_t66 >= 0) {
                                                					_push(__ebx);
                                                					 *__edi =  *__edi + _t46;
                                                					asm("o16 add [eax+eax+0x77], dh");
                                                					 *_t46 =  *_t46 + __eax;
                                                					__eflags =  *_t46;
                                                					if ( *_t46 < 0) goto L3;
                                                					 *[gs:ecx] =  *[gs:ecx] + __edx;
                                                					__eflags =  *[gs:ecx];
                                                					if ( *[gs:ecx] != 0) goto L4;
                                                					asm("popad");
                                                					 *((intOrPtr*)(__eax + __eax + 0x69)) =  *((intOrPtr*)(__eax + __eax + 0x69)) + _t46;
                                                					 *((intOrPtr*)(__eax + __eax + 0x79)) =  *((intOrPtr*)(__eax + __eax + 0x79)) + __edx;
                                                					 *_t70 =  *_t70 + _t46;
                                                					 *[gs:eax+eax+0x72] =  *[gs:eax+eax+0x72] + __edx;
                                                					 *_t46 =  *_t46 + _t46;
                                                					__eflags =  *_t46;
                                                					asm("arpl [eax], ax");
                                                					if ( *_t46 >= 0) goto L5;
                                                					_t41 = __ebx + 1;
                                                					 *((intOrPtr*)(__eax + __eax + 0x69)) =  *((intOrPtr*)(__eax + __eax + 0x69)) + _t46;
                                                					 *_t70 =  *_t70 + __eax;
                                                					asm("outsb");
                                                					 *((intOrPtr*)(__eax + __eax)) =  *((intOrPtr*)(__eax + __eax)) + __edx;
                                                					_t15 = __eax - 0x6f6f6f70;
                                                					 *_t15 =  *(__eax - 0x6f6f6f70) + __edx;
                                                					__eflags =  *_t15;
                                                					_push(_t70);
                                                					_t26 = 0;
                                                					__eflags = _a4;
                                                					if(_a4 == 0) {
                                                						__eflags =  *0x6c3e00b0 - _t26; // 0x0
                                                						if(__eflags <= 0) {
                                                							_t27 = 0;
                                                						} else {
                                                							 *0x6c3e00b0 =  *0x6c3e00b0 - 1;
                                                							goto L7;
                                                						}
                                                					} else {
                                                						L7:
                                                						__eflags = _a8 - 1;
                                                						goto L8;
                                                					}
                                                				} else {
                                                					L8:
                                                					_t28 = _t26 | 0x00000001;
                                                					_push(_t66);
                                                					_push(_t58);
                                                					 *0x6c3e00b8 =  *_adjust_fdiv;
                                                					if(_t28 != 0) {
                                                						__eflags = _a8 - _t28;
                                                						if(_a8 == _t28) {
                                                							_push(_t28);
                                                							while(1) {
                                                								_t30 = InterlockedCompareExchange(0x6c3e0164, 1, ??);
                                                								__eflags = _t30;
                                                								if(_t30 == 0) {
                                                									break;
                                                								}
                                                								Sleep(0x3e8);
                                                								_push(0);
                                                							}
                                                							_t31 =  *0x6c3e00bc; // 0x0
                                                							__eflags = _t31 - 2;
                                                							if(_t31 != 2) {
                                                								_push(0x1f);
                                                								L6C3DA3F9();
                                                							} else {
                                                								_t43 =  *0x6c3e00c4; // 0x0
                                                								__eflags = _t43;
                                                								if(_t43 != 0) {
                                                									_t61 =  *0x6c3e00c0; // 0x0
                                                									_t62 = _t61 + 0xfffffffc;
                                                									__eflags = _t62;
                                                									while(1) {
                                                										__eflags = _t62 - _t43;
                                                										if(_t62 < _t43) {
                                                											break;
                                                										}
                                                										_t33 =  *_t62;
                                                										__eflags = _t33;
                                                										if(_t33 != 0) {
                                                											 *_t33();
                                                										}
                                                										_t62 = _t62 - 4;
                                                									}
                                                									free(_t43);
                                                									 *0x6c3e00c0 =  *0x6c3e00c0 & 0x00000000;
                                                									 *0x6c3e00c4 =  *0x6c3e00c4 & 0x00000000;
                                                									__eflags =  *0x6c3e00c4;
                                                								}
                                                								 *0x6c3e00bc = 0;
                                                								InterlockedExchange(0x6c3e0164, 0);
                                                							}
                                                						}
                                                						goto L18;
                                                					} else {
                                                						_t44 =  *( *[fs:0x18] + 4);
                                                						_a8 = _t28;
                                                						_push(_t28);
                                                						while(1) {
                                                							_t35 = InterlockedCompareExchange(0x6c3e0164, _t44, ??);
                                                							if(_t35 == 0) {
                                                								break;
                                                							}
                                                							__eflags = _t35 - _t44;
                                                							if(__eflags == 0) {
                                                								_a8 = 1;
                                                								break;
                                                							} else {
                                                								Sleep(0x3e8);
                                                								_push(0);
                                                								continue;
                                                							}
                                                							goto L20;
                                                						}
                                                						_t36 =  *0x6c3e00bc; // 0x0
                                                						_t64 = 2;
                                                						if(_t36 != 0) {
                                                							_push(0x1f);
                                                							L6C3DA3F9();
                                                							goto L14;
                                                						} else {
                                                							 *0x6c3e00bc = 1;
                                                							if(E6C3C25D6(0x6c3c1b38, E6C3C1B40) != 0) {
                                                								_t27 = 0;
                                                							} else {
                                                								_push(0x6c3c1b34);
                                                								_push(0x6c3c1b30);
                                                								L6C3C2563();
                                                								 *0x6c3e00bc = _t64;
                                                								L14:
                                                								if(_a8 == 0) {
                                                									InterlockedExchange(0x6c3e0164, 0);
                                                								}
                                                								_t80 =  *0x6c3e04e0; // 0x0
                                                								if(_t80 != 0) {
                                                									_push(0x6c3e04e0);
                                                									_t37 = E6C3DA362(0, _t64, 0x6c3e0164, __eflags);
                                                									__eflags = _t37;
                                                									if(_t37 != 0) {
                                                										 *0x6c3e04e0(_a4, _t64, _a12);
                                                									}
                                                								}
                                                								 *0x6c3e00b0 =  *0x6c3e00b0 + 1;
                                                								L18:
                                                								_t27 = 1;
                                                							}
                                                						}
                                                					}
                                                				}
                                                				L20:
                                                				return _t27;
                                                			}


                                                APIs
                                                • DisableThreadLibraryCalls.KERNEL32(?,Microsoft\Windows\SoftwareQualityMetricsClient,6C3E0180,00000000,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3C19CE
                                                • InterlockedCompareExchange.KERNEL32(6C3E0164,?,00000000), ref: 6C3C1AB1
                                                • _initterm.MSVCRT ref: 6C3C1AF8
                                                • InterlockedExchange.KERNEL32(6C3E0164,00000000), ref: 6C3C1B0E
                                                • InterlockedCompareExchange.KERNEL32(6C3E0164,00000001,00000000), ref: 6C3C1D46
                                                • free.MSVCRT(00000000,?,00000000,?,?,6C3C1DDB,?,00000001,?,?,?,?,6C3C1C70,0000002C), ref: 6C3C1D7A
                                                • InterlockedExchange.KERNEL32(6C3E0164,00000000), ref: 6C3C1D9C
                                                • Sleep.KERNEL32(000003E8,?,00000000,?,?,6C3C1DDB,?,00000001,?,?,?,?,6C3C1C70,0000002C), ref: 6C3D451B
                                                Strings
                                                • Microsoft\Windows\SoftwareQualityMetricsClient, xrefs: 6C3C19AC
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ExchangeInterlocked$Compare$CallsDisableLibrarySleepThread_inittermfree
                                                • String ID: Microsoft\Windows\SoftwareQualityMetricsClient
                                                • API String ID: 529680579-2483579846
                                                • Opcode ID: 056363f47c4f65afe1d7cc5dfda0d498878ebb8baa5d50c79e47b2256930571a
                                                • Instruction ID: f70be0b8f7ec4da5bdbeeb19a513f6aca99064d727ba5ba19206f84be370e799
                                                • Opcode Fuzzy Hash: 056363f47c4f65afe1d7cc5dfda0d498878ebb8baa5d50c79e47b2256930571a
                                                • Instruction Fuzzy Hash: AF31127630C2C06FCB51CB218854E9D7B79AB0231C718819FE4468B952DB2ADD02FFA3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegCreateKeyExW.ADVAPI32(00000000,?,00000000,00000000,00000000,-00020005,?,00000000,00000000,80000002,Software\Microsoft\SQMClient\Windows,CabSessionAfterSize,?,?,6C3D6078,80000002), ref: 6C3D78BB
                                                • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?,6C3D6078,80000002,Software\Microsoft\SQMClient\Windows,00000000,CEIPEnable,00000000,80000002,Software\Microsoft\SQMClient\Windows\DisabledSessions), ref: 6C3D78F3
                                                • RegCloseKey.ADVAPI32(00000000,?,?,6C3D6078,80000002,Software\Microsoft\SQMClient\Windows,00000000,CEIPEnable,00000000,80000002,Software\Microsoft\SQMClient\Windows\DisabledSessions,80000002,Software\Microsoft\SQMClient\Windows\Users,80000002,Software\Microsoft\SQMClient\Windows\Uploader\PendingUpload,80000002), ref: 6C3D792D
                                                Strings
                                                • CabSessionAfterSize, xrefs: 6C3D7868
                                                • Software\Microsoft\SQMClient\Windows, xrefs: 6C3D7869
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseCreateValue
                                                • String ID: CabSessionAfterSize$Software\Microsoft\SQMClient\Windows
                                                • API String ID: 1818849710-2962713777
                                                • Opcode ID: 2757bee1448f8c3103ff312fc367fef142336c65f5a370d07556be1c4a026992
                                                • Instruction ID: 2c0f2f2a7e4dfc7f7e4830c2eaa3f2aa5be2e5fad68fac497d6a8863ef891002
                                                • Opcode Fuzzy Hash: 2757bee1448f8c3103ff312fc367fef142336c65f5a370d07556be1c4a026992
                                                • Instruction Fuzzy Hash: 7A312533641154BBCB52DE04CC85FEA3B79EB47758F220045F9109A9A4C372ED44EFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 61%
                                                			E6C3D5DAA(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, char _a20, void** _a24) {
                                                				void* _v8;
                                                				long _v112;
                                                				intOrPtr _v116;
                                                				void* _v120;
                                                				char _v128;
                                                				intOrPtr _v132;
                                                				char* _v136;
                                                				intOrPtr _v140;
                                                				intOrPtr _v156;
                                                				intOrPtr _v160;
                                                				char _v180;
                                                				short _v184;
                                                				int _t32;
                                                				void* _t36;
                                                				void* _t37;
                                                				long _t42;
                                                				void* _t44;
                                                				int* _t45;
                                                				int* _t46;
                                                				intOrPtr _t48;
                                                				int* _t53;
                                                				int _t54;
                                                				int _t57;
                                                				void** _t58;
                                                				int* _t59;
                                                				void* _t60;
                                                
                                                				_t45 = _a24;
                                                				asm("cdq");
                                                				_v160 = _a16;
                                                				_v156 = __edx;
                                                				asm("cdq");
                                                				_t42 = 0;
                                                				_v136 =  &_a20;
                                                				_t32 =  *_t45;
                                                				_v132 = __edx;
                                                				_t48 = 0;
                                                				_v8 = 0;
                                                				_v140 = 0x1a0000;
                                                				_v180 = 0xff;
                                                				_v128 = 2;
                                                				if(_t32 == 0) {
                                                					L12:
                                                					_v184 = _t48 + 4 << 4;
                                                					L13:
                                                					__imp__TraceEvent(_a4, _a8,  &_v184);
                                                					if(_v8 != 0) {
                                                						LocalFree(_v8);
                                                					}
                                                					L15:
                                                					return 0;
                                                				}
                                                				_t53 =  &_v128;
                                                				do {
                                                					_t46 =  &(_t45[1]);
                                                					_t57 =  *_t46;
                                                					_t42 = _t42 + _t57;
                                                					_t48 = _t48 + 1;
                                                					_t53 =  &(_t53[4]);
                                                					_a16 = _t48;
                                                					if(_t48 <= 7) {
                                                						asm("cdq");
                                                						 *((intOrPtr*)(_t53 - 4)) = _t48;
                                                						_t48 = _a16;
                                                						 *(_t53 - 8) = _t32;
                                                						 *_t53 = _t57;
                                                					}
                                                					_t45 =  &(_t46[1]);
                                                					_t32 =  *_t45;
                                                				} while (_t32 != 0);
                                                				if(_t42 > 0x2000) {
                                                					goto L15;
                                                				}
                                                				if(_t48 <= 7) {
                                                					goto L12;
                                                				}
                                                				_t36 = LocalAlloc(_t32, _t42);
                                                				_v8 = _t36;
                                                				if(_t36 == 0) {
                                                					goto L15;
                                                				}
                                                				_t58 = _a24;
                                                				asm("cdq");
                                                				_v112 = _t42;
                                                				_v120 = _t36;
                                                				_v116 = _t48;
                                                				_t44 = 0;
                                                				while(1) {
                                                					_t37 =  *_t58;
                                                					if(_t37 == 0) {
                                                						break;
                                                					}
                                                					_t59 =  &(_t58[1]);
                                                					_t54 =  *_t59;
                                                					memcpy(_v8 + _t44, _t37, _t54);
                                                					_t60 = _t60 + 0xc;
                                                					_t44 = _t44 + _t54;
                                                					_t58 =  &(_t59[1]);
                                                				}
                                                				_v184 = 0x50;
                                                				goto L13;
                                                			}






























                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: Local$AllocEventFreeTracememcpy
                                                • String ID: P
                                                • API String ID: 4064889523-3110715001
                                                • Opcode ID: 94edebfee9b0b7823b20d3ae98400bbb169650c7bf39e7cf3d8e1dde9870c6ed
                                                • Instruction ID: 00e7fe18b24cca73a8bec194392db44f0cd221dbfd633d8907d5f62dee28985e
                                                • Opcode Fuzzy Hash: 94edebfee9b0b7823b20d3ae98400bbb169650c7bf39e7cf3d8e1dde9870c6ed
                                                • Instruction Fuzzy Hash: E7317CF2D052199FDB10DF69C9847CEB7BAFF48318F258169E404A7611D331AA54CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B6D68
                                                • __CxxThrowException@8.LIBCMT ref: 6C7B6E31
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                • ReadFile.KERNEL32(00000003,00000000,?,?,00000000,?,?,80000000,00000001,00000003,00000080,00000000,?,?,?,?), ref: 6C7B6E4D
                                                • CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 6C7B6E6C
                                                  • Part of subcall function 6C778329: __EH_prolog3.LIBCMT ref: 6C778330
                                                  • Part of subcall function 6C77A3BC: __EH_prolog3.LIBCMT ref: 6C77A3C3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$CloseDispatcherExceptionException@8FileHandleReadThrowUser
                                                • String ID: File: %s
                                                • API String ID: 3209669068-1010730093
                                                • Opcode ID: e4b3647bdbbb7c96b081ce425716dca057325838afd9a25ff9c651e61c5cb707
                                                • Instruction ID: 536c56be6c12578904e41d8d1a9e7514aa911cc07b4d3c0dd24eaaafc8d2316c
                                                • Opcode Fuzzy Hash: e4b3647bdbbb7c96b081ce425716dca057325838afd9a25ff9c651e61c5cb707
                                                • Instruction Fuzzy Hash: 93313B71900209AFDB01DFA8CA49ADEBBB9BF04314F54856AE924F7740D7709A09CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _malloc.LIBCMT ref: 6C7A2FB1
                                                • InitializeAcl.ADVAPI32(00000000,00000008,6C7A32D1,?,|tzl,6C7A36F3), ref: 6C7A2FCD
                                                • _free.LIBCMT ref: 6C7A2FE1
                                                • AddAce.ADVAPI32(6C7C0D43,6C7A32D1,000000FF,00000000,?,|tzl,6C7A36F3), ref: 6C7A3022
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Initialize_free_malloc
                                                • String ID: |tzl
                                                • API String ID: 425657638-3263282363
                                                • Opcode ID: 93a77c3f9e1963ca20ee31bb17932a6bc7092c29647c871bb5d9c769aa3ed2a7
                                                • Instruction ID: e6d450a05eb688b88a6ccfc914ba58e0b30e9d6dde9d6399cee355fd821f9d46
                                                • Opcode Fuzzy Hash: 93a77c3f9e1963ca20ee31bb17932a6bc7092c29647c871bb5d9c769aa3ed2a7
                                                • Instruction Fuzzy Hash: 6321B4317006019FD7018FA6CA8CA1BB7F9FF887587258629F46AC7650DB30E842CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: #116
                                                • String ID: d
                                                • API String ID: 3213738560-2564639436
                                                • Opcode ID: 94882caba47e251f1b0bda9bd6cef0dc54127e4ce84d5f74f0633f368f476528
                                                • Instruction ID: fc49fa2cf611f78ac28c651a89eee5166b5197f433768454650ba066e7119dbc
                                                • Opcode Fuzzy Hash: 94882caba47e251f1b0bda9bd6cef0dc54127e4ce84d5f74f0633f368f476528
                                                • Instruction Fuzzy Hash: 1F21B67074074ABFDB04CF65EA94A48BBF6FB65308F14827AE0149B940D7B0EA50CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 6C7B8B83
                                                  • Part of subcall function 6C77C9D8: __EH_prolog3_catch_GS.LIBCMT ref: 6C77C9DF
                                                  • Part of subcall function 6C77C9D8: __CxxThrowException@8.LIBCMT ref: 6C77CA34
                                                Strings
                                                • Failed to get install context for product: %s, received error: %d, xrefs: 6C7B8BD5
                                                • 1, xrefs: 6C7B8C46
                                                • State, xrefs: 6C7B8C0C
                                                • MsiGetPatchInfoEx failed for product: %s, received error: %d, xrefs: 6C7B8C3F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Exception@8H_prolog3_H_prolog3_catch_Throw
                                                • String ID: 1$Failed to get install context for product: %s, received error: %d$MsiGetPatchInfoEx failed for product: %s, received error: %d$State
                                                • API String ID: 2959381629-1747160380
                                                • Opcode ID: 6f53e194de8d368235026fb4b6ac1a719e470c18d8504d97dc9ff2a003676ece
                                                • Instruction ID: 6df36d7a4b8bc38b9e28174cdae508c10275940a08f095ce780760f53b819253
                                                • Opcode Fuzzy Hash: 6f53e194de8d368235026fb4b6ac1a719e470c18d8504d97dc9ff2a003676ece
                                                • Instruction Fuzzy Hash: 95219171910209EFEB00CFA8D998BDDBBB9FF08304F148429E560B7651DB71A904CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C781D44
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7819AD: __EH_prolog3.LIBCMT ref: 6C7819B4
                                                  • Part of subcall function 6C7819AD: __CxxThrowException@8.LIBCMT ref: 6C781ADE
                                                  • Part of subcall function 6C778AAC: __EH_prolog3.LIBCMT ref: 6C778AB3
                                                  • Part of subcall function 6C778AAC: __CxxThrowException@8.LIBCMT ref: 6C778B39
                                                  • Part of subcall function 6C7792D1: __EH_prolog3.LIBCMT ref: 6C7792D8
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                  • Part of subcall function 6C77A378: __EH_prolog3.LIBCMT ref: 6C77A37F
                                                • __CxxThrowException@8.LIBCMT ref: 6C781E11
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw$DispatcherExceptionUser
                                                • String ID: ApplicableIf$ParameterInfo.xml$schema validation failure: IsPresent can only be authored once.
                                                • API String ID: 2724732616-3920316726
                                                • Opcode ID: 071b615b18688bdd387c0408eb6f542f76eeddefd048e89a109cf3e0e0c218bf
                                                • Instruction ID: f2668637ec62f159a170b3c46a64db50bd9bc54838340e0158ad3aec51c65b72
                                                • Opcode Fuzzy Hash: 071b615b18688bdd387c0408eb6f542f76eeddefd048e89a109cf3e0e0c218bf
                                                • Instruction Fuzzy Hash: A6213E72911149ABCF11DBE8CA4DADD7BB8AF15328F148559F124ABB80CB31DB088772
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6C3DA94E() {
                                                				void* _v8;
                                                				int _v12;
                                                				int _v16;
                                                				char _v20;
                                                				int _t10;
                                                				long _t17;
                                                
                                                				_t10 =  *0x6c3e0550; // 0xffffffff
                                                				if(_t10 == 0xffffffff) {
                                                					if(RegOpenKeyExA(0x80000002, "System\\WPA\\ApplianceServer", 0, 1,  &_v8) == 0) {
                                                						_v12 = 4;
                                                						_t17 = RegQueryValueExA(_v8, "Installed", 0,  &_v16,  &_v20,  &_v12);
                                                						if(_t17 == 0 && _v16 == 4 && _v20 != _t17) {
                                                							 *0x6c3e0550 = 1;
                                                						}
                                                						RegCloseKey(_v8);
                                                					}
                                                					_t10 =  *0x6c3e0550; // 0xffffffff
                                                					if(_t10 == 0xffffffff) {
                                                						 *0x6c3e0550 = 0;
                                                						return 0;
                                                					}
                                                				}
                                                				return _t10;
                                                			}










                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(80000002,System\WPA\ApplianceServer,00000000,00000001,?), ref: 6C3DA972
                                                • RegQueryValueExA.ADVAPI32(?,Installed,00000000,?,?,?), ref: 6C3DA999
                                                • RegCloseKey.ADVAPI32(?), ref: 6C3DA9BB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: Installed$System\WPA\ApplianceServer
                                                • API String ID: 3677997916-2615809295
                                                • Opcode ID: 63e335102066c0d6af60cb6dc91d98324464d98e9701e057f039e3daab112741
                                                • Instruction ID: 0b9b7098b22b1b3409f1d384da6238eb95dbc875fc6dece0416a1bb6fb323de7
                                                • Opcode Fuzzy Hash: 63e335102066c0d6af60cb6dc91d98324464d98e9701e057f039e3daab112741
                                                • Instruction Fuzzy Hash: 23015A32A04248AADF11CAE9C985B9E77BCBB09318F220316E121E15C0EB71AA44EF41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C7780C1,?,?,?,?,00000000,?,00000001,?,6C77A9FA,?,80000000,00000001), ref: 6C7C89F3
                                                • GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6C7C8A03
                                                • CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000,?,?,6C7780C1,?,?,?,?,00000000,?), ref: 6C7C8A40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: AddressCreateFileHandleModuleProc
                                                • String ID: CreateFileTransactedW$kernel32.dll
                                                • API String ID: 2580138172-2053874626
                                                • Opcode ID: a2a71eb8bb3b0ada5987137d04b51e5b4553239202e064c59cc4c3663b25baed
                                                • Instruction ID: b15e4b1eae4ea46e70feb78a6a78c56d1365b2f788381e5c0fe391f157d9570c
                                                • Opcode Fuzzy Hash: a2a71eb8bb3b0ada5987137d04b51e5b4553239202e064c59cc4c3663b25baed
                                                • Instruction Fuzzy Hash: 8201BB3264064ABFCF124E95DE04C9F3F76FBD57617248926F92550860C732C5B1EB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 35%
                                                			E6C3DA7C0(void* __ecx) {
                                                				char _v8;
                                                				intOrPtr _t3;
                                                				intOrPtr _t6;
                                                				intOrPtr* _t13;
                                                
                                                				_t3 =  *0x6c3e054c; // 0xffffffff
                                                				if(_t3 == 0xffffffff) {
                                                					_t13 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
                                                					if(_t13 == 0) {
                                                						L5:
                                                						_t6 = 0;
                                                						L6:
                                                						 *0x6c3e054c = _t6;
                                                						return _t6;
                                                					}
                                                					_push(0);
                                                					_push(4);
                                                					_push( &_v8);
                                                					_push(0x1a);
                                                					_push(GetCurrentProcess());
                                                					if( *_t13() < 0 || _v8 == 0) {
                                                						goto L5;
                                                					} else {
                                                						_t6 = 1;
                                                						goto L6;
                                                					}
                                                				}
                                                				return _t3;
                                                			}







                                                APIs
                                                • GetModuleHandleA.KERNEL32(ntdll.dll,NtQueryInformationProcess), ref: 6C3DA7DB
                                                • GetProcAddress.KERNEL32(00000000), ref: 6C3DA7E2
                                                • GetCurrentProcess.KERNEL32(0000001A,?,00000004,00000000), ref: 6C3DA7F8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: AddressCurrentHandleModuleProcProcess
                                                • String ID: NtQueryInformationProcess$ntdll.dll
                                                • API String ID: 4190356694-2906145389
                                                • Opcode ID: c091a43aa5c94c147ef4a360c939eb506526ca714f78c7abe855360a5c16a812
                                                • Instruction ID: 020d194946ba74b40bbe8aa1cdba1f3e76825a4ebd9a04199d5dae0284db371b
                                                • Opcode Fuzzy Hash: c091a43aa5c94c147ef4a360c939eb506526ca714f78c7abe855360a5c16a812
                                                • Instruction Fuzzy Hash: FFF0BE72A01240AADB1096B68E08B8A3EBCDB06724F114921FD11D2580D634EA879FA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C77584E
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: IA64$Unknown$x64$x86
                                                • API String ID: 431132790-3030484263
                                                • Opcode ID: 6a6e50ba653dcb8339720d2454a1eff474f2a54b42309777546510e19504bc02
                                                • Instruction ID: dbe809e01de1061c739c2bea4ba4a8e43758f02d1ce9e68e19390a1f5a55042e
                                                • Opcode Fuzzy Hash: 6a6e50ba653dcb8339720d2454a1eff474f2a54b42309777546510e19504bc02
                                                • Instruction Fuzzy Hash: 5FF02770600249BBEF519B56DB48BBC7260FB20719F104822F110EEE80C778BB29F665
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6C3DA847() {
                                                				void* _v8;
                                                				char _v12;
                                                				int _v16;
                                                
                                                				_v12 = _v12 & 0x00000000;
                                                				if(RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", 0, 1,  &_v8) == 0) {
                                                					_v16 = 4;
                                                					RegQueryValueExA(_v8, "ServerAdminUI", 0, 0,  &_v12,  &_v16);
                                                					RegCloseKey(_v8);
                                                				}
                                                				return _v12;
                                                			}






                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,00000000,00000001,?), ref: 6C3DA865
                                                • RegQueryValueExA.ADVAPI32(?,ServerAdminUI,00000000,00000000,00000000,?), ref: 6C3DA88A
                                                • RegCloseKey.ADVAPI32(?), ref: 6C3DA893
                                                Strings
                                                • ServerAdminUI, xrefs: 6C3DA87B
                                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, xrefs: 6C3DA85B
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: ServerAdminUI$Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
                                                • API String ID: 3677997916-377279143
                                                • Opcode ID: 1673f500afcc85cd2b04fe7eb9c64ef0ade253f42a33e8e40a670ee5a3e4f936
                                                • Instruction ID: 00d961dc21d2cdf498686715c7e82c46e4a64dfb773678b160542d65affa0c8e
                                                • Opcode Fuzzy Hash: 1673f500afcc85cd2b04fe7eb9c64ef0ade253f42a33e8e40a670ee5a3e4f936
                                                • Instruction Fuzzy Hash: 90F0F876A00248BBEB109B90CD49FCD7BBCAB04704F100051BA04B1090D7B1BB99AB55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 94%
                                                			E6C3CABD9(void* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                                				signed int _v8;
                                                				void _v526;
                                                				char _v528;
                                                				signed int _v532;
                                                				intOrPtr _v536;
                                                				signed char _v540;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t73;
                                                				intOrPtr _t77;
                                                				intOrPtr _t83;
                                                				signed int _t88;
                                                				intOrPtr _t89;
                                                				signed int _t92;
                                                				signed int _t96;
                                                				intOrPtr _t97;
                                                				intOrPtr _t101;
                                                				intOrPtr _t103;
                                                				long _t105;
                                                				void* _t108;
                                                				intOrPtr _t114;
                                                				intOrPtr _t117;
                                                				intOrPtr _t118;
                                                				intOrPtr _t120;
                                                				signed int _t121;
                                                				void* _t126;
                                                
                                                				_t117 = __edx;
                                                				_t108 = __ecx;
                                                				_t73 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t73 ^ _t121;
                                                				_t120 = _a8;
                                                				_t118 = _a4;
                                                				_t105 = 0;
                                                				_v528 = 0;
                                                				memset( &_v526, 0, 0x206);
                                                				_v532 = 0x80004005;
                                                				if(_t120 == 0 || _a12 != 0) {
                                                					_t126 =  *0x6c3e009c - _t105; // 0x0
                                                					if(_t126 == 0) {
                                                						_t77 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t77 - 0x6c3e0088;
                                                						if(_t77 != 0x6c3e0088) {
                                                							__eflags =  *(_t77 + 0x1c) & 0x00000001;
                                                							if(( *(_t77 + 0x1c) & 0x00000001) != 0) {
                                                								_t43 = _t77 + 0x14; // 0x0
                                                								_t44 = _t77 + 0x10; // 0x1
                                                								E6C3D5F11( *_t44,  *_t43, 0x1b, 0x6c3d5a6c);
                                                							}
                                                						}
                                                						_t105 = 0x1000010a;
                                                						goto L15;
                                                					}
                                                					_t118 = E6C3C3080(_t108, _t118);
                                                					_v536 = _t118;
                                                					if(_t118 == 0) {
                                                						_t83 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t83 - 0x6c3e0088;
                                                						if(_t83 != 0x6c3e0088) {
                                                							__eflags =  *(_t83 + 0x1c) & 0x00000001;
                                                							if(( *(_t83 + 0x1c) & 0x00000001) != 0) {
                                                								_t48 = _t83 + 0x14; // 0x0
                                                								_t49 = _t83 + 0x10; // 0x1
                                                								E6C3D5F11( *_t49,  *_t48, 0x1c, 0x6c3d5a6c);
                                                							}
                                                						}
                                                						_push(6);
                                                						L36:
                                                						_pop(_t105);
                                                						L12:
                                                						if(_t118 != 0) {
                                                							E6C3C3252(_t118, _t118);
                                                							if((_a16 & 0x00000008) != 0) {
                                                								E6C3C3252(_t118, _t118);
                                                							}
                                                						}
                                                						goto L15;
                                                					}
                                                					if(_t120 == 0) {
                                                						L6:
                                                						_v540 = _v540 & 0x00000000;
                                                						_t88 = E6C3CAED1(_t118,  &_v540);
                                                						_v532 = _t88;
                                                						if(_t88 < 0) {
                                                							_t89 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t89 - 0x6c3e0088;
                                                							if(_t89 != 0x6c3e0088) {
                                                								__eflags =  *(_t89 + 0x1c) & 0x00000001;
                                                								if(( *(_t89 + 0x1c) & 0x00000001) != 0) {
                                                									_t58 = _t89 + 0x14; // 0x0
                                                									_t59 = _t89 + 0x10; // 0x1
                                                									E6C3D99F8( *_t59,  *_t58, 0x1e, 0x6c3d5a6c, _t105);
                                                								}
                                                							}
                                                							_t105 = _v532 & 0x1000ffff;
                                                							goto L12;
                                                						}
                                                						EnterCriticalSection(0x6c3e0168);
                                                						E6C3CAD9A(_t105, _t118);
                                                						_t131 = _t120;
                                                						if(_t120 == 0) {
                                                							L16:
                                                							__eflags = _v532;
                                                							if(_v532 >= 0) {
                                                								L9:
                                                								if((_v540 & 0x00000001) != 0) {
                                                									__eflags = _a16 & 0x00000004;
                                                									if((_a16 & 0x00000004) == 0) {
                                                										goto L10;
                                                									} else {
                                                										goto L11;
                                                									}
                                                								}
                                                								L10:
                                                								_t92 = E6C3CAD45(_v536);
                                                								if(_t92 < 0) {
                                                									__eflags = _t92 - 0x90080102;
                                                									if(_t92 != 0x90080102) {
                                                										_t114 =  *0x6c3e0088; // 0x6c3e0088
                                                										__eflags = _t114 - 0x6c3e0088;
                                                										if(_t114 != 0x6c3e0088) {
                                                											__eflags =  *(_t114 + 0x1c) & 0x00000001;
                                                											if(( *(_t114 + 0x1c) & 0x00000001) != 0) {
                                                												_t71 = _t114 + 0x14; // 0x0
                                                												_t72 = _t114 + 0x10; // 0x1
                                                												E6C3D99F8( *_t72,  *_t71, 0x20, 0x6c3d5a6c, _t92 & 0x1000ffff);
                                                											}
                                                										}
                                                									}
                                                								}
                                                								goto L11;
                                                							} else {
                                                								L11:
                                                								LeaveCriticalSection(0x6c3e0168);
                                                								_t118 = _v536;
                                                								goto L12;
                                                							}
                                                						}
                                                						_push( &_v528);
                                                						_t96 = E6C3CA24D(_t105, _v536, 0x1000ffff, _t120, _t131);
                                                						_v532 = _t96;
                                                						if(_t96 < 0) {
                                                							_t97 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t97 - 0x6c3e0088;
                                                							if(_t97 != 0x6c3e0088) {
                                                								__eflags =  *(_t97 + 0x1c) & 0x00000001;
                                                								if(( *(_t97 + 0x1c) & 0x00000001) != 0) {
                                                									_t65 = _t97 + 0x14; // 0x0
                                                									_t66 = _t97 + 0x10; // 0x1
                                                									E6C3D77B8( *_t66,  *_t65, 0x1f, 0x6c3d5a6c,  &_v528, _t105);
                                                								}
                                                							}
                                                							_t105 = _v532 & 0x1000ffff;
                                                							goto L16;
                                                						}
                                                						goto L9;
                                                					}
                                                					_t105 = E6C3CAA10(_t117, _t120, _a12, _a16,  &_v528, 0x104);
                                                					if(_t105 != 0) {
                                                						_t101 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t101 - 0x6c3e0088;
                                                						if(_t101 != 0x6c3e0088) {
                                                							__eflags =  *(_t101 + 0x1c) & 0x00000001;
                                                							if(( *(_t101 + 0x1c) & 0x00000001) != 0) {
                                                								_t53 = _t101 + 0x14; // 0x0
                                                								_t54 = _t101 + 0x10; // 0x1
                                                								E6C3D99F8( *_t54,  *_t53, 0x1d, 0x6c3d5a6c, _t105);
                                                							}
                                                						}
                                                						_push(0x57);
                                                						goto L36;
                                                					}
                                                					goto L6;
                                                				} else {
                                                					_t103 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t103 - 0x6c3e0088;
                                                					if(_t103 != 0x6c3e0088) {
                                                						__eflags =  *(_t103 + 0x1c) & 0x00000001;
                                                						if(( *(_t103 + 0x1c) & 0x00000001) != 0) {
                                                							_t38 = _t103 + 0x14; // 0x0
                                                							_t39 = _t103 + 0x10; // 0x1
                                                							E6C3D5F11( *_t39,  *_t38, 0x1a, 0x6c3d5a6c);
                                                						}
                                                					}
                                                					_t105 = 0x57;
                                                					L15:
                                                					SetLastError(_t105);
                                                					return E6C3C171F(0 | _v532 >= 0x00000000, _t105, _v8 ^ _t121, _t117, _t118, _t120);
                                                				}
                                                			}































                                                0x6c3cacdd
                                                0x6c3cb7d0
                                                0x6c3cb7d4
                                                0x00000000
                                                0x6c3cb7da
                                                0x00000000
                                                0x6c3cb7da
                                                0x6c3cb7d4
                                                0x6c3cace3
                                                0x6c3cace9
                                                0x6c3cacf0
                                                0x6c3cef04
                                                0x6c3cef09
                                                0x6c3cef0f
                                                0x6c3cef15
                                                0x6c3cef1b
                                                0x6c3cef21
                                                0x6c3cef25
                                                0x6c3cef35
                                                0x6c3cef38
                                                0x6c3cef3b
                                                0x6c3cef3b
                                                0x6c3cef25
                                                0x6c3cef1b
                                                0x6c3cef09
                                                0x00000000
                                                0x6c3cb7cb
                                                0x6c3cacf6
                                                0x6c3cacfb
                                                0x6c3cad01
                                                0x00000000
                                                0x6c3cad01
                                                0x6c3cb7c5
                                                0x6c3cacc2
                                                0x6c3cacc3
                                                0x6c3cacca
                                                0x6c3cacd0
                                                0x6c3ceecb
                                                0x6c3ceed0
                                                0x6c3ceed5
                                                0x6c3ceed7
                                                0x6c3ceedb
                                                0x6c3ceeec
                                                0x6c3ceeef
                                                0x6c3ceef2
                                                0x6c3ceef2
                                                0x6c3ceedb
                                                0x6c3ceefd
                                                0x00000000
                                                0x6c3ceefd
                                                0x00000000
                                                0x6c3cacd0
                                                0x6c3cac6a
                                                0x6c3cac6e
                                                0x6c3cee68
                                                0x6c3cee6d
                                                0x6c3cee72
                                                0x6c3cee74
                                                0x6c3cee78
                                                0x6c3cee82
                                                0x6c3cee85
                                                0x6c3cee88
                                                0x6c3cee88
                                                0x6c3cee78
                                                0x6c3cee8d
                                                0x00000000
                                                0x6c3cee8d
                                                0x00000000
                                                0x6c3cede6
                                                0x6c3cede6
                                                0x6c3cedeb
                                                0x6c3cedf0
                                                0x6c3cedf2
                                                0x6c3cedf6
                                                0x6c3cedff
                                                0x6c3cee02
                                                0x6c3cee05
                                                0x6c3cee05
                                                0x6c3cedf6
                                                0x6c3cee0c
                                                0x6c3cad1d
                                                0x6c3cad1e
                                                0x6c3cad3d
                                                0x6c3cad3d

                                                APIs
                                                • memset.MSVCRT ref: 6C3CAC0D
                                                • EnterCriticalSection.KERNEL32(6C3E0168,00000000,?), ref: 6C3CAC9C
                                                • LeaveCriticalSection.KERNEL32(6C3E0168), ref: 6C3CACFB
                                                • SetLastError.KERNEL32(00000000), ref: 6C3CAD1E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CriticalSection$EnterErrorLastLeavememset
                                                • String ID: Fm*
                                                • API String ID: 3008345650-3000852143
                                                • Opcode ID: 51a525e59cdf6b76bf536acbdd975afbb15769e98260283701e43baef5ae9a1a
                                                • Instruction ID: dc9d837c0e3915a95ac34fa68a9300a12d26c9b4405fae2cb7371fae3b43b775
                                                • Opcode Fuzzy Hash: 51a525e59cdf6b76bf536acbdd975afbb15769e98260283701e43baef5ae9a1a
                                                • Instruction Fuzzy Hash: 447123317413989BCB51DE20CC89FDE3679AF0434CF110495E9249AAA2CB72CD84DFA3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 34%
                                                			E6C3CE0FF(void* __ecx, char _a4) {
                                                				intOrPtr _v8;
                                                				char _v12;
                                                				struct _FILETIME _v20;
                                                				struct _SYSTEMTIME _v36;
                                                				void* __edi;
                                                				void* _t47;
                                                				intOrPtr _t51;
                                                				intOrPtr _t58;
                                                				intOrPtr _t62;
                                                				intOrPtr _t70;
                                                				long _t71;
                                                				intOrPtr _t72;
                                                				intOrPtr _t74;
                                                				long _t75;
                                                				intOrPtr _t76;
                                                				void* _t89;
                                                				intOrPtr* _t90;
                                                				void* _t91;
                                                
                                                				_t91 = __ecx;
                                                				_v12 = 0;
                                                				E6C3CC2FD(__ecx);
                                                				_t47 =  *0x6c3e0034( *((intOrPtr*)(__ecx + 8)), 0);
                                                				_t88 = _t47;
                                                				E6C3CC33D(__ecx);
                                                				if(_t47 == 0) {
                                                					_t89 = E6C3D9546(GetLastError());
                                                					_t51 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t51 == 0x6c3e0088 || ( *(_t51 + 0x1c) & 0x00000001) == 0) {
                                                						L5:
                                                						return _t89;
                                                					} else {
                                                						_push(_t89);
                                                						_push(0x6c3ccad8);
                                                						_push(0x38);
                                                						L12:
                                                						_t16 = _t51 + 0x14; // 0x0
                                                						_push( *_t16);
                                                						_t17 = _t51 + 0x10; // 0x1
                                                						_push( *_t17);
                                                						E6C3D99F8();
                                                						goto L5;
                                                					}
                                                				}
                                                				_t89 = E6C3CC4B3(_t91, _t88);
                                                				if(_t89 < 0) {
                                                					_t51 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t51 == 0x6c3e0088 || ( *(_t51 + 0x1c) & 0x00000001) == 0) {
                                                						goto L5;
                                                					} else {
                                                						_push(_t89);
                                                						_push(0x6c3ccad8);
                                                						_push(0x39);
                                                						goto L12;
                                                					}
                                                				}
                                                				_v12 = 4;
                                                				E6C3CC2FD(_t91);
                                                				_t90 =  *0x6c3e0030; // 0x6c3ce5e9
                                                				_t58 =  *_t90( *((intOrPtr*)(_t91 + 8)), 0x20000013, 0, _t91 + 0x8c,  &_v12, 0);
                                                				_v8 = _t58;
                                                				if(_t58 != 0 && _a4 != 0) {
                                                					_a4 = 0x10;
                                                					 *_t90( *((intOrPtr*)(_t91 + 8)), 0x4000000b, 0,  &_v36,  &_a4, 0);
                                                					_v8 = 0;
                                                					if(0 != 0) {
                                                						if(SystemTimeToFileTime( &_v36,  &_v20) == 0) {
                                                							_t70 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t70 != 0x6c3e0088 && ( *(_t70 + 0x1c) & 0x00000001) != 0) {
                                                								_t71 = GetLastError();
                                                								_t72 =  *0x6c3e0088; // 0x6c3e0088
                                                								_t34 = _t72 + 0x14; // 0x0
                                                								_t35 = _t72 + 0x10; // 0x1
                                                								E6C3D99F8( *_t35,  *_t34, 0x3b, 0x6c3ccad8, _t71);
                                                							}
                                                						}
                                                						 *(_t91 + 0xa0) = _v20.dwLowDateTime;
                                                						 *((intOrPtr*)(_t91 + 0xa4)) = _v20.dwHighDateTime;
                                                					} else {
                                                						_t74 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t74 != 0x6c3e0088 && ( *(_t74 + 0x1c) & 0x00000001) != 0) {
                                                							_t75 = GetLastError();
                                                							_t76 =  *0x6c3e0088; // 0x6c3e0088
                                                							_t26 = _t76 + 0x14; // 0x0
                                                							_t27 = _t76 + 0x10; // 0x1
                                                							E6C3D99F8( *_t27,  *_t26, 0x3a, 0x6c3ccad8, _t75);
                                                						}
                                                						_v8 = 1;
                                                					}
                                                				}
                                                				E6C3CC33D(_t91);
                                                				_t89 = 0;
                                                				if(_v8 == 0) {
                                                					_t89 = E6C3D9546(GetLastError());
                                                					_t62 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t62 != 0x6c3e0088 && ( *(_t62 + 0x1c) & 0x00000001) != 0) {
                                                						_t44 = _t62 + 0x14; // 0x0
                                                						_t45 = _t62 + 0x10; // 0x1
                                                						E6C3D782C( *_t45,  *_t44, 0x3c, 0x6c3ccad8, _t89, _v12);
                                                					}
                                                				}
                                                				goto L5;
                                                			}






















                                                APIs
                                                  • Part of subcall function 6C3CC33D: GetLastError.KERNEL32(6C3E0088,?,6C3CC203,?,?,?,00000000), ref: 6C3CC343
                                                  • Part of subcall function 6C3CC33D: SetLastError.KERNEL32(00000000,?,6C3CC203,?,?,?,00000000), ref: 6C3CC354
                                                • GetLastError.KERNEL32(?,?,?,?,6C3CC008,00000000,?,00000000,00000000,?,?,?,PUT,00000000,?,Function_00007AF4), ref: 6C3D378C
                                                • GetLastError.KERNEL32(?,?,?,?,6C3CC008,00000000), ref: 6C3D3824
                                                • SystemTimeToFileTime.KERNEL32(?,6C3CC008,?,?,?,?,6C3CC008,00000000), ref: 6C3D3852
                                                • GetLastError.KERNEL32(?,?,?,?,6C3CC008,00000000), ref: 6C3D386E
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$Time$FileSystem
                                                • String ID:
                                                • API String ID: 3446928799-0
                                                • Opcode ID: 7de152e5bf111a7e98dad79a70eca540362cd392f18cc03b94afc25e98417b27
                                                • Instruction ID: 04dd5ab109ff3468997beb8d3fdb798bf3b67adc05f312f037d50bab19b554ad
                                                • Opcode Fuzzy Hash: 7de152e5bf111a7e98dad79a70eca540362cd392f18cc03b94afc25e98417b27
                                                • Instruction Fuzzy Hash: C951EC36600344AFCB85DFA4D884FDE3AB9FB48388F110469E151D7A50CB31ED889FA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 61%
                                                			E6C3C84FC(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				char _v38;
                                                				char _v40;
                                                				void _v558;
                                                				char _v560;
                                                				int _v564;
                                                				char _v568;
                                                				intOrPtr _v572;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t40;
                                                				void* _t48;
                                                				void* _t53;
                                                				intOrPtr _t58;
                                                				void* _t59;
                                                				intOrPtr _t60;
                                                				intOrPtr _t62;
                                                				signed int _t64;
                                                				intOrPtr _t66;
                                                				intOrPtr _t69;
                                                				intOrPtr _t70;
                                                				void* _t71;
                                                				intOrPtr _t72;
                                                				int _t73;
                                                				signed int _t75;
                                                
                                                				_t70 = __edx;
                                                				_t40 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t40 ^ _t75;
                                                				_t73 = 0;
                                                				_v572 = _a4;
                                                				_t62 = __ecx;
                                                				_t64 = 7;
                                                				_v40 = 0;
                                                				_t71 =  &_v38;
                                                				memset(_t71, 0, _t64 << 2);
                                                				_t72 = _t71 + _t64;
                                                				asm("stosw");
                                                				_v568 = 0;
                                                				_v564 = 0;
                                                				_v560 = 0;
                                                				memset( &_v558, 0, 0x206);
                                                				_push(L"Sampling");
                                                				_push(_v572);
                                                				_t48 = E6C3C18E5( &_v560, 0x104, L"%s\\%s\\%s", L"Software\\Microsoft\\SQMClient");
                                                				if(_t48 < 0) {
                                                					_t66 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t66 - 0x6c3e0088;
                                                					if(_t66 == 0x6c3e0088) {
                                                						L3:
                                                						return E6C3C171F(_t73, _t62, _v8 ^ _t75, _t70, _t72, _t73);
                                                					}
                                                					__eflags =  *(_t66 + 0x1c) & 0x00000001;
                                                					if(( *(_t66 + 0x1c) & 0x00000001) == 0) {
                                                						goto L3;
                                                					}
                                                					_push(_t48);
                                                					_push(0x6c3c7af4);
                                                					_push(0x38);
                                                					L10:
                                                					_t25 = _t66 + 0x14; // 0x0
                                                					_push( *_t25);
                                                					_t26 = _t66 + 0x10; // 0x1
                                                					_push( *_t26);
                                                					E6C3D99F8();
                                                					goto L3;
                                                				}
                                                				_t53 = E6C3C18E5( &_v40, 0x10, 0x6c3c7b04, _a8);
                                                				if(_t53 < 0) {
                                                					_t66 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t66 - 0x6c3e0088;
                                                					if(_t66 == 0x6c3e0088) {
                                                						goto L3;
                                                					}
                                                					__eflags =  *(_t66 + 0x1c) & 0x00000001;
                                                					if(( *(_t66 + 0x1c) & 0x00000001) == 0) {
                                                						goto L3;
                                                					}
                                                					_push(_t53);
                                                					_push(0x6c3c7af4);
                                                					_push(0x39);
                                                					goto L10;
                                                				}
                                                				if(E6C3C85E1(0, 0x80000001,  &_v560,  &_v40,  &_v568) == 0) {
                                                					_t69 = _a16;
                                                					__eflags = _t69 - _v564;
                                                					if(__eflags < 0) {
                                                						goto L3;
                                                					}
                                                					_t58 = _a12;
                                                					if(__eflags > 0) {
                                                						L14:
                                                						_t59 = _t58 - _v568;
                                                						asm("sbb ecx, [ebp-0x230]");
                                                						__eflags = _t69 -  *((intOrPtr*)(_t62 + 0x5c));
                                                						if(__eflags > 0) {
                                                							goto L3;
                                                						}
                                                						if(__eflags < 0) {
                                                							L17:
                                                							_t60 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t60 - 0x6c3e0088;
                                                							if(_t60 != 0x6c3e0088) {
                                                								__eflags =  *(_t60 + 0x1c) & 0x00000004;
                                                								if(( *(_t60 + 0x1c) & 0x00000004) != 0) {
                                                									_t38 = _t60 + 0x14; // 0x0
                                                									_t39 = _t60 + 0x10; // 0x1
                                                									E6C3D99F8( *_t39,  *_t38, 0x3a, 0x6c3c7af4, _a8);
                                                								}
                                                							}
                                                							_t73 = 1;
                                                							goto L3;
                                                						}
                                                						__eflags = _t59 -  *((intOrPtr*)(_t62 + 0x58));
                                                						if(_t59 >=  *((intOrPtr*)(_t62 + 0x58))) {
                                                							goto L3;
                                                						}
                                                						goto L17;
                                                					}
                                                					__eflags = _t58 - _v568;
                                                					if(_t58 <= _v568) {
                                                						goto L3;
                                                					}
                                                					goto L14;
                                                				}
                                                				goto L3;
                                                			}






























                                                APIs
                                                • memset.MSVCRT ref: 6C3C8551
                                                  • Part of subcall function 6C3C18E5: _vsnwprintf.MSVCRT ref: 6C3C1913
                                                  • Part of subcall function 6C3C85E1: RegOpenKeyExW.ADVAPI32(6C3C63AF,?,00000000,-00020018,?,00000000,?), ref: 6C3C864C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: Open_vsnwprintfmemset
                                                • String ID: %s\%s\%s$Fm*$Sampling$Software\Microsoft\SQMClient
                                                • API String ID: 3302644324-3825131464
                                                • Opcode ID: 5950e500d9b2c9a7c65d80bff31e4be47002f9b6513a7beda9d608efba873c47
                                                • Instruction ID: d1aa69edb47c83f69e6f28a0781aba9c4cdeb592c016c67b170fbeec242f1ba0
                                                • Opcode Fuzzy Hash: 5950e500d9b2c9a7c65d80bff31e4be47002f9b6513a7beda9d608efba873c47
                                                • Instruction Fuzzy Hash: BB419D71601258ABCB54CE54CC84FDE77B9AF09718F200486F915AA991CB75EF88CF63
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 97%
                                                			E6C3C2671(void* __ebx, void* __ecx) {
                                                				intOrPtr _t19;
                                                				intOrPtr _t24;
                                                				intOrPtr _t25;
                                                				long _t26;
                                                				intOrPtr _t27;
                                                				signed int _t29;
                                                				intOrPtr _t30;
                                                				void* _t38;
                                                				signed int _t39;
                                                				signed int _t40;
                                                				long _t41;
                                                				void* _t42;
                                                
                                                				_t41 = _t40 ^ _t40;
                                                				_t42 =  *0x6c3e009c - _t41; // 0x0
                                                				if(_t42 != 0) {
                                                					_t19 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t19 - 0x6c3e0088;
                                                					if(_t19 != 0x6c3e0088) {
                                                						__eflags =  *(_t19 + 0x1c) & 0x00000001;
                                                						if(( *(_t19 + 0x1c) & 0x00000001) != 0) {
                                                							_t7 = _t19 + 0x14; // 0x0
                                                							_t8 = _t19 + 0x10; // 0x1
                                                							E6C3D5F11( *_t8,  *_t7, 0xa, 0x6c3d5a6c);
                                                						}
                                                					}
                                                					__eflags = 1;
                                                					return 1;
                                                				} else {
                                                					if(InitializeCriticalSectionAndSpinCount(0x6c3e0168, 0xfa0) == 0) {
                                                						_t24 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t24 - 0x6c3e0088;
                                                						if(_t24 != 0x6c3e0088) {
                                                							__eflags =  *(_t24 + 0x1c) & 0x00000001;
                                                							if(( *(_t24 + 0x1c) & 0x00000001) != 0) {
                                                								_t26 = GetLastError();
                                                								_t27 =  *0x6c3e0088; // 0x6c3e0088
                                                								_t12 = _t27 + 0x14; // 0x0
                                                								_t13 = _t27 + 0x10; // 0x1
                                                								E6C3D99F8( *_t13,  *_t12, 0xb, 0x6c3d5a6c, _t26);
                                                							}
                                                						}
                                                						_t25 = 0;
                                                					} else {
                                                						_t29 = E6C3C17EB(0xc);
                                                						_pop(_t38);
                                                						if(_t29 == 0) {
                                                							_t29 = 0;
                                                						} else {
                                                							 *_t29 =  *_t29 & _t41;
                                                							 *(_t29 + 8) =  *(_t29 + 8) & _t41;
                                                							 *((intOrPtr*)(_t29 + 4)) = 0x1f;
                                                						}
                                                						 *0x6c3e00a4 = _t29;
                                                						if(_t29 == 0) {
                                                							_t30 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t30 - 0x6c3e0088;
                                                							if(_t30 != 0x6c3e0088) {
                                                								__eflags =  *(_t30 + 0x1c) & 0x00000001;
                                                								if(( *(_t30 + 0x1c) & 0x00000001) != 0) {
                                                									_t17 = _t30 + 0x14; // 0x0
                                                									_t18 = _t30 + 0x10; // 0x1
                                                									E6C3D99F8( *_t18,  *_t17, 0xc, 0x6c3d5a6c, 0xc);
                                                								}
                                                							}
                                                							_t39 =  *0x6c3e00a4; // 0x0
                                                							__eflags = _t39;
                                                							_t41 = 0xe;
                                                							if(__eflags != 0) {
                                                								E6C3C1ED9(_t39, __eflags, 1);
                                                								 *0x6c3e00a4 =  *0x6c3e00a4 & 0x00000000;
                                                								__eflags =  *0x6c3e00a4;
                                                							}
                                                							DeleteCriticalSection(0x6c3e0168);
                                                						} else {
                                                							E6C3C26E8(_t38);
                                                							 *0x6c3e009c = 1;
                                                						}
                                                						SetLastError(_t41);
                                                						_t25 =  *0x6c3e009c; // 0x0
                                                					}
                                                					return _t25;
                                                				}
                                                			}
















                                                APIs
                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(6C3E0168,00000FA0,?,?,6C3C19CB,Microsoft\Windows\SoftwareQualityMetricsClient,6C3E0180,00000000,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3C268E
                                                • GetLastError.KERNEL32(?,?,6C3C19CB,Microsoft\Windows\SoftwareQualityMetricsClient,6C3E0180,00000000,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3CF520
                                                  • Part of subcall function 6C3C17EB: malloc.MSVCRT ref: 6C3C17F6
                                                • SetLastError.KERNEL32(00000000,?,?,6C3C19CB,Microsoft\Windows\SoftwareQualityMetricsClient,6C3E0180,00000000,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3C26D1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLast$CountCriticalInitializeSectionSpinmalloc
                                                • String ID:
                                                • API String ID: 2914686227-0
                                                • Opcode ID: dc6877b812871e5d46de1cd3267b04ec6ebd82348038b675d352e3fa3f7fc07d
                                                • Instruction ID: 2b851800c4edd389f9da83c7f3a7107e0a8367bbe2efe2dee75f9a035557603b
                                                • Opcode Fuzzy Hash: dc6877b812871e5d46de1cd3267b04ec6ebd82348038b675d352e3fa3f7fc07d
                                                • Instruction Fuzzy Hash: 6521B6713512409FEB91DF25CD88FDE3BB8AB49318F110455E255DAAA2CB72CC44AF22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 85%
                                                			E6C3D89C4(intOrPtr __ebx, intOrPtr __edx, intOrPtr _a4, void* _a8) {
                                                				signed int _v8;
                                                				void _v526;
                                                				char _v528;
                                                				char _v532;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t22;
                                                				intOrPtr _t35;
                                                				intOrPtr _t37;
                                                				intOrPtr _t40;
                                                				intOrPtr _t41;
                                                				int _t42;
                                                				intOrPtr _t43;
                                                				signed int _t44;
                                                
                                                				_t41 = __edx;
                                                				_t37 = __ebx;
                                                				_t22 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t22 ^ _t44;
                                                				_t43 = _a4;
                                                				_t42 = 0;
                                                				_v528 = 0;
                                                				memset( &_v526, 0, 0x206);
                                                				_v532 = 0;
                                                				if(_t43 != 0) {
                                                					_push(_t43);
                                                					if(E6C3C18E5( &_v528, 0x104, L"%s\\%s", L"Software\\Microsoft\\SQMClient") >= 0) {
                                                						if(E6C3C3E29(_t43, 0x80000002,  &_v528, L"MaxUploadFileSize",  &_v532) == 0) {
                                                							asm("sbb edi, edi");
                                                							_t42 = 1;
                                                						}
                                                					} else {
                                                						_t40 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t40 != 0x6c3e0088 && ( *(_t40 + 0x1c) & 0x00000001) != 0) {
                                                							_t15 = _t40 + 0x14; // 0x0
                                                							_t16 = _t40 + 0x10; // 0x1
                                                							E6C3D99F8( *_t16,  *_t15, 0x49, 0x6c3c7af4, _t27);
                                                						}
                                                					}
                                                				} else {
                                                					_t35 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t35 != 0x6c3e0088 && ( *(_t35 + 0x1c) & 0x00000001) != 0) {
                                                						_t9 = _t35 + 0x14; // 0x0
                                                						_t10 = _t35 + 0x10; // 0x1
                                                						E6C3D5F11( *_t10,  *_t9, 0x48, 0x6c3c7af4);
                                                					}
                                                				}
                                                				return E6C3C171F(_t42, _t37, _v8 ^ _t44, _t41, _t42, _t43);
                                                			}


















                                                APIs
                                                • memset.MSVCRT ref: 6C3D89F4
                                                  • Part of subcall function 6C3D5F11: EtwTraceMessage.NTDLL ref: 6C3D5F26
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: MessageTracememset
                                                • String ID: %s\%s$Fm*$MaxUploadFileSize$Software\Microsoft\SQMClient
                                                • API String ID: 1506953324-3763247472
                                                • Opcode ID: 4979c4f047230c9538f40dbc3338fa79287de509e3c6b1320de716dae6be7cc2
                                                • Instruction ID: b6b3724a7967c869345ae9fc980a5280c950bf60d43e61f3825fd0093eecc315
                                                • Opcode Fuzzy Hash: 4979c4f047230c9538f40dbc3338fa79287de509e3c6b1320de716dae6be7cc2
                                                • Instruction Fuzzy Hash: 2121D376640248AACB50CF15CC84EDE77B8BF45308F1204D6E96496A50C771FE898FA3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,00000064,000004FF), ref: 6C7AEA1F
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6C7AEA35
                                                • TranslateMessage.USER32(?), ref: 6C7AEA3F
                                                • DispatchMessageW.USER32(?), ref: 6C7AEA49
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6C7AEA58
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                                                • String ID:
                                                • API String ID: 2015114452-0
                                                • Opcode ID: 6937700ae029c81757b9338bf8a80770101575073721fad3feda294def66fb01
                                                • Instruction ID: 57f0f8d69a3e3d75bf9581d10248a092fbc714e043493b47dd5a0b0580d280c5
                                                • Opcode Fuzzy Hash: 6937700ae029c81757b9338bf8a80770101575073721fad3feda294def66fb01
                                                • Instruction Fuzzy Hash: C5014C72901229AADF109AE28D08EEF7A7CFF4A665F144231FA11E2080D674D645C6B0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __getptd.LIBCMT ref: 6C7D1EE7
                                                  • Part of subcall function 6C7CD3D1: __getptd_noexit.LIBCMT ref: 6C7CD3D4
                                                  • Part of subcall function 6C7CD3D1: __amsg_exit.LIBCMT ref: 6C7CD3E1
                                                • __getptd.LIBCMT ref: 6C7D1EFE
                                                • __amsg_exit.LIBCMT ref: 6C7D1F0C
                                                • __lock.LIBCMT ref: 6C7D1F1C
                                                • __updatetlocinfoEx_nolock.LIBCMT ref: 6C7D1F30
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                • String ID:
                                                • API String ID: 938513278-0
                                                • Opcode ID: 9d2937487a13c991803e488750d8f667249a47bcca3c0bc346d8793eb263ec18
                                                • Instruction ID: fa0be0816488a9aed6745d2666d6c111b101eb21cb372bbe66f91369e09a5794
                                                • Opcode Fuzzy Hash: 9d2937487a13c991803e488750d8f667249a47bcca3c0bc346d8793eb263ec18
                                                • Instruction Fuzzy Hash: 83F09632A4A7069FD7109BA4D60EB8D37A06F00739F124619D41067FD0CB74A9458A6B
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 71%
                                                			E6C3DB397(void* __eflags, short* _a4, char _a8, wchar_t* _a12, signed int _a16) {
                                                				intOrPtr _v8;
                                                				char _v12;
                                                				wchar_t* _v16;
                                                				signed int _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr _t121;
                                                				intOrPtr _t124;
                                                				signed int _t126;
                                                				intOrPtr _t128;
                                                				intOrPtr* _t129;
                                                				signed int _t133;
                                                				intOrPtr* _t134;
                                                				signed short* _t145;
                                                				wchar_t* _t146;
                                                				wchar_t* _t147;
                                                				signed int _t149;
                                                				intOrPtr _t153;
                                                				signed int _t154;
                                                				signed int _t157;
                                                				intOrPtr _t158;
                                                				wchar_t* _t160;
                                                				signed int _t164;
                                                				intOrPtr _t171;
                                                				wchar_t* _t177;
                                                				signed int _t179;
                                                				wchar_t* _t184;
                                                				signed short* _t185;
                                                				intOrPtr _t186;
                                                				intOrPtr _t187;
                                                				signed short* _t189;
                                                				long _t191;
                                                				intOrPtr* _t196;
                                                				void* _t198;
                                                				long* _t199;
                                                				wchar_t* _t201;
                                                				short _t202;
                                                				char _t203;
                                                				void* _t205;
                                                				void* _t206;
                                                				short* _t207;
                                                				short* _t208;
                                                				intOrPtr _t209;
                                                				wchar_t* _t210;
                                                				signed int _t211;
                                                
                                                				_t203 = _a8;
                                                				_v20 = 0;
                                                				_t121 = E6C3C173D(_a4, _t203, 0x6c3d5b60);
                                                				_v8 = _t121;
                                                				if(_t121 < 0) {
                                                					return _t121;
                                                				} else {
                                                					if(_t203 > 0x8000) {
                                                						return 0x80070057;
                                                					}
                                                					if(_t203 <= 0x104) {
                                                						_a16 = _a16 & 0xfffffffe;
                                                					}
                                                					_t184 = _a16 & 0x00000001;
                                                					_v16 = _t184;
                                                					if(_t184 == 0 && _t203 > 0x104) {
                                                						_t203 = 0x104;
                                                						_a8 = 0x104;
                                                					}
                                                					_t177 = _a12;
                                                					_v12 = _t203;
                                                					_t124 = E6C3DAF90(_t177,  &_a12);
                                                					_v24 = _t124;
                                                					if(_t124 == 0) {
                                                						_t204 = L"\\\\?\\";
                                                						_t201 = _t177;
                                                						_a16 = _a4;
                                                						_t126 = E6C3DAB86(_t177, L"\\\\?\\", 4);
                                                						if(_t126 == 0) {
                                                							if( *_t177 != 0 && _t177[0] == 0x3a) {
                                                								_t126 = 1;
                                                							}
                                                						} else {
                                                							_t184 =  &(_t177[2]);
                                                							if( *_t184 == 0 || _t177[2] != 0x3a) {
                                                								_t126 = 0;
                                                							} else {
                                                								_t201 = _t184;
                                                							}
                                                						}
                                                						if(_v16 == 0) {
                                                							goto L31;
                                                						}
                                                						if(_t126 == 0) {
                                                							goto L25;
                                                						}
                                                						_v20 = 4;
                                                						_t171 = E6C3DAD23(_t184, _a4, _a8, _t204,  &_a16,  &_v12, 0);
                                                						goto L24;
                                                					} else {
                                                						_push(0);
                                                						_push( &_v12);
                                                						_push( &_a16);
                                                						if(_v16 == 0) {
                                                							_push(L"\\\\");
                                                						} else {
                                                							_v20 = 6;
                                                							_push(L"\\\\?\\UNC\\");
                                                						}
                                                						_push(_t203);
                                                						_push(_a4);
                                                						_t171 = E6C3DAD23(_t184);
                                                						_t201 = _a12;
                                                						L24:
                                                						_v8 = _t171;
                                                						L25:
                                                						if(_v16 != 0) {
                                                							_t164 = _v20;
                                                							if(_t164 != 0 && _a8 <= _t164 + 0x104) {
                                                								if(_a8 > 0x104) {
                                                									_a8 = 0x104;
                                                								}
                                                								_v20 = _v20 & 0x00000000;
                                                								_v12 = _a8;
                                                								_t201 = _t177;
                                                								_a16 = _a4;
                                                								_v8 = E6C3C173D(_a4, _a8, 0x6c3d5b60);
                                                							}
                                                						}
                                                						L31:
                                                						if(_v8 < 0) {
                                                							L80:
                                                							E6C3C173D(_a4, _a8, 0x6c3d5b60);
                                                							_t128 = _v8;
                                                							if(_t128 != 0x8007007a) {
                                                								L115:
                                                								return _t128;
                                                							}
                                                							if(_v16 != 0) {
                                                								L84:
                                                								if(_a8 != 0x8000) {
                                                									goto L115;
                                                								}
                                                								L85:
                                                								_t128 = 0x800700ce;
                                                								goto L115;
                                                							}
                                                							if(_a8 == 0x104) {
                                                								goto L85;
                                                							}
                                                							if(_v16 == 0) {
                                                								goto L115;
                                                							}
                                                							goto L84;
                                                						}
                                                						while( *_t201 != 0) {
                                                							_t146 = wcschr(_t201, 0x5c);
                                                							_t209 = 0;
                                                							_pop(_t191);
                                                							if(_t146 == 0) {
                                                								_t147 = _t201;
                                                								_t199 =  &(_t147[0]);
                                                								do {
                                                									_t191 =  *_t147;
                                                									_t147 =  &(_t147[0]);
                                                								} while (_t191 != 0);
                                                								_t149 = _t147 - _t199;
                                                								L38:
                                                								_t179 = _t149 >> 1;
                                                								if(_t179 <= 0x100 || _v16 != _t209) {
                                                									if(_t179 >= 0x8000) {
                                                										goto L77;
                                                									}
                                                									if(_t179 != 1) {
                                                										if(_t179 != 2) {
                                                											if(_t179 == _t209 &&  *_t201 == 0x5c) {
                                                												_t179 = 1;
                                                											}
                                                											L64:
                                                											_t153 = E6C3DAE47(_t191, _a16, _v12, _t201, _t179,  &_a16,  &_v12, _t209);
                                                											_v8 = _t153;
                                                											if(_t153 != 0x8007007a || _t179 != 1 ||  *_t201 != 0x5c) {
                                                												L74:
                                                												_t201 = _t201 + _t179 * 2;
                                                												L75:
                                                												if(_v8 < _t209) {
                                                													break;
                                                												}
                                                												continue;
                                                											} else {
                                                												_t154 = _t201[0] & 0x0000ffff;
                                                												if(_t154 == _t209 || _t154 == 0x2e && _t201[1] == _t209) {
                                                													_v8 = _t209;
                                                													break;
                                                												} else {
                                                													if(_v12 == 1 && _t154 == 0x2e && _t201[1] == _t154) {
                                                														_a16 = _a16 + 2;
                                                														 *_a16 = _t209;
                                                														_v12 = _t209;
                                                														_v8 = _t209;
                                                													}
                                                													goto L74;
                                                												}
                                                											}
                                                										}
                                                										if( *_t201 != 0x2e) {
                                                											goto L64;
                                                										}
                                                										_t210 =  &(_t201[0]);
                                                										if( *_t210 != 0x2e) {
                                                											_t209 = 0;
                                                											goto L64;
                                                										}
                                                										_t181 = _a16;
                                                										if(_a16 <= _a4 || E6C3DAFFD(_a4) != 0) {
                                                											if(_t201[1] == 0x5c) {
                                                												_t201 = _t210;
                                                											}
                                                										} else {
                                                											_t211 = _a4;
                                                											_t157 = E6C3DABDF(_t211, _t181 + 0xfffffffe);
                                                											_a16 = _t157;
                                                											_t158 = _a8;
                                                											if(_t157 == 0) {
                                                												_a16 = _t211;
                                                											} else {
                                                												_t158 = _t158 - (_a16 - _t211 >> 1);
                                                											}
                                                											_v12 = _t158;
                                                											_v8 = E6C3C173D(_a16, _t158, 0x6c3d5b60);
                                                										}
                                                										_t201 =  &(_t201[1]);
                                                										_t209 = 0;
                                                										goto L75;
                                                									}
                                                									if( *_t201 != 0x2e) {
                                                										goto L64;
                                                									}
                                                									_t160 =  &(_t201[0]);
                                                									if( *_t160 != _t209) {
                                                										_t201 =  &(_t201[1]);
                                                									} else {
                                                										_t201 = _t160;
                                                										_t161 = _a4;
                                                										if(_a16 > _a4 && E6C3DAFFD(_t161) == 0) {
                                                											_a16 = _a16 - 2;
                                                											_v12 = _v12 + 1;
                                                											_v8 = E6C3C173D(_a16, _v12, 0x6c3d5b60);
                                                										}
                                                									}
                                                									goto L75;
                                                								} else {
                                                									L77:
                                                									_v8 = 0x800700ce;
                                                									goto L80;
                                                								}
                                                							}
                                                							_t149 = _t146 - _t201;
                                                							goto L38;
                                                						}
                                                						if(_v8 >= 0) {
                                                							_t185 = _a16;
                                                							_t196 = _a4;
                                                							if(_t185 <= _t196) {
                                                								L93:
                                                								_t129 = _t196;
                                                								_t205 = _t129 + 2;
                                                								do {
                                                									_t186 =  *_t129;
                                                									_t129 = _t129 + 2;
                                                								} while (_t186 != 0);
                                                								_t206 = _t196 + (_t129 - _t205 >> 1) * 2;
                                                								if(_t206 < _t196 + 0xe) {
                                                									L98:
                                                									_t202 = 0;
                                                									L99:
                                                									_t133 = _v20;
                                                									_t207 = _a4;
                                                									if(_t133 == _t202) {
                                                										L107:
                                                										if(_a8 > 1 &&  *_t207 == _t202) {
                                                											 *_t207 = 0x5c;
                                                											 *((short*)(_t207 + 2)) = _t202;
                                                										}
                                                										if(_a8 > 3 &&  *((short*)(_t207 + 2)) == 0x3a &&  *((intOrPtr*)(_t207 + 4)) == _t202) {
                                                											 *((short*)(_t207 + 4)) = 0x5c;
                                                											 *((short*)(_t207 + 6)) = _t202;
                                                										}
                                                										_t128 = 0;
                                                										goto L115;
                                                									}
                                                									_t134 = _t207 + _t133 * 2;
                                                									_t198 = _t134 + 2;
                                                									do {
                                                										_t187 =  *_t134;
                                                										_t134 = _t134 + 2;
                                                									} while (_t187 != _t202);
                                                									if(_t134 - _t198 >> 1 < 0x104) {
                                                										if(_v24 == _t202) {
                                                											_push(_t207 + 8);
                                                											_push(_a8);
                                                											_push(_t207);
                                                										} else {
                                                											_push(_t207 + 0x10);
                                                											_push(_a8 + 0xfffffffe);
                                                											_push(_t207 + 4);
                                                										}
                                                										E6C3C173D();
                                                									}
                                                									goto L107;
                                                								}
                                                								_t208 = _t206 - 0xe;
                                                								if(E6C3DAB86(_t208, L"::$DATA", 7) == 0) {
                                                									goto L98;
                                                								}
                                                								_t202 = 0;
                                                								 *_t208 = 0;
                                                								goto L99;
                                                							}
                                                							_t189 = _t185;
                                                							if( *_t189 != 0x2e) {
                                                								goto L93;
                                                							}
                                                							while(_t189 != _t196) {
                                                								_t145 = _t189 - 2;
                                                								if( *_t145 == 0x2a) {
                                                									goto L93;
                                                								}
                                                								 *_t189 =  *_t189 & 0x00000000;
                                                								_t189 = _t145;
                                                								if( *_t145 != 0x2e) {
                                                									goto L93;
                                                								}
                                                							}
                                                							 *_t189 =  *_t189 & 0x00000000;
                                                							goto L93;
                                                						}
                                                						goto L80;
                                                					}
                                                				}
                                                			}















































                                                0x6c3db4d2
                                                0x6c3db4dd
                                                0x6c3db4e0
                                                0x6c3db4e2
                                                0x6c3db4ea
                                                0x6c3db4ea
                                                0x6c3db4b3
                                                0x6c3db4ed
                                                0x6c3db4f1
                                                0x6c3db6a6
                                                0x6c3db6b1
                                                0x6c3db6b6
                                                0x6c3db6be
                                                0x6c3db7da
                                                0x00000000
                                                0x6c3db7da
                                                0x6c3db6c8
                                                0x6c3db6dd
                                                0x6c3db6e4
                                                0x00000000
                                                0x00000000
                                                0x6c3db6ea
                                                0x6c3db6ea
                                                0x00000000
                                                0x6c3db6ea
                                                0x6c3db6d1
                                                0x00000000
                                                0x00000000
                                                0x6c3db6d7
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x6c3db6d7
                                                0x6c3db4f7
                                                0x6c3db504
                                                0x6c3db509
                                                0x6c3db50e
                                                0x6c3db50f
                                                0x6c3db515
                                                0x6c3db517
                                                0x6c3db51a
                                                0x6c3db51a
                                                0x6c3db51e
                                                0x6c3db51f
                                                0x6c3db524
                                                0x6c3db526
                                                0x6c3db528
                                                0x6c3db530
                                                0x6c3db541
                                                0x00000000
                                                0x00000000
                                                0x6c3db54a
                                                0x6c3db5a4
                                                0x6c3db616
                                                0x6c3db620
                                                0x6c3db620
                                                0x6c3db625
                                                0x6c3db636
                                                0x6c3db640
                                                0x6c3db643
                                                0x6c3db687
                                                0x6c3db687
                                                0x6c3db68a
                                                0x6c3db68d
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x6c3db650
                                                0x6c3db650
                                                0x6c3db657
                                                0x6c3db69d
                                                0x00000000
                                                0x6c3db665
                                                0x6c3db669
                                                0x6c3db67a
                                                0x6c3db67e
                                                0x6c3db681
                                                0x6c3db684
                                                0x6c3db684
                                                0x00000000
                                                0x6c3db669
                                                0x6c3db657
                                                0x6c3db643
                                                0x6c3db5aa
                                                0x00000000
                                                0x00000000
                                                0x6c3db5ac
                                                0x6c3db5b3
                                                0x6c3db623
                                                0x00000000
                                                0x6c3db623
                                                0x6c3db5b5
                                                0x6c3db5bb
                                                0x6c3db609
                                                0x6c3db60b
                                                0x6c3db60b
                                                0x6c3db5c9
                                                0x6c3db5c9
                                                0x6c3db5d1
                                                0x6c3db5d6
                                                0x6c3db5db
                                                0x6c3db5de
                                                0x6c3db5eb
                                                0x6c3db5e0
                                                0x6c3db5e7
                                                0x6c3db5e7
                                                0x6c3db5f7
                                                0x6c3db5ff
                                                0x6c3db5ff
                                                0x6c3db60d
                                                0x6c3db610
                                                0x00000000
                                                0x6c3db610
                                                0x6c3db550
                                                0x00000000
                                                0x00000000
                                                0x6c3db556
                                                0x6c3db55c
                                                0x6c3db599
                                                0x6c3db55e
                                                0x6c3db55e
                                                0x6c3db560
                                                0x6c3db566
                                                0x6c3db57a
                                                0x6c3db57e
                                                0x6c3db591
                                                0x6c3db591
                                                0x6c3db566
                                                0x00000000
                                                0x6c3db694
                                                0x6c3db694
                                                0x6c3db694
                                                0x00000000
                                                0x6c3db694
                                                0x6c3db530
                                                0x6c3db511
                                                0x00000000
                                                0x6c3db511
                                                0x6c3db6a4
                                                0x6c3db6f4
                                                0x6c3db6f7
                                                0x6c3db6fc
                                                0x6c3db725
                                                0x6c3db725
                                                0x6c3db727
                                                0x6c3db72a
                                                0x6c3db72a
                                                0x6c3db72e
                                                0x6c3db72f
                                                0x6c3db738
                                                0x6c3db740
                                                0x6c3db75d
                                                0x6c3db75d
                                                0x6c3db75f
                                                0x6c3db75f
                                                0x6c3db764
                                                0x6c3db767
                                                0x6c3db7a7
                                                0x6c3db7ab
                                                0x6c3db7b2
                                                0x6c3db7b7
                                                0x6c3db7b7
                                                0x6c3db7bf
                                                0x6c3db7ce
                                                0x6c3db7d4
                                                0x6c3db7d4
                                                0x6c3db7d8
                                                0x00000000
                                                0x6c3db7d8
                                                0x6c3db769
                                                0x6c3db76c
                                                0x6c3db76f
                                                0x6c3db76f
                                                0x6c3db773
                                                0x6c3db774
                                                0x6c3db782
                                                0x6c3db787
                                                0x6c3db79d
                                                0x6c3db79e
                                                0x6c3db7a1
                                                0x6c3db789
                                                0x6c3db78c
                                                0x6c3db793
                                                0x6c3db797
                                                0x6c3db797
                                                0x6c3db7a2
                                                0x6c3db7a2
                                                0x00000000
                                                0x6c3db782
                                                0x6c3db749
                                                0x6c3db754
                                                0x00000000
                                                0x00000000
                                                0x6c3db756
                                                0x6c3db758
                                                0x00000000
                                                0x6c3db758
                                                0x6c3db6ff
                                                0x6c3db704
                                                0x00000000
                                                0x00000000
                                                0x6c3db706
                                                0x6c3db70a
                                                0x6c3db711
                                                0x00000000
                                                0x00000000
                                                0x6c3db713
                                                0x6c3db71b
                                                0x6c3db71d
                                                0x00000000
                                                0x00000000
                                                0x6c3db71f
                                                0x6c3db721
                                                0x00000000
                                                0x6c3db721
                                                0x00000000
                                                0x6c3db6a4
                                                0x6c3db40b

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: wcschr
                                                • String ID: ::$DATA$\\?\$\\?\UNC\
                                                • API String ID: 1497570035-1379090233
                                                • Opcode ID: 9463ede12fea6d6992bc2dc6fac89eff404ed9c12dc2b438074b00a2971da136
                                                • Instruction ID: 4417e0ec323a291977618e8fabf43fbe16ceef938b8804d10d67068c69b42e21
                                                • Opcode Fuzzy Hash: 9463ede12fea6d6992bc2dc6fac89eff404ed9c12dc2b438074b00a2971da136
                                                • Instruction Fuzzy Hash: 2FD17B7790120AEBCB20CF55C940A9E77B9FF0035CF56811AE8559F950E3B6BA90CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: MessageTrace
                                                • String ID: <NULL>$NULL$|Z=l
                                                • API String ID: 471583391-3130892913
                                                • Opcode ID: ea06ddb097ae59bd1ca75313a32957dc5b9c17277771b1b9c9d0eb066e152414
                                                • Instruction ID: 298173e74159463bde55b54520e59fc16f1ab8010ba7ebc0c9d8fc143ed7ac79
                                                • Opcode Fuzzy Hash: ea06ddb097ae59bd1ca75313a32957dc5b9c17277771b1b9c9d0eb066e152414
                                                • Instruction Fuzzy Hash: 8331F477A04306EBCB055F48C861A9A3735FB86B0CF178255E6556B950EF71FAC08FA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 6C7A4C43
                                                • _memset.LIBCMT ref: 6C7A4C57
                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 6C7A4C97
                                                  • Part of subcall function 6C7C8C9E: _memcpy_s.LIBCMT ref: 6C7C8CE4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: CurrentH_prolog3_Process_memcpy_s_memset
                                                • String ID: SeShutdownPrivilege
                                                • API String ID: 3477395303-3733053543
                                                • Opcode ID: d5ed75bb6ffa36911a9f16512a8402542b0ebe99a87afda28326041e51086ef1
                                                • Instruction ID: 5e929c91aa4f30f486419a6b6b41e59896fd675ee8491493b95809feb54b5b74
                                                • Opcode Fuzzy Hash: d5ed75bb6ffa36911a9f16512a8402542b0ebe99a87afda28326041e51086ef1
                                                • Instruction Fuzzy Hash: 6D411670A00219AFCB209F94CE89EDEB7B8FF89704F004599F609A7650CB309A85CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 55%
                                                			E6C3C3E29(void* __esi, void* _a4, short* _a8, short* _a12, char* _a16) {
                                                				void* _v8;
                                                				int _v12;
                                                				int _v16;
                                                				short* _t33;
                                                				intOrPtr _t34;
                                                				void* _t35;
                                                				intOrPtr _t43;
                                                				short* _t45;
                                                				signed int _t47;
                                                				long _t53;
                                                
                                                				_t33 = _a8;
                                                				_v12 = 0;
                                                				_v16 = 4;
                                                				_v8 = 0;
                                                				if(_t33 == 0 ||  *_t33 == 0) {
                                                					_t34 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t34 == 0x6c3e0088 || ( *(_t34 + 0x1c) & 0x00000001) == 0) {
                                                						goto L26;
                                                					} else {
                                                						_push(0x6c3d5ab8);
                                                						_push(0x14);
                                                						goto L25;
                                                					}
                                                				} else {
                                                					_t45 = _a12;
                                                					if(_t45 == 0 ||  *_t45 == 0) {
                                                						_t34 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t34 == 0x6c3e0088 || ( *(_t34 + 0x1c) & 0x00000001) == 0) {
                                                							goto L26;
                                                						} else {
                                                							_push(0x6c3d5ab8);
                                                							_push(0x15);
                                                							goto L25;
                                                						}
                                                					} else {
                                                						if(_a16 == 0) {
                                                							_t34 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t34 == 0x6c3e0088 || ( *(_t34 + 0x1c) & 0x00000001) == 0) {
                                                								L26:
                                                								_t35 = 0x57;
                                                								return _t35;
                                                							} else {
                                                								_push(0x6c3d5ab8);
                                                								_push(0x16);
                                                								L25:
                                                								_t31 = _t34 + 0x14; // 0x0
                                                								_push( *_t31);
                                                								_t32 = _t34 + 0x10; // 0x1
                                                								_push( *_t32);
                                                								E6C3D5F11();
                                                								goto L26;
                                                							}
                                                						}
                                                						_t47 =  *0x6c3e04d4; // 0x1
                                                						asm("sbb ecx, ecx");
                                                						_t53 = RegOpenKeyExW(_a4, _t33, 0, ( ~_t47 & 0x00000100) + 0x20019,  &_v8);
                                                						if(_t53 != 0) {
                                                							L8:
                                                							if(_v8 != 0) {
                                                								RegCloseKey(_v8);
                                                							}
                                                							return _t53;
                                                						}
                                                						_t53 = RegQueryValueExW(_v8, _t45, 0,  &_v12, _a16,  &_v16);
                                                						if(_t53 == 0 && _v12 != 4) {
                                                							_t43 =  *0x6c3e0088; // 0x6c3e0088
                                                							if(_t43 != 0x6c3e0088 && ( *(_t43 + 0x1c) & 0x00000001) != 0) {
                                                								_t23 = _t43 + 0x14; // 0x0
                                                								_t24 = _t43 + 0x10; // 0x1
                                                								E6C3D77B8( *_t24,  *_t23, 0x17, 0x6c3d5ab8, _t45, _v12);
                                                							}
                                                							_t53 = 0xd;
                                                						}
                                                						goto L8;
                                                					}
                                                				}
                                                			}














                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,-00020018,00000000,80000002,CEIPEnable,00000002), ref: 6C3C3E94
                                                • RegQueryValueExW.ADVAPI32(00000000,00000002,00000000,?,?,00000004), ref: 6C3C3EB0
                                                • RegCloseKey.ADVAPI32(00000000), ref: 6C3C3ECE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: CEIPEnable
                                                • API String ID: 3677997916-1389088331
                                                • Opcode ID: 17eeee1f7e986721756383dd9adf72e9e9d75758719b9e311341dfa3321c9b13
                                                • Instruction ID: 841edfa3922c33d5cafe1ae98be24b6d95475d74786b035820f55fc5e83e37d5
                                                • Opcode Fuzzy Hash: 17eeee1f7e986721756383dd9adf72e9e9d75758719b9e311341dfa3321c9b13
                                                • Instruction Fuzzy Hash: 2D31D432744158ABCB12CE54C880FDE7779EB4934CF210156EA10AB9B0C773DD94AF62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __CxxThrowException@8.LIBCMT ref: 6C7B600F
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                • __EH_prolog3.LIBCMT ref: 6C7B5F12
                                                  • Part of subcall function 6C7CC0AA: _malloc.LIBCMT ref: 6C7CC0C4
                                                  • Part of subcall function 6C79DBB0: __EH_prolog3.LIBCMT ref: 6C79DBB7
                                                Strings
                                                • In CartmanExeInstaller::CartmanExeInstaller, xrefs: 6C7B5F6B
                                                • In IronManExeInstaller::IronManExeInstaller, xrefs: 6C7B5FB3
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$DispatcherExceptionException@8ThrowUser_malloc
                                                • String ID: In CartmanExeInstaller::CartmanExeInstaller$In IronManExeInstaller::IronManExeInstaller
                                                • API String ID: 3653670741-4107417756
                                                • Opcode ID: 89bad0077f215c3eac7482f59cdba8be918da8afa0d99f375a1ac2cf693dbc8d
                                                • Instruction ID: 24c9f13d25aa016d1ecb0aeb09119a5cc8249b9b8cfef38ec75ea82dd1f3d211
                                                • Opcode Fuzzy Hash: 89bad0077f215c3eac7482f59cdba8be918da8afa0d99f375a1ac2cf693dbc8d
                                                • Instruction Fuzzy Hash: 9941F3B1505346EFDF11CF65DB4AB8E7FA4AF19318F108419FA04ABA90C771CA50DBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?), ref: 6C797DEB
                                                • ReadFile.KERNEL32(6C798045,00000000,00100000,?,00000000,?), ref: 6C797E4E
                                                • CloseHandle.KERNEL32(6C798045,?), ref: 6C797E9F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateHandleRead
                                                • String ID:
                                                • API String ID: 1035965006-3916222277
                                                • Opcode ID: 9ed8f8d9f33d7c70f9bc12e5732ed30b149497de9a0f43eb8100536600afe396
                                                • Instruction ID: c58742447e1572878202b669e0939949e87d1b8c9a24e13d3add799894210a2d
                                                • Opcode Fuzzy Hash: 9ed8f8d9f33d7c70f9bc12e5732ed30b149497de9a0f43eb8100536600afe396
                                                • Instruction Fuzzy Hash: DE318D31A00208EFCF14CF64D988FEE7B79EF49355F204169F515AB290C7719A45CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C779A20
                                                  • Part of subcall function 6C7CBA61: __fassign.LIBCMT ref: 6C7CBA6D
                                                • __itow_s.LIBCMT ref: 6C779A65
                                                  • Part of subcall function 6C7CBB8B: _xtow_s@20.LIBCMT ref: 6C7CBBAE
                                                  • Part of subcall function 6C7C8AFC: _wcsnlen.LIBCMT ref: 6C7C8B0C
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                  • Part of subcall function 6C778415: __EH_prolog3.LIBCMT ref: 6C77841C
                                                  • Part of subcall function 6C77A378: __EH_prolog3.LIBCMT ref: 6C77A37F
                                                • __CxxThrowException@8.LIBCMT ref: 6C779B2F
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                Strings
                                                • schema validation failure: non-numeric value, %s, for %s, xrefs: 6C779AAF
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$DispatcherExceptionException@8ThrowUser__fassign__itow_s_wcsnlen_xtow_s@20
                                                • String ID: schema validation failure: non-numeric value, %s, for %s
                                                • API String ID: 2893151999-2423109837
                                                • Opcode ID: 43ed41e52b2bbc9bd5f3d25d94f426ef0c63d0d241d84657758a014af42c0426
                                                • Instruction ID: 68aff505580d88663a6de22010de1084301eb81c4099c2212cf32bac4e3a5e74
                                                • Opcode Fuzzy Hash: 43ed41e52b2bbc9bd5f3d25d94f426ef0c63d0d241d84657758a014af42c0426
                                                • Instruction Fuzzy Hash: 7A413071A00109AFDB00DFA8CA4DAEE77B9AF14318F144555E524E7791DB31DA088B61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7C88A2
                                                • FormatMessageW.KERNEL32(00001300,00000000,6C76A794,?,?,00000000,00000000,00000008,6C7782F5,-00000960,?,?,?,6C7B695F,6C76A794), ref: 6C7C88DB
                                                • LocalFree.KERNEL32(?,-00000960,?,?,6C7B695F,6C76A794,?,?,?,UiInfo.xml,?,00000000,00000044,6C7B36D8,-00000960,?), ref: 6C7C8904
                                                  • Part of subcall function 6C7C8E8C: __CxxThrowException@8.LIBCMT ref: 6C7C8EA0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow
                                                • String ID: HRESULT 0x%8.8x
                                                • API String ID: 567734482-2887418326
                                                • Opcode ID: 62a4f9ce0485b1136fa46147174fade1740ed392666b3ecd4b7f808fe627ecc4
                                                • Instruction ID: d2f2eb9e5a2e373d3f3b094496f48d51a4b402feeb09dccdedc43e45a999a8dc
                                                • Opcode Fuzzy Hash: 62a4f9ce0485b1136fa46147174fade1740ed392666b3ecd4b7f808fe627ecc4
                                                • Instruction Fuzzy Hash: 9221A27070051BAFCB019F94CA889EE7775FF05318B54852AF914ABB10CB358E15DB53
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7AE929
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A17B7: __EH_prolog3.LIBCMT ref: 6C7A17BE
                                                  • Part of subcall function 6C77395E: __EH_prolog3.LIBCMT ref: 6C773965
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: complete$Action$Copying Items
                                                • API String ID: 431132790-1386866621
                                                • Opcode ID: dc599b494681415ad3015c4c2c3074280c534464e14b8e995f57112bec90b21b
                                                • Instruction ID: e8c02baf0893c7ca7c387553354639d3b4e7ebd85fcb28fa6fe3fa09459d5c21
                                                • Opcode Fuzzy Hash: dc599b494681415ad3015c4c2c3074280c534464e14b8e995f57112bec90b21b
                                                • Instruction Fuzzy Hash: E4213BB1900209AFDB10DBE8CA4DFEEBBB8AF18308F144549E415B7B41C774AA098B61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B8E84
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • SysAllocString.OLEAUT32(?), ref: 6C7B8F31
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$AllocString
                                                • String ID: </MsiPatch>$<MsiPatch
                                                • API String ID: 99483316-2338456224
                                                • Opcode ID: 05f4c0d5c22c0e38216a67543490ea143d8d575b538118072f0878405be056e8
                                                • Instruction ID: ef150e090d8c6aaac1d97237972a77b5fe95aa98ccfe0f096ebd38f4817238b2
                                                • Opcode Fuzzy Hash: 05f4c0d5c22c0e38216a67543490ea143d8d575b538118072f0878405be056e8
                                                • Instruction Fuzzy Hash: BC213B71600249EFCB04EFB8CA485DD7B61BF05328F24866AE435ABB91CB30DA09C752
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_catch_GS.LIBCMT ref: 6C77C9DF
                                                • __CxxThrowException@8.LIBCMT ref: 6C77CA34
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionException@8H_prolog3_catch_ThrowUser
                                                • String ID: 1$AssignmentType
                                                • API String ID: 2496864217-340370839
                                                • Opcode ID: 0344d305ba75da897c6d45ac03a8df6c2925af2d5a1215ec0aa921df9394ece0
                                                • Instruction ID: 66931f59a43f3cfdf3fb933f88ce8d28211009a89bc9b28fddd91ea9b315e665
                                                • Opcode Fuzzy Hash: 0344d305ba75da897c6d45ac03a8df6c2925af2d5a1215ec0aa921df9394ece0
                                                • Instruction Fuzzy Hash: 0C21F071E11208AFDF04DFA8DA849DDBBB5BF0C305F518829E115EB650D770AA49CB24
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C776CCB
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C775A22: __EH_prolog3.LIBCMT ref: 6C775A29
                                                  • Part of subcall function 6C775A22: #8.MSI(?,?,?,?,` WHERE ,?,00000000,?,` FROM `,?,SELECT `,00000014,6C776D4B,?,?,?), ref: 6C775AF2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: MsiPatchMetadata$Value$`Property` = 'DisplayName'
                                                • API String ID: 431132790-332461799
                                                • Opcode ID: 69c0b3b7d8743d1ffb680a64221c9191a7bb069a6b9d8a266b32ee8f56e25bc3
                                                • Instruction ID: 98d12a3cc293d816899100ca377e4fd0aea9ea0bd0c19aabfbdbb43bcebd93fd
                                                • Opcode Fuzzy Hash: 69c0b3b7d8743d1ffb680a64221c9191a7bb069a6b9d8a266b32ee8f56e25bc3
                                                • Instruction Fuzzy Hash: D9213E7290014DAFCF10DFE8CA88ADEBBB9BF04318F144656E924A7750C730AB199B61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: CountTick__aulldiv
                                                • String ID: (ActionData)$Setting Progress: ticks, soFar = %d, %d %s
                                                • API String ID: 3746106513-4185375322
                                                • Opcode ID: 2d8b2bad2a93452fc3a21f509f3d060beb33046a81350c7be6b83e42ccc42af2
                                                • Instruction ID: 652ae22815c3d0388436b94ed69c4c901289b9b8ec5374ffff8611a92d50f782
                                                • Opcode Fuzzy Hash: 2d8b2bad2a93452fc3a21f509f3d060beb33046a81350c7be6b83e42ccc42af2
                                                • Instruction Fuzzy Hash: DF01D6726006497FDB10AA68CE49EAA3B5E9F453A9F148215F919CBAC1C721DC4087F0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • ParameterInfo.xml, xrefs: 6C791D78
                                                • schema validation failure: Install action is not supported in the ActionTable for RelatedProducts., xrefs: 6C791D66
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Exception@8H_prolog3Throw
                                                • String ID: ParameterInfo.xml$schema validation failure: Install action is not supported in the ActionTable for RelatedProducts.
                                                • API String ID: 3670251406-470515384
                                                • Opcode ID: ab854bc4f89d85caa91d2d462048e8ff5e81543d1c35ade310f2b68d5f305cad
                                                • Instruction ID: fd048041fc11face8242d0cfeb73cce9432f71eaa104411f6bf303ef504ad1d5
                                                • Opcode Fuzzy Hash: ab854bc4f89d85caa91d2d462048e8ff5e81543d1c35ade310f2b68d5f305cad
                                                • Instruction Fuzzy Hash: EF11A072500608DFDF24DBA4CA0DFED33B8BF04318F504669E1209BAA0CB34E698CB21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetSystemTime.KERNEL32(00000000,00000000,?,?,?,6C3C833E,?), ref: 6C3C84AF
                                                • SystemTimeToFileTime.KERNEL32(6C3C833E,6C3C833E,?,?,?,6C3C833E,?), ref: 6C3C84BD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: Time$System$File
                                                • String ID: MSQM$x
                                                • API String ID: 2838179519-3648152566
                                                • Opcode ID: 6a2b8a02f766f34f55bf5bbfe0d212c5cf1f0edd8d6c37115c0381f94a90ee7f
                                                • Instruction ID: 67689d5611f3bb20242e0e1e9b3f8b02f893424aa40e4e6fa53c9c773aed7923
                                                • Opcode Fuzzy Hash: 6a2b8a02f766f34f55bf5bbfe0d212c5cf1f0edd8d6c37115c0381f94a90ee7f
                                                • Instruction Fuzzy Hash: 2211AD75B10208ABCB06DE65C8C4ECD3BBDAB09358F100465E500DBA60C771ED84CF66
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E6C3DA611(void* _a4, char* _a8, char* _a12) {
                                                				signed int _v8;
                                                				char _v268;
                                                				void* _v272;
                                                				int _v276;
                                                				int _v280;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t13;
                                                				signed int _t22;
                                                				intOrPtr _t24;
                                                				char* _t29;
                                                				int* _t30;
                                                				signed int _t33;
                                                
                                                				_t13 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t13 ^ _t33;
                                                				_t29 = _a12;
                                                				_t28 =  &_v272;
                                                				_t30 = 0;
                                                				if(RegOpenKeyExA(_a4, _a8, 0, 1,  &_v272) == 0) {
                                                					_v276 = 0x104;
                                                					_t22 = RegQueryValueExA(_v272, _t29, 0,  &_v280,  &_v268,  &_v276);
                                                					asm("sbb esi, esi");
                                                					_t30 =  ~_t22 + 1;
                                                					RegCloseKey(_v272);
                                                				}
                                                				return E6C3C171F(_t30, _t24, _v8 ^ _t33, _t28, _t29, _t30);
                                                			}

                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,?), ref: 6C3DA63F
                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 6C3DA670
                                                • RegCloseKey.ADVAPI32(?), ref: 6C3DA683
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: Fm*
                                                • API String ID: 3677997916-3000852143
                                                • Opcode ID: 8830c6efd759b842e2017328475bdc6b380c56fc0b05584d8b91175db2f9d477
                                                • Instruction ID: 96f044ba088ab3f052e733a151248e661e604c4ab0944a4529f44177246e6262
                                                • Opcode Fuzzy Hash: 8830c6efd759b842e2017328475bdc6b380c56fc0b05584d8b91175db2f9d477
                                                • Instruction Fuzzy Hash: 12014076A0012CABCB20CF65CC09EDFBB7CEB49754F004296A94993140DAB0AA84DFD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B78B6
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C775A22: __EH_prolog3.LIBCMT ref: 6C775A29
                                                  • Part of subcall function 6C775A22: #8.MSI(?,?,?,?,` WHERE ,?,00000000,?,` FROM `,?,SELECT `,00000014,6C776D4B,?,?,?), ref: 6C775AF2
                                                Strings
                                                • MsiPatchMetadata, xrefs: 6C7B78E8
                                                • `Company` = 'Microsoft Corporation' AND `Property` = 'Baseline', xrefs: 6C7B78D6
                                                • Value, xrefs: 6C7B78F9
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: MsiPatchMetadata$Value$`Company` = 'Microsoft Corporation' AND `Property` = 'Baseline'
                                                • API String ID: 431132790-557274228
                                                • Opcode ID: c5018c5ab4c839d7d5146e92d389597d46d2e041463a91a84920d474833b3acb
                                                • Instruction ID: 5e4e43adfc934aec6b5011b83aa658bf4606129dbdf33479146619af3e5d8165
                                                • Opcode Fuzzy Hash: c5018c5ab4c839d7d5146e92d389597d46d2e041463a91a84920d474833b3acb
                                                • Instruction Fuzzy Hash: 7311F17290011D9FCB10DBE4CA4DBEEB779BF04318F104655E120A7780C7349B599BA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • ParameterInfo.xml, xrefs: 6C793D52
                                                • No product drive hints found!, xrefs: 6C793D44
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3_free
                                                • String ID: No product drive hints found!$ParameterInfo.xml
                                                • API String ID: 2248394366-1693167656
                                                • Opcode ID: ddc12303a6c330ba2823460281254743c1d560a36d31dce5456a925f3d985c9b
                                                • Instruction ID: 817ecb89f7b828c74f26d5a162e561f4c4ff00fb58e7b108ec43611b1e1abbb5
                                                • Opcode Fuzzy Hash: ddc12303a6c330ba2823460281254743c1d560a36d31dce5456a925f3d985c9b
                                                • Instruction Fuzzy Hash: 960119716007028FC720DF5AD7C951AF7E2FB44704B51887EE16E9BE10CB34B8858B45
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C7C847A: RegCloseKey.ADVAPI32(?,?,?,6C78463B,00000034,00000034,00000000), ref: 6C7C84BA
                                                • RegCloseKey.ADVAPI32(00000000,80000001,Software\Microsoft\VisualStudio\Setup,?,00000000), ref: 6C7B2AA7
                                                  • Part of subcall function 6C7C83D2: RegQueryValueExW.ADVAPI32(00000000,00000034,00000000,00000034,00000034,00000000,?,?,6C784685,?,?,6C7842F8,00000034,00000034,00000034,00000034), ref: 6C7C83F4
                                                • RegCloseKey.ADVAPI32(00000000,00000000,IsInCorpnetHook,000000FF,80000001,Software\Microsoft\VisualStudio\Setup,?,00000000), ref: 6C7B2A95
                                                Strings
                                                • Software\Microsoft\VisualStudio\Setup, xrefs: 6C7B2A4B
                                                • IsInCorpnetHook, xrefs: 6C7B2A77
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Close$QueryValue
                                                • String ID: IsInCorpnetHook$Software\Microsoft\VisualStudio\Setup
                                                • API String ID: 2393043351-2117743171
                                                • Opcode ID: 3c6cfbfee1bd0650e3efe53b4139b8921bedb3713699be455ab01eb5403a2683
                                                • Instruction ID: 30dc4dcebee55f0bbe868b05a3d5a57a42576e5f9f3d54749b2fcfd47691c92f
                                                • Opcode Fuzzy Hash: 3c6cfbfee1bd0650e3efe53b4139b8921bedb3713699be455ab01eb5403a2683
                                                • Instruction Fuzzy Hash: B3016D30D0122AEFCF20DF968E089DEBB78FF45755B510966EC20F2544D7709A01DA91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E6C3CBDC3(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi) {
                                                				signed int _v8;
                                                				struct _OSVERSIONINFOW _v284;
                                                				signed int _t12;
                                                				int _t17;
                                                				intOrPtr _t18;
                                                				long _t21;
                                                				intOrPtr _t22;
                                                				intOrPtr _t24;
                                                				intOrPtr _t27;
                                                				intOrPtr _t28;
                                                				intOrPtr _t29;
                                                				signed int _t30;
                                                
                                                				_t29 = __esi;
                                                				_t28 = __edi;
                                                				_t27 = __edx;
                                                				_t24 = __ebx;
                                                				_t12 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t12 ^ _t30;
                                                				memset( &(_v284.dwMajorVersion), 0, 0x110);
                                                				_v284.dwOSVersionInfoSize = 0x114;
                                                				_t17 = GetVersionExW( &_v284);
                                                				if(_t17 == 0) {
                                                					_t18 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t18 != 0x6c3e0088 && ( *(_t18 + 0x1c) & 0x00000001) != 0) {
                                                						_t21 = GetLastError();
                                                						_t22 =  *0x6c3e0088; // 0x6c3e0088
                                                						_t10 = _t22 + 0x14; // 0x0
                                                						_t11 = _t22 + 0x10; // 0x1
                                                						E6C3D99F8( *_t11,  *_t10, 0x2d, 0x6c3d5b28, _t21);
                                                					}
                                                					_t19 = 0;
                                                					L2:
                                                					return E6C3C171F(_t19, _t24, _v8 ^ _t30, _t27, _t28, _t29);
                                                				}
                                                				asm("sbb eax, eax");
                                                				_t19 = _t17 + 1;
                                                				goto L2;
                                                			}

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLastVersionmemset
                                                • String ID: Fm*
                                                • API String ID: 173866510-3000852143
                                                • Opcode ID: c324ce3605d3780af8d6617255f79db4836f3a0cfd85a9a5a140f47baf8e58ea
                                                • Instruction ID: f79339c4e001e1e5b4cba231a357be32b12f5550c258e7d37e03e0f5ca66fd2d
                                                • Opcode Fuzzy Hash: c324ce3605d3780af8d6617255f79db4836f3a0cfd85a9a5a140f47baf8e58ea
                                                • Instruction Fuzzy Hash: D401D4726002489FCB94CF64CD4AFCD77F8AB09708F5100A4A606D6980DB72EE489F62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7C2F81
                                                • CoInitialize.OLE32(00000000), ref: 6C7C2FAC
                                                  • Part of subcall function 6C7A1D31: __EH_prolog3.LIBCMT ref: 6C7A1D38
                                                • GetCurrentThreadId.KERNEL32 ref: 6C7C2FFE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$CurrentInitializeThread
                                                • String ID: PBH
                                                • API String ID: 1175431296-622276336
                                                • Opcode ID: 640f078704fedc496db7de20818dd113c8e1df428a3d2376b870a677ef68dc17
                                                • Instruction ID: dcd442a5cb149f1844a0491ddb5323493ae602ab7d09652c7f577f4be1cdac8f
                                                • Opcode Fuzzy Hash: 640f078704fedc496db7de20818dd113c8e1df428a3d2376b870a677ef68dc17
                                                • Instruction Fuzzy Hash: 640125B0500B05CFDB52CF6ACA4D68AFBE8BF44304F50480EE4AA87710C774A609DF21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7C5996
                                                • GetLastError.KERNEL32(?,?,?,6C7C4247,00000000,?), ref: 6C7C59C6
                                                  • Part of subcall function 6C777479: __EH_prolog3.LIBCMT ref: 6C777480
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$ErrorLast
                                                • String ID: GET$WinHttpOpenRequest
                                                • API String ID: 1123136255-4115601440
                                                • Opcode ID: 620b1242c078d6306bce6b5dc4542dc8e4982e62f736da4f7a8190eb3d0ed8b8
                                                • Instruction ID: b06e93e752dc64da020134ebd84f35fda0f85a3af8e43d37d425b4c20bdd545b
                                                • Opcode Fuzzy Hash: 620b1242c078d6306bce6b5dc4542dc8e4982e62f736da4f7a8190eb3d0ed8b8
                                                • Instruction Fuzzy Hash: 95F0BE31200601AFC7219F7ACE0DE8B7AA5AFC8324F11480AF495CBB50CB309551DA21
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsValidSid.ADVAPI32(?,|tzl,6C7A2CCC,0000000F,?,?,6C7A48E0), ref: 6C7A2E68
                                                • GetLengthSid.ADVAPI32(?,?,?,6C7A48E0), ref: 6C7A2E7F
                                                • CopySid.ADVAPI32(00000000,?,?,?,?,6C7A48E0), ref: 6C7A2E96
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: CopyLengthValid
                                                • String ID: |tzl
                                                • API String ID: 125619644-3263282363
                                                • Opcode ID: 0cdfcfebae37436b1e1c80d6ebfff886bbd1021e914e9cca4f4177e4c9c6566e
                                                • Instruction ID: 44240ff36a648da933fae9b15020a95b853af8ba90499e8cd79849fce44c515e
                                                • Opcode Fuzzy Hash: 0cdfcfebae37436b1e1c80d6ebfff886bbd1021e914e9cca4f4177e4c9c6566e
                                                • Instruction Fuzzy Hash: D0F0E530208185EFCB106FB7DD0CB4B3E7CAB02389F504638F10E94910DB32D4919B61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6C3DA6A0() {
                                                				_Unknown_base(*)()* _t1;
                                                				void* _t2;
                                                				void* _t5;
                                                				void* _t6;
                                                
                                                				_t1 =  *0x6c3e0544; // 0xffffffff
                                                				if(_t1 == 0xffffffff) {
                                                					if(E6C3C2429(_t5, _t6, 7) == 0) {
                                                						_t1 = 0;
                                                					} else {
                                                						_t1 = GetProcAddress(LoadLibraryA("netapi32"), "NetGetJoinInformation");
                                                					}
                                                					 *0x6c3e0544 = _t1;
                                                				}
                                                				if(_t1 != 0) {
                                                					goto __eax;
                                                				}
                                                				_t2 = 0x7f;
                                                				return _t2;
                                                			}

                                                APIs
                                                • LoadLibraryA.KERNEL32(netapi32,NetGetJoinInformation,00000007), ref: 6C3DA6C4
                                                • GetProcAddress.KERNEL32(00000000), ref: 6C3DA6CB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: NetGetJoinInformation$netapi32
                                                • API String ID: 2574300362-2552388246
                                                • Opcode ID: 59528cbb3fdd6de309fd198dce73309f4b285a8b0975d4f3d8b2a802dd945d35
                                                • Instruction ID: 0ba42d125cee6b71412a7e10f6f5d13f9a4112fffa7b0c0cd8a259e5619976e9
                                                • Opcode Fuzzy Hash: 59528cbb3fdd6de309fd198dce73309f4b285a8b0975d4f3d8b2a802dd945d35
                                                • Instruction Fuzzy Hash: F5E0267338C302DBEA10427A5F08ABA33BD8711369B220912F429D1CC0DB29F500EE24
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6C3DA703() {
                                                				_Unknown_base(*)()* _t1;
                                                				void* _t2;
                                                				void* _t5;
                                                				void* _t6;
                                                
                                                				_t1 =  *0x6c3e0548; // 0xffffffff
                                                				if(_t1 == 0xffffffff) {
                                                					if(E6C3C2429(_t5, _t6, 7) == 0) {
                                                						_t1 = 0;
                                                					} else {
                                                						_t1 = GetProcAddress(GetModuleHandleA("netapi32"), "NetApiBufferFree");
                                                					}
                                                					 *0x6c3e0548 = _t1;
                                                				}
                                                				if(_t1 != 0) {
                                                					goto __eax;
                                                				}
                                                				_t2 = 0x7f;
                                                				return _t2;
                                                			}








                                                APIs
                                                • GetModuleHandleA.KERNEL32(netapi32,NetApiBufferFree,00000007), ref: 6C3DA727
                                                • GetProcAddress.KERNEL32(00000000), ref: 6C3DA72E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: NetApiBufferFree$netapi32
                                                • API String ID: 1646373207-4116497281
                                                • Opcode ID: b45eb9c237b58c4beb533e173c1fcbe7ff8395e83155e531e530877a71d230db
                                                • Instruction ID: 4d49e0164e6bf1064f4ec50ec98ea2ff332619d28edfbebeee5708bfc3079edb
                                                • Opcode Fuzzy Hash: b45eb9c237b58c4beb533e173c1fcbe7ff8395e83155e531e530877a71d230db
                                                • Instruction Fuzzy Hash: 4CE02673B4820297E66047FA4E48A7A33BC8701324B230911F529C5CC0CB2AF800DE20
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E6C3DA8F1() {
                                                				signed int _t3;
                                                				void* _t5;
                                                				long _t6;
                                                
                                                				_t6 = 0;
                                                				_t5 = OpenEventA(0x100000, 0, "Global\\TabletHardwarePresent");
                                                				if(_t5 != 0) {
                                                					_t3 = WaitForSingleObject(_t5, 0);
                                                					asm("sbb esi, esi");
                                                					_t6 =  ~_t3 + 1;
                                                					CloseHandle(_t5);
                                                				}
                                                				return _t6;
                                                			}







                                                APIs
                                                • OpenEventA.KERNEL32(00100000,00000000,Global\TabletHardwarePresent), ref: 6C3DA902
                                                • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 6C3DA910
                                                • CloseHandle.KERNEL32(00000000), ref: 6C3DA91E
                                                Strings
                                                • Global\TabletHardwarePresent, xrefs: 6C3DA8F5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CloseEventHandleObjectOpenSingleWait
                                                • String ID: Global\TabletHardwarePresent
                                                • API String ID: 1727428665-3144360101
                                                • Opcode ID: e966cb4a358987d2f6479245a5a88204f8586f1a850ae4c0e26e1b9a83598b75
                                                • Instruction ID: 7bc13a14d2afafcc1531f09ba8fdebe98e01e209ad22ae4a5482ad2491f8ac09
                                                • Opcode Fuzzy Hash: e966cb4a358987d2f6479245a5a88204f8586f1a850ae4c0e26e1b9a83598b75
                                                • Instruction Fuzzy Hash: CED01733301130678671123AAC0CEAFAE7CDBCBEF57070210F84AD36008A68EA02D9E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 70%
                                                			E6C3C62BF(intOrPtr __ecx, void* __eflags, intOrPtr* _a4) {
                                                				signed int _v8;
                                                				char _v16;
                                                				signed int _v20;
                                                				void _v146;
                                                				char _v148;
                                                				void _v4546;
                                                				char _v4548;
                                                				int _v4552;
                                                				intOrPtr* _v4556;
                                                				int _v4560;
                                                				char _v4564;
                                                				intOrPtr _v4568;
                                                				char _v4592;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t148;
                                                				signed int _t149;
                                                				intOrPtr _t156;
                                                				char _t159;
                                                				intOrPtr* _t163;
                                                				intOrPtr _t169;
                                                				intOrPtr _t173;
                                                				signed int _t179;
                                                				intOrPtr _t180;
                                                				signed int _t184;
                                                				intOrPtr _t186;
                                                				void* _t192;
                                                				signed int _t194;
                                                				intOrPtr _t195;
                                                				intOrPtr _t198;
                                                				intOrPtr _t203;
                                                				signed int _t205;
                                                				char* _t207;
                                                				intOrPtr _t210;
                                                				intOrPtr _t215;
                                                				intOrPtr* _t218;
                                                				intOrPtr _t219;
                                                				void* _t228;
                                                				intOrPtr _t251;
                                                				void* _t253;
                                                				signed int _t254;
                                                				signed int _t256;
                                                				intOrPtr _t258;
                                                				intOrPtr _t259;
                                                				signed int _t260;
                                                				signed int _t261;
                                                
                                                				_push(0xffffffff);
                                                				_push(E6C3DDC41);
                                                				_push( *[fs:0x0]);
                                                				E6C3C45B4(0x11e0);
                                                				_t148 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_t149 = _t148 ^ _t261;
                                                				_v20 = _t149;
                                                				_push(_t149);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t218 = _a4;
                                                				_t258 = __ecx;
                                                				_v4556 = _t218;
                                                				E6C3C7CB0( &_v4592);
                                                				_v8 = 0;
                                                				_v4552 = 0;
                                                				_v4560 = 0;
                                                				_v148 = 0;
                                                				memset( &_v146, 0, 0x7e);
                                                				_v4548 = 0;
                                                				memset( &_v4546, 0, 0x112e);
                                                				if(_t218 == 0) {
                                                					_t156 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t156 - 0x6c3e0088;
                                                					if(_t156 == 0x6c3e0088) {
                                                						L26:
                                                						_v8 = _v8 | 0xffffffff;
                                                						E6C3CC2C1( &_v4592);
                                                						_t159 = 1;
                                                						L21:
                                                						 *[fs:0x0] = _v16;
                                                						_pop(_t251);
                                                						_pop(_t259);
                                                						_pop(_t219);
                                                						return E6C3C171F(_t159, _t219, _v20 ^ _t261, _t248, _t251, _t259);
                                                					}
                                                					__eflags =  *(_t156 + 0x1c) & 0x00000001;
                                                					if(( *(_t156 + 0x1c) & 0x00000001) != 0) {
                                                						_push(0x6c3c7af4);
                                                						_push(0x2c);
                                                						L25:
                                                						_t63 = _t156 + 0x14; // 0x0
                                                						_push( *_t63);
                                                						_t64 = _t156 + 0x10; // 0x1
                                                						_push( *_t64);
                                                						E6C3D5F11();
                                                					}
                                                					goto L26;
                                                				}
                                                				if( *((intOrPtr*)(_t258 + 0xc)) == 0) {
                                                					_t156 =  *0x6c3e0088; // 0x6c3e0088
                                                					__eflags = _t156 - 0x6c3e0088;
                                                					if(_t156 == 0x6c3e0088) {
                                                						goto L26;
                                                					}
                                                					__eflags =  *(_t156 + 0x1c) & 0x00000001;
                                                					if(( *(_t156 + 0x1c) & 0x00000001) == 0) {
                                                						goto L26;
                                                					} else {
                                                						_push(0x6c3c7af4);
                                                						_push(0x2d);
                                                						goto L25;
                                                					}
                                                				} else {
                                                					_t252 =  *((intOrPtr*)(_t258 + 0xc));
                                                					_v4568 =  *((intOrPtr*)( *((intOrPtr*)(_t258 + 0xc)) + 0x18));
                                                					_t163 = _t218;
                                                					_t228 = _t163 + 2;
                                                					do {
                                                						_t248 =  *_t163;
                                                						_t163 = _t163 + 2;
                                                					} while (_t248 != 0);
                                                					if(E6C3C7FAF( &_v148, 0x40, _t218, _t163 - _t228 >> 1) != 1) {
                                                						_t169 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t169 - 0x6c3e0088;
                                                						if(_t169 != 0x6c3e0088) {
                                                							__eflags =  *(_t169 + 0x1c) & 0x00000001;
                                                							if(( *(_t169 + 0x1c) & 0x00000001) != 0) {
                                                								_t74 = _t169 + 0x14; // 0x0
                                                								_t75 = _t169 + 0x10; // 0x1
                                                								E6C3D774A( *_t75,  *_t74, 0x2e, 0x6c3c7af4, _t218);
                                                							}
                                                						}
                                                						goto L26;
                                                					}
                                                					if(E6C3C84FC(_t258, _t248,  &_v148, _v4568,  *((intOrPtr*)(_t252 + 0x40)),  *((intOrPtr*)(_t252 + 0x44))) != 0) {
                                                						_t173 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t173 - 0x6c3e0088;
                                                						if(_t173 != 0x6c3e0088) {
                                                							__eflags =  *(_t173 + 0x1c) & 0x00000004;
                                                							if(( *(_t173 + 0x1c) & 0x00000004) != 0) {
                                                								_t81 = _t173 + 0x14; // 0x0
                                                								_t82 = _t173 + 0x10; // 0x1
                                                								E6C3D88BE( *_t82,  *_t81, 0x2f, 0x6c3c7af4, _v4568,  &_v148);
                                                							}
                                                						}
                                                						_v4552 = 0x193;
                                                						L61:
                                                						_t253 = 0;
                                                						L16:
                                                						_v4564 = E6C3CDF93(_t258, _v4552, _t253);
                                                						E6C3CE442(_t258, _t248,  &_v148, _v4568, _v4552);
                                                						if(_v4564 == 0 || _v4560 != 0) {
                                                							L20:
                                                							_v8 = _v8 | 0xffffffff;
                                                							E6C3CC2C1( &_v4592);
                                                							_t159 = _v4564;
                                                							goto L21;
                                                						} else {
                                                							if(_t253 < 0) {
                                                								__eflags = _t253 - 0x80072efe;
                                                								if(_t253 == 0x80072efe) {
                                                									goto L19;
                                                								}
                                                								L66:
                                                								_t179 = E6C3C17EB(4);
                                                								__eflags = _t179;
                                                								if(_t179 == 0) {
                                                									_t254 = 0;
                                                									__eflags = 0;
                                                								} else {
                                                									 *_t179 = _v4552;
                                                									_t254 = _t179;
                                                								}
                                                								__eflags = _t254;
                                                								if(_t254 == 0) {
                                                									_t180 =  *0x6c3e0088; // 0x6c3e0088
                                                									__eflags = _t180 - 0x6c3e0088;
                                                									if(_t180 != 0x6c3e0088) {
                                                										__eflags =  *(_t180 + 0x1c) & 0x00000001;
                                                										if(( *(_t180 + 0x1c) & 0x00000001) != 0) {
                                                											_t143 = _t180 + 0x14; // 0x0
                                                											_t144 = _t180 + 0x10; // 0x1
                                                											E6C3D99F8( *_t144,  *_t143, 0x37, 0x6c3c7af4, 4);
                                                										}
                                                									}
                                                								} else {
                                                									E6C3C7C43( &_v4560, _v4556);
                                                									_v8 = 1;
                                                									_t184 = E6C3D8B37(_t258 + 0x20,  &_v4560, _t254);
                                                									_t260 = _t184;
                                                									_v8 = 0;
                                                									 *0x6c3e001c(_v4560);
                                                									__eflags = _t260;
                                                									if(_t260 < 0) {
                                                										_t186 =  *0x6c3e0088; // 0x6c3e0088
                                                										__eflags = _t186 - 0x6c3e0088;
                                                										if(_t186 != 0x6c3e0088) {
                                                											__eflags =  *(_t186 + 0x1c) & 0x00000001;
                                                											if(( *(_t186 + 0x1c) & 0x00000001) != 0) {
                                                												_t138 = _t186 + 0x14; // 0x0
                                                												_t139 = _t186 + 0x10; // 0x1
                                                												E6C3D8844( *_t139,  *_t138, 0x36, 0x6c3c7af4, _v4556,  *_t254, _t260);
                                                											}
                                                										}
                                                										_push(_t254);
                                                										E6C3C1816();
                                                									}
                                                								}
                                                								goto L20;
                                                							}
                                                							L19:
                                                							if(_v4552 != 0xc8) {
                                                								__eflags = _v4552 - 0x193;
                                                								if(_v4552 == 0x193) {
                                                									goto L20;
                                                								}
                                                								__eflags = _v4552;
                                                								if(_v4552 == 0) {
                                                									goto L20;
                                                								}
                                                								goto L66;
                                                							}
                                                							goto L20;
                                                						}
                                                					}
                                                					E6C3C7C43( &_v4564, _v4556);
                                                					_t192 = E6C3C8673(_t258 + 0x20,  &_v4564,  &_v4560);
                                                					_t255 = _t192;
                                                					 *0x6c3e001c(_v4564);
                                                					if(_t192 >= 0) {
                                                						_t194 = _v4560;
                                                						__eflags = _t194;
                                                						if(_t194 == 0) {
                                                							_t195 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t195 - 0x6c3e0088;
                                                							if(_t195 != 0x6c3e0088) {
                                                								__eflags =  *(_t195 + 0x1c) & 0x00000001;
                                                								if(( *(_t195 + 0x1c) & 0x00000001) != 0) {
                                                									_t97 = _t195 + 0x14; // 0x0
                                                									_t98 = _t195 + 0x10; // 0x1
                                                									E6C3D774A( *_t98,  *_t97, 0x31, 0x6c3c7af4, _v4556);
                                                								}
                                                							}
                                                							goto L7;
                                                						}
                                                						_t253 = 0x80000110;
                                                						_v4552 =  *_t194;
                                                						_t215 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t215 - 0x6c3e0088;
                                                						if(_t215 != 0x6c3e0088) {
                                                							__eflags =  *(_t215 + 0x1c) & 0x00000004;
                                                							if(( *(_t215 + 0x1c) & 0x00000004) != 0) {
                                                								_t91 = _t215 + 0x14; // 0x0
                                                								_t92 = _t215 + 0x10; // 0x1
                                                								E6C3D77B8( *_t92,  *_t91, 0x30, 0x6c3c7af4, _v4556, _v4552);
                                                							}
                                                						}
                                                						goto L16;
                                                					}
                                                					L7:
                                                					E6C3C816D(0x6c3c7af4, _t248, _t255,  *((intOrPtr*)(_t258 + 0xc)),  &_v148);
                                                					_t198 =  *((intOrPtr*)(_t258 + 0xc));
                                                					_t272 =  *(_t198 + 0x6c) & 0x00000001;
                                                					if(( *(_t198 + 0x6c) & 0x00000001) == 0) {
                                                						L9:
                                                						if( *((intOrPtr*)(_t258 + 0x64)) != 0) {
                                                							_push(_v4556);
                                                							 *( *((intOrPtr*)(_t258 + 0xc)) + 8) =  *( *((intOrPtr*)(_t258 + 0xc)) + 8) | 0x00000080;
                                                							_t256 = E6C3C18E5( &_v4548, 0x898, L"%s?Partner=%s",  *((intOrPtr*)(_t258 + 0x64)));
                                                							__eflags = _t256;
                                                							if(_t256 >= 0) {
                                                								goto L10;
                                                							}
                                                							_t203 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t203 - 0x6c3e0088;
                                                							if(_t203 == 0x6c3e0088) {
                                                								L15:
                                                								if(_t253 == 0x80072efe) {
                                                									_t205 = E6C3D89C4(0x6c3c7af4, _t248,  &_v148,  *((intOrPtr*)(_t258 + 0x10)));
                                                									__eflags = _t205;
                                                									if(_t205 == 0) {
                                                										goto L16;
                                                									}
                                                									_v4552 = 0xc8;
                                                									goto L61;
                                                								}
                                                								goto L16;
                                                							}
                                                							__eflags =  *(_t203 + 0x1c) & 0x00000001;
                                                							if(( *(_t203 + 0x1c) & 0x00000001) == 0) {
                                                								goto L15;
                                                							}
                                                							_push(_t256);
                                                							_push(0x6c3c7af4);
                                                							_push(0x33);
                                                							L47:
                                                							_t102 = _t203 + 0x14; // 0x0
                                                							_push( *_t102);
                                                							_t103 = _t203 + 0x10; // 0x1
                                                							_push( *_t103);
                                                							E6C3D99F8();
                                                							goto L15;
                                                						}
                                                						L10:
                                                						_t253 = E6C3C6521( &_v4592,  *((intOrPtr*)(_t258 + 0xc)),  *((intOrPtr*)(_t258 + 0x10)));
                                                						if(_t253 < 0) {
                                                							_t203 =  *0x6c3e0088; // 0x6c3e0088
                                                							__eflags = _t203 - 0x6c3e0088;
                                                							if(_t203 == 0x6c3e0088) {
                                                								goto L15;
                                                							}
                                                							__eflags =  *(_t203 + 0x1c) & 0x00000001;
                                                							if(( *(_t203 + 0x1c) & 0x00000001) == 0) {
                                                								goto L15;
                                                							}
                                                							_push(_t253);
                                                							_push(0x6c3c7af4);
                                                							_push(0x34);
                                                							goto L47;
                                                						} else {
                                                							_t207 =  &_v4548;
                                                							if( *((intOrPtr*)(_t258 + 0x64)) == 0) {
                                                								_t207 = _v4556;
                                                							}
                                                							_t248 =  &_v4592;
                                                							_t253 = E6C3CBE6B( *((intOrPtr*)(_t258 + 0x60)),  &_v4592, _t207, 0, 0,  &_v4592, 0);
                                                							if(_t253 < 0) {
                                                								__eflags = _t253 - 0x80072efe;
                                                								if(_t253 != 0x80072efe) {
                                                									_t210 =  *0x6c3e0088; // 0x6c3e0088
                                                									__eflags = _t210 - 0x6c3e0088;
                                                									if(_t210 != 0x6c3e0088) {
                                                										__eflags =  *(_t210 + 0x1c) & 0x00000001;
                                                										if(( *(_t210 + 0x1c) & 0x00000001) != 0) {
                                                											_t119 = _t210 + 0x14; // 0x0
                                                											_t120 = _t210 + 0x10; // 0x1
                                                											E6C3D99F8( *_t120,  *_t119, 0x35, 0x6c3c7af4, _t253);
                                                										}
                                                									}
                                                								}
                                                							}
                                                							_v4552 = E6C3CE004( *((intOrPtr*)(_t258 + 0x60)));
                                                							goto L15;
                                                						}
                                                					}
                                                					_t253 = E6C3C6125(0x6c3c7af4, _t258, _t248, _t255, _t258, _t272);
                                                					if(_t253 < 0) {
                                                						_t203 =  *0x6c3e0088; // 0x6c3e0088
                                                						__eflags = _t203 - 0x6c3e0088;
                                                						if(_t203 == 0x6c3e0088) {
                                                							goto L15;
                                                						}
                                                						__eflags =  *(_t203 + 0x1c) & 0x00000001;
                                                						if(( *(_t203 + 0x1c) & 0x00000001) == 0) {
                                                							goto L15;
                                                						}
                                                						_push(_t253);
                                                						_push(0x6c3c7af4);
                                                						_push(0x32);
                                                						goto L47;
                                                					}
                                                					goto L9;
                                                				}
                                                 			}

                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: memset
                                                • String ID: %s?Partner=%s$Fm*
                                                • API String ID: 2221118986-1299535850
                                                • Opcode ID: 0c106a97fb091078909c2025126486571a218635f3087656ee395e64264e1c4d
                                                • Instruction ID: 67796eb9e02e9ea4a6c4f1698d9fcd6a0ad4674375e2505de228dae8ecaaede6
                                                • Opcode Fuzzy Hash: 0c106a97fb091078909c2025126486571a218635f3087656ee395e64264e1c4d
                                                • Instruction Fuzzy Hash: C8E1D1326402949FDB65CE60CC80FED7BB9BB05748F1100D9E65896AA0CB36EE84DF52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
                                                			E6C3C787B(void* __ecx, signed int __edx, void* __eflags, unsigned int _a4) {
                                                				signed int _v8;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				unsigned int _t41;
                                                				int _t46;
                                                				int _t55;
                                                				signed int _t59;
                                                				unsigned int _t72;
                                                				unsigned int _t77;
                                                				signed int _t80;
                                                				signed int _t82;
                                                				int _t87;
                                                				signed int _t88;
                                                				void* _t89;
                                                				int _t91;
                                                				unsigned int _t94;
                                                				void* _t101;
                                                
                                                				_t101 = __eflags;
                                                				_t82 = __edx;
                                                				_t70 = __ecx;
                                                				_push(__ecx);
                                                				_t94 = _a4;
                                                				_push(_t89);
                                                				 *((char*)(_t94 + 0x981)) = 0;
                                                				E6C3C9A50(0, _t89, _t94, 0,  *(_t94 + 0x24),  *((intOrPtr*)(_t94 + 0x28)),  &_a4,  &_v8);
                                                				E6C3C78E4(_t70, _t82, _v8, _t94, _t101, _a4);
                                                				_t41 =  *(_t94 + 0x24);
                                                				if(_a4 != _t41) {
                                                					_t72 = _a4 >> 3;
                                                					_t15 = (_t41 >> 3) - _t72 + 1; // 0x1
                                                					_t91 = _t15;
                                                					asm("cdq");
                                                					_t46 = 0x2000 - ((_t82 & 0x00000007) + _a4 >> 3);
                                                					__eflags = _t91 - 0x2000;
                                                					if(_t91 >= 0x2000) {
                                                						_t91 = _t46;
                                                					}
                                                					memmove( *(_t94 + 0x34),  *(_t94 + 0x34) + _t72, _t91);
                                                					memset(( *(_t94 + 0x24) - _a4 >> 3) +  *(_t94 + 0x34) + 1, 0, 0x1fff - ( *(_t94 + 0x24) - _a4 >> 3));
                                                					_t77 = _a4;
                                                					_t55 =  *(_t94 + 0x24) - _t77;
                                                					_t87 = 0x10000 - _t77;
                                                					__eflags = _t55 - 0x10000;
                                                					if(_t55 < 0x10000) {
                                                						_t87 = _t55;
                                                					}
                                                					memmove( *(_t94 + 0x30), _t77 +  *(_t94 + 0x30), _t87);
                                                					_t88 = _v8;
                                                					_t59 =  *((intOrPtr*)(_t94 + 0x28)) - _t88;
                                                					_t80 = 0x8000 - _t88;
                                                					__eflags = _t59 - 0x8000;
                                                					if(_t59 >= 0x8000) {
                                                						_t59 = _t80;
                                                					}
                                                					memmove( *(_t94 + 0x2c),  *(_t94 + 0x2c) + _t88 * 4, _t59 << 2);
                                                					 *(_t94 + 0x24) =  *(_t94 + 0x24) - _a4;
                                                					 *((intOrPtr*)(_t94 + 0x28)) =  *((intOrPtr*)(_t94 + 0x28)) - _v8;
                                                					L2:
                                                					return E6C3C7599(_t94);
                                                				}
                                                				memset( *(_t94 + 0x34), 0, 0x2000);
                                                				 *(_t94 + 0x24) = 0;
                                                				 *((intOrPtr*)(_t94 + 0x28)) = 0;
                                                				goto L2;
                                                			}

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: memmove$memset
                                                • String ID:
                                                • API String ID: 3790616698-0
                                                • Opcode ID: 077d26f26fda551de48103a5ceb68b6a756d6473fb55a76aeae2e47fc2184c85
                                                • Instruction ID: 5082e1796babcfe536a4c1bef00f993a88d3133257b912f1d48104d6beca5af2
                                                • Opcode Fuzzy Hash: 077d26f26fda551de48103a5ceb68b6a756d6473fb55a76aeae2e47fc2184c85
                                                • Instruction Fuzzy Hash: EE3132B2700604AFD714DE69C9849AF77E9EB48254705462DF94AC7B00D630FE45CF52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SysAllocString.OLEAUT32(00000010), ref: 6C7C0A96
                                                • SysFreeString.OLEAUT32(?), ref: 6C7C0ABE
                                                • SysAllocString.OLEAUT32(?), ref: 6C7C0B43
                                                • SysFreeString.OLEAUT32(?), ref: 6C7C0B70
                                                  • Part of subcall function 6C7B657A: _free.LIBCMT ref: 6C7B65A2
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: String$AllocFree$_free
                                                • String ID:
                                                • API String ID: 2188470744-0
                                                • Opcode ID: c9a2bdb7716de054c7a404d720a1892c01980d2a942d864f5cd1e52f382fc8a2
                                                • Instruction ID: 6dce92328ce987257ceb075e135eda0f6d4e68ffe05932f8007debeb719872b2
                                                • Opcode Fuzzy Hash: c9a2bdb7716de054c7a404d720a1892c01980d2a942d864f5cd1e52f382fc8a2
                                                • Instruction Fuzzy Hash: F791A2B46087868FCB11DF28CA88A9EBBF0FF95708F144A6DE49497651C730D909CB93
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E6C3C83E5(long _a4) {
                                                				struct _OVERLAPPED* _v8;
                                                				void* _v12;
                                                				void* __esi;
                                                				void* __ebp;
                                                				void* _t42;
                                                				void* _t43;
                                                				long _t45;
                                                				intOrPtr _t46;
                                                				void* _t49;
                                                				intOrPtr _t50;
                                                				intOrPtr _t53;
                                                				void* _t61;
                                                				void* _t69;
                                                
                                                				_push(_t61);
                                                				_push(_t61);
                                                				_t69 = _t61;
                                                				_v8 = 0;
                                                				_t42 = CreateFileW(_a4, 0x80010000, 1, 0, 3, 0x80, 0);
                                                				_v12 = _t42;
                                                				if(_t42 == 0xffffffff) {
                                                					L9:
                                                					_t43 =  *(_t69 + 0xc);
                                                					if(_t43 != 0) {
                                                						_push(_t43);
                                                						E6C3C4994();
                                                						 *(_t69 + 0xc) = 0;
                                                						 *(_t69 + 0x10) = 0;
                                                					}
                                                					L8:
                                                					return _v8;
                                                				}
                                                				_t45 = GetFileSize(_t42, 0);
                                                				 *(_t69 + 0x10) = _t45;
                                                				if(_t45 < 0x78) {
                                                					_t46 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t46 != 0x6c3e0088 && ( *(_t46 + 0x1c) & 1) != 0) {
                                                						_t38 = _t46 + 0x14; // 0x0
                                                						_t39 = _t46 + 0x10; // 0x1
                                                						E6C3D774A( *_t39,  *_t38, 0x20, 0x6c3c7af4, _a4);
                                                					}
                                                					L7:
                                                					CloseHandle(_v12);
                                                					if(_v8 == 0) {
                                                						goto L9;
                                                					}
                                                					goto L8;
                                                				}
                                                				_t49 = E6C3C1967(_t69, _t45);
                                                				 *(_t69 + 0xc) = _t49;
                                                				if(_t49 == 0) {
                                                					_t50 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t50 != 0x6c3e0088 && ( *(_t50 + 0x1c) & 1) != 0) {
                                                						_t32 = _t50 + 0x14; // 0x0
                                                						_t33 = _t50 + 0x10; // 0x1
                                                						E6C3D99F8( *_t33,  *_t32, 0x1f, 0x6c3c7af4,  *(_t69 + 0x10));
                                                					}
                                                					goto L7;
                                                				}
                                                				if(ReadFile(_v12, _t49,  *(_t69 + 0x10),  &_a4, 0) == 0) {
                                                					_t53 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t53 != 0x6c3e0088 && ( *(_t53 + 0x1c) & 1) != 0) {
                                                						_push(0x6c3c7af4);
                                                						_push(0x1c);
                                                						L20:
                                                						_t26 = _t53 + 0x14; // 0x0
                                                						_push( *_t26);
                                                						_t27 = _t53 + 0x10; // 0x1
                                                						_push( *_t27);
                                                						E6C3D5F11();
                                                					}
                                                					goto L7;
                                                				}
                                                				_t55 =  *(_t69 + 0x10);
                                                				if(_a4 !=  *(_t69 + 0x10)) {
                                                					_t53 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t53 == 0x6c3e0088 || ( *(_t53 + 0x1c) & 1) == 0) {
                                                						goto L7;
                                                					} else {
                                                						_push(0x6c3c7af4);
                                                						_push(0x1d);
                                                						goto L20;
                                                					}
                                                				}
                                                				if(E6C3C84A3( *(_t69 + 0xc), _t55) == 0) {
                                                					_t53 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t53 == 0x6c3e0088 || ( *(_t53 + 0x1c) & 1) == 0) {
                                                						goto L7;
                                                					} else {
                                                						_push(0x6c3c7af4);
                                                						_push(0x1e);
                                                						goto L20;
                                                					}
                                                				} else {
                                                					_v8 = 1;
                                                					goto L7;
                                                				}
                                                			}

                                                APIs
                                                • CreateFileW.KERNEL32(6C3C833E,80010000,00000001,00000000,00000003,00000080,00000000,Function_00007AF4,?,00000000,?,?,?,6C3C833E,?), ref: 6C3C840B
                                                • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,?,?,6C3C833E,?), ref: 6C3C841B
                                                • CloseHandle.KERNEL32(6C3C833E,?,00000000,?,?,?,6C3C833E,?), ref: 6C3C847C
                                                  • Part of subcall function 6C3C1967: malloc.MSVCRT(?,6C3E0554), ref: 6C3C1979
                                                • ReadFile.KERNEL32(6C3C833E,00000000,?,6C3C833E,00000000,?,00000000,?,?,?,6C3C833E,?), ref: 6C3C844B
                                                  • Part of subcall function 6C3C84A3: GetSystemTime.KERNEL32(00000000,00000000,?,?,?,6C3C833E,?), ref: 6C3C84AF
                                                  • Part of subcall function 6C3C84A3: SystemTimeToFileTime.KERNEL32(6C3C833E,6C3C833E,?,?,?,6C3C833E,?), ref: 6C3C84BD
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: File$Time$System$CloseCreateHandleReadSizemalloc
                                                • String ID:
                                                • API String ID: 1717276877-0
                                                • Opcode ID: 4e8f80035d23f8a272aa0aa7ccf4e16445ddc57c93761b67fb2f3e636d338425
                                                • Instruction ID: cf8700498b3aa457a828217cb70309f17edd63bd805e467697e395d7a819ce54
                                                • Opcode Fuzzy Hash: 4e8f80035d23f8a272aa0aa7ccf4e16445ddc57c93761b67fb2f3e636d338425
                                                • Instruction Fuzzy Hash: 8E41A175241284BFCB108E208C80E9E7F79BB06358B20455AF5A1DAD60D73AEE44EF63
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6C7D3AE3
                                                • __isleadbyte_l.LIBCMT ref: 6C7D3B16
                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,6C7CB385,?,00000000,00000000,?,?,?,?,6C7CB385,00000000), ref: 6C7D3B47
                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,6C7CB385,00000001,00000000,00000000,?,?,?,?,6C7CB385,00000000), ref: 6C7D3BB5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                • String ID:
                                                • API String ID: 3058430110-0
                                                • Opcode ID: 7b1984b2556c020d5cc5d035e83eb4ddc068fa64a7319fdca88b45800bef7ccf
                                                • Instruction ID: 9932f86d2080df88b814fa7840a7aec581ee3df8490f1d0db94cda93b6728f45
                                                • Opcode Fuzzy Hash: 7b1984b2556c020d5cc5d035e83eb4ddc068fa64a7319fdca88b45800bef7ccf
                                                • Instruction Fuzzy Hash: 0C31FE31B01386EFDB10CFA8CA84AAA3BB5FF41315F1A85B9F0609B591E731E940CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 66%
                                                			E6C3CBE6B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                				signed int _v8;
                                                				char _v528;
                                                				char _v1568;
                                                				intOrPtr _v1572;
                                                				intOrPtr _v1576;
                                                				intOrPtr _v1580;
                                                				intOrPtr _v1592;
                                                				char* _v1596;
                                                				intOrPtr _v1616;
                                                				intOrPtr _v1620;
                                                				char* _v1624;
                                                				intOrPtr _v1628;
                                                				void _v1636;
                                                				char _v1640;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t42;
                                                				intOrPtr _t48;
                                                				intOrPtr _t58;
                                                				intOrPtr _t65;
                                                				intOrPtr _t70;
                                                				intOrPtr _t72;
                                                				intOrPtr _t73;
                                                				signed int _t74;
                                                
                                                				_t70 = __edx;
                                                				_t42 =  *0x6c3e01a0; // 0xeb2a6d46
                                                				_v8 = _t42 ^ _t74;
                                                				_t65 = _a8;
                                                				_t72 = _a4;
                                                				_v1580 = _a12;
                                                				_v1576 = _a16;
                                                				_v1572 = __ecx;
                                                				_v1640 = 0;
                                                				memset( &_v1636, 0, 0x38);
                                                				if(_t72 == 0) {
                                                					_t73 = 0x80070057;
                                                					_t48 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t48 != 0x6c3e0088 && ( *(_t48 + 0x1c) & 0x00000001) != 0) {
                                                						_t35 = _t48 + 0x14; // 0x0
                                                						_t36 = _t48 + 0x10; // 0x1
                                                						E6C3D5F11( *_t36,  *_t35, 0x65, 0x6c3ccad8);
                                                					}
                                                				} else {
                                                					_v1624 =  &_v528;
                                                					_v1596 =  &_v1568;
                                                					_push( &_v1640);
                                                					_push(0x80000000);
                                                					_push(0);
                                                					_push(_t72);
                                                					_v1568 = 0;
                                                					_v528 = 0;
                                                					_v1640 = 0x3c;
                                                					_v1620 = 0x104;
                                                					_v1592 = 0x208;
                                                					if( *0x6c3e003c() == 0) {
                                                						_t73 = E6C3D9546(GetLastError());
                                                						_t58 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t58 != 0x6c3e0088 && ( *(_t58 + 0x1c) & 0x00000001) != 0) {
                                                							_t40 = _t58 + 0x14; // 0x0
                                                							_t41 = _t58 + 0x10; // 0x1
                                                							E6C3D99F8( *_t41,  *_t40, 0x66, 0x6c3ccad8, _t73);
                                                						}
                                                					} else {
                                                						_t73 = E6C3CBF7A(_v1572, _t70,  &_v528,  &_v1568, 0 | _v1628 == 0x00000002, _v1576, _t65, _v1580, _a20, _v1616, 0);
                                                					}
                                                				}
                                                				return E6C3C171F(_t73, _t65, _v8 ^ _t74, _t70, 0, _t73);
                                                			}

                                                APIs
                                                • memset.MSVCRT ref: 6C3CBEB3
                                                • GetLastError.KERNEL32(?,Function_00007AF4), ref: 6C3D3AF4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorLastmemset
                                                • String ID: <$Fm*
                                                • API String ID: 3276359510-2410511320
                                                • Opcode ID: 2e6e122bacf55b02287b565734cfc2a73b6da01e7e7728865623d3dabb960404
                                                • Instruction ID: 7d0e6a89f07cf298e93583a2fd1f6f24fd3849aa45c5036475850e26533cfc5d
                                                • Opcode Fuzzy Hash: 2e6e122bacf55b02287b565734cfc2a73b6da01e7e7728865623d3dabb960404
                                                • Instruction Fuzzy Hash: 2D416071A012589BDB61CF54CC44FCEBBBAAF88344F1141DAE508A7650DB32DEA4DF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 6C7A2C11
                                                • GetSidLengthRequired.ADVAPI32(?,00000050,6C7A2F2A,6C760B54,00000002,00000020,00000222,00000000,?,?,6C7A48E0), ref: 6C7A2C75
                                                • InitializeSid.ADVAPI32(0000000F,00000009,?,?,?,6C7A48E0), ref: 6C7A2C88
                                                • GetSidSubAuthority.ADVAPI32(0000000F,00000000,?,?,6C7A48E0), ref: 6C7A2CAF
                                                  • Part of subcall function 6C7C84F6: GetLastError.KERNEL32(6C7A2C97,?,?,6C7A48E0), ref: 6C7C84F6
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: AuthorityErrorH_prolog3_InitializeLastLengthRequired
                                                • String ID:
                                                • API String ID: 1730150861-0
                                                • Opcode ID: 6acccbc9fd7b3d275f7589b6e0f5643901a45aa23c6ccbfa5efefc3b09c8c33a
                                                • Instruction ID: 353929e26dda919001ab269fd9c4317a8ca1e57688396a557f5300d2e80c9f72
                                                • Opcode Fuzzy Hash: 6acccbc9fd7b3d275f7589b6e0f5643901a45aa23c6ccbfa5efefc3b09c8c33a
                                                • Instruction Fuzzy Hash: E621B270A0029AEFDB00CFE5C68C7DDBBB8BF04309F104428D509ABB40CB34AA0D9B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7C3FB2
                                                • CoInitialize.OLE32(00000000), ref: 6C7C3FD4
                                                • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C7C3FF0
                                                • InitializeCriticalSection.KERNEL32(?), ref: 6C7C405A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Initialize$CreateCriticalEventH_prolog3Section
                                                • String ID:
                                                • API String ID: 1191084466-0
                                                • Opcode ID: 26bd560a47075ce091b39db5aebbe95fca2c8fed4d5eb6af116a3b17d0b3accc
                                                • Instruction ID: 09b9dff2231e28aafbe1955c3faf8231632561e284b8425ab1e8157bdd16c2af
                                                • Opcode Fuzzy Hash: 26bd560a47075ce091b39db5aebbe95fca2c8fed4d5eb6af116a3b17d0b3accc
                                                • Instruction Fuzzy Hash: FC211770940202DFCB11CF5AC688586FBF8FFA5304F1484BFA8498B626C7749544DF22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                • String ID:
                                                • API String ID: 3016257755-0
                                                • Opcode ID: 7885726e51710dfb409d83f47fda806ed7f39660f26e99df1c6e86efa9305941
                                                • Instruction ID: c7e3fe653abe588eb9b0fa78011a5dddc0122df7bc0ac4e05d7d036e948f1910
                                                • Opcode Fuzzy Hash: 7885726e51710dfb409d83f47fda806ed7f39660f26e99df1c6e86efa9305941
                                                • Instruction Fuzzy Hash: 01117E3604014AFBCF024F84CE459EE3F62BB59358F5A9456FA6858930C336E5B1ABC1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C776968
                                                • #205.MSI(?,00000000,?,00000010,?,?,SkipProduct,?,?,VersionMaxInclusive,?,00000000,?,?,?,VersionMaxInclusive), ref: 6C7769C3
                                                Strings
                                                • skipped after applying Relation criteria, xrefs: 6C776C29
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: #205H_prolog3
                                                • String ID: skipped after applying Relation criteria
                                                • API String ID: 2698596250-1982174377
                                                • Opcode ID: f48c7c8b2f836d170b259985123586f5b9438e680a0d2f4f1184a3e91e933fdf
                                                • Instruction ID: 7531bce947a3e1ddb9ef44634885661db5e37f27d2b4f01838d084cd25a9ab1e
                                                • Opcode Fuzzy Hash: f48c7c8b2f836d170b259985123586f5b9438e680a0d2f4f1184a3e91e933fdf
                                                • Instruction Fuzzy Hash: 57B16F31A0014ADFDF10CFA8CA88BDDB7B9AF05318F144665E520E7795DB74EA09CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C788E2F
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7C8EAB: _memcpy_s.LIBCMT ref: 6C7C8EFC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$_memcpy_s
                                                • String ID: EstimatedInstallTime$LogFileHint
                                                • API String ID: 1663610674-3554194153
                                                • Opcode ID: 5f421839bf57de1ae21354845eaaa178db5b100b37ccc911255c787f78a8829b
                                                • Instruction ID: 8a78c5445b375e46b95cae8b3c1463609a9ac4494d98ac92e44c9b8d175bf423
                                                • Opcode Fuzzy Hash: 5f421839bf57de1ae21354845eaaa178db5b100b37ccc911255c787f78a8829b
                                                • Instruction Fuzzy Hash: 0E9104B1501249EFDB10CFA8CA89BD97BA4FF09308F1485AAED589FB51C731DA05CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • schema validation failure: child element not found - , xrefs: 6C778E7D
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Exception@8H_prolog3Throw
                                                • String ID: schema validation failure: child element not found -
                                                • API String ID: 3670251406-3859288074
                                                • Opcode ID: adff87a78591e5e3278df4c84090a0b4c0fb96eb58fbc222f18d1caea9a121c8
                                                • Instruction ID: 01e93ca166f076430552a1bd49f4cf0fe500e60cb9d09677ca2cef178d0754bb
                                                • Opcode Fuzzy Hash: adff87a78591e5e3278df4c84090a0b4c0fb96eb58fbc222f18d1caea9a121c8
                                                • Instruction Fuzzy Hash: DD713D7190125DDFCF01CFA4CA48AEE7BB9BF49718F244556F421AB740C770AA45CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 6C7C847A: RegCloseKey.ADVAPI32(?,?,?,6C78463B,00000034,00000034,00000000), ref: 6C7C84BA
                                                • RegCloseKey.ADVAPI32(?,80000001,Software\Microsoft\VisualStudio\Setup,342C82DB,?,?,6C7FEE70,?,6C7DF89B,000000FF,?,6C7BF067,?), ref: 6C7A2BBD
                                                  • Part of subcall function 6C7C81D3: RegQueryValueExW.ADVAPI32(-00000960,DownloadServer,00000000,-00000960,00000000,?,?,?,6C7A2A88,?,80000001,Software\Microsoft\VisualStudio\Setup,342C82DB,?,?,6C7FEE70), ref: 6C7C81F8
                                                  • Part of subcall function 6C7C8AFC: _wcsnlen.LIBCMT ref: 6C7C8B0C
                                                  • Part of subcall function 6C7C7CCF: __EH_prolog3_GS.LIBCMT ref: 6C7C7CD9
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7C7A4F: __wcsicoll.LIBCMT ref: 6C7C7A77
                                                  • Part of subcall function 6C7C8516: swprintf.LIBCMT ref: 6C7C856D
                                                  • Part of subcall function 6C7C7BDC: _wcsnlen.LIBCMT ref: 6C7C7BEC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Close_wcsnlen$H_prolog3H_prolog3_QueryValue__wcsicollswprintf
                                                • String ID: Software\Microsoft\VisualStudio\Setup$http
                                                • API String ID: 2136381466-2495782829
                                                • Opcode ID: bd400c4d1118f3b49de9b3471d688ea08dc765cfc1b2fbdc1253066d8518b0fb
                                                • Instruction ID: d2fd30ba7390c5b99afbfa727d553ce3cdc919ca742067b56a76ac695bed523f
                                                • Opcode Fuzzy Hash: bd400c4d1118f3b49de9b3471d688ea08dc765cfc1b2fbdc1253066d8518b0fb
                                                • Instruction Fuzzy Hash: 1A416371A1012A9FDB20DF65CD4C9CEB7B5EF04318F4006A6E529A3750DF30AE898F51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B28CE
                                                  • Part of subcall function 6C7CC0AA: _malloc.LIBCMT ref: 6C7CC0C4
                                                  • Part of subcall function 6C7CC0AA: std::exception::exception.LIBCMT ref: 6C7CC0F9
                                                  • Part of subcall function 6C7CC0AA: std::exception::exception.LIBCMT ref: 6C7CC113
                                                  • Part of subcall function 6C7CC0AA: __CxxThrowException@8.LIBCMT ref: 6C7CC124
                                                Strings
                                                • Creating new Performer for Exe item, xrefs: 6C7B28DA
                                                • GetAction returned an invalid action type; creating DoNothingPerformer, xrefs: 6C7B2911
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: std::exception::exception$Exception@8H_prolog3Throw_malloc
                                                • String ID: Creating new Performer for Exe item$GetAction returned an invalid action type; creating DoNothingPerformer
                                                • API String ID: 2311266369-913560595
                                                • Opcode ID: d38b6474c98d8ac47823afd265d2c8344424bda67f59cea0df1b4b2baa2a375e
                                                • Instruction ID: 7a40f63db3aebce4bb4f36f3a99e93e240f81b0615a568ce1238f320e9d744aa
                                                • Opcode Fuzzy Hash: d38b6474c98d8ac47823afd265d2c8344424bda67f59cea0df1b4b2baa2a375e
                                                • Instruction Fuzzy Hash: FD419871546506FFDB04CFA5CA4DAA8BBB0BF18314F244129E919A7E50CB70E9A48FA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7749D3
                                                  • Part of subcall function 6C773A16: __EH_prolog3.LIBCMT ref: 6C773A1D
                                                  • Part of subcall function 6C773C8F: __EH_prolog3.LIBCMT ref: 6C773C96
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A8C24: __EH_prolog3.LIBCMT ref: 6C7A8C2B
                                                  • Part of subcall function 6C7A8C7A: __EH_prolog3.LIBCMT ref: 6C7A8C81
                                                  • Part of subcall function 6C7AFF21: _wcsnlen.LIBCMT ref: 6C7AFF54
                                                  • Part of subcall function 6C7AFF21: _memcpy_s.LIBCMT ref: 6C7AFF8A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$_memcpy_s_wcsnlen
                                                • String ID: switch requires a $The /
                                                • API String ID: 2603297733-1851487679
                                                • Opcode ID: 1c8433cdff5c30295392dccd58c47d5e2182c94dde5458736394605da29aa8ac
                                                • Instruction ID: 4423771e58e053147d1d06a8869cb984d006892f35f1f3fccbd2c6aa660a4120
                                                • Opcode Fuzzy Hash: 1c8433cdff5c30295392dccd58c47d5e2182c94dde5458736394605da29aa8ac
                                                • Instruction Fuzzy Hash: F9415E72500049AFCF11DBE8CA4CEEDB7B9AF09318F184659F124E7791DB30DA199B26
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C79AAEA
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A8F9E: PathStripPathW.SHLWAPI(00000000,?,?,6C7BF516), ref: 6C7A8FAE
                                                  • Part of subcall function 6C7A8F73: PathRemoveFileSpecW.SHLWAPI(00000000,2806C750,00000010,80004005,6C775DB8,6C7AF845,00000010,?,6C7A831D,00000000), ref: 6C7A8F84
                                                • PathRelativePathToW.SHLWAPI(00000010,?,00000010,?,00000080,?,00000014,6C79A118,?,?), ref: 6C79AB8B
                                                Strings
                                                • Exe Log File: <a href="%s">%s</a>, xrefs: 6C79ABE7
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: Path$H_prolog3$FileRelativeRemoveSpecStrip
                                                • String ID: Exe Log File: <a href="%s">%s</a>
                                                • API String ID: 2749740144-4230338525
                                                • Opcode ID: bf20dcf963ddefc5c12ebbeb3c5afaf8697195e5621bb284002ee760a90565f2
                                                • Instruction ID: 86fc999f5b6baf83c8f7970fe2ee838834ff7c7ec208b16e9a6854e032175ef2
                                                • Opcode Fuzzy Hash: bf20dcf963ddefc5c12ebbeb3c5afaf8697195e5621bb284002ee760a90565f2
                                                • Instruction Fuzzy Hash: BF413C71A0021ADFCF00DFA4CA48BEDBBB5FF48318F104656E520AB790D7749A09CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 85%
                                                			E6C3DB21B(wchar_t* _a4, intOrPtr* _a8) {
                                                				intOrPtr* _t16;
                                                				void* _t18;
                                                				wchar_t* _t19;
                                                				wchar_t* _t20;
                                                				wchar_t* _t23;
                                                				wchar_t* _t25;
                                                				intOrPtr* _t30;
                                                				wchar_t* _t35;
                                                				long _t38;
                                                				wchar_t* _t41;
                                                				long* _t42;
                                                				void* _t43;
                                                				void* _t44;
                                                				intOrPtr* _t45;
                                                				intOrPtr* _t46;
                                                				wchar_t* _t47;
                                                				wchar_t* _t49;
                                                
                                                				_t46 = _a4;
                                                				if(_t46 == 0 ||  *_t46 == 0) {
                                                					L27:
                                                					return 0x80070057;
                                                				} else {
                                                					_t16 = _a8;
                                                					if(_t16 == 0) {
                                                						goto L27;
                                                					}
                                                					 *_t16 = 0;
                                                					_t18 = E6C3DAF90(_t46,  &_a4);
                                                					_push(0x5c);
                                                					if(_t18 == 0) {
                                                						_pop(_t44);
                                                						__eflags =  *_t46 - _t44;
                                                						if(__eflags != 0) {
                                                							L17:
                                                							_t19 = E6C3DACD3(__eflags, _t46);
                                                							__eflags = _t19;
                                                							if(_t19 == 0) {
                                                								_t20 = E6C3DAB86(_t46, L"\\\\?\\", 4);
                                                								__eflags = _t20;
                                                								if(_t20 != 0) {
                                                									_t46 = _t46 + 8;
                                                									__eflags = _t46;
                                                								}
                                                								__eflags =  *_t46;
                                                								if( *_t46 == 0) {
                                                									goto L27;
                                                								} else {
                                                									__eflags =  *((short*)(_t46 + 2)) - 0x3a;
                                                									if( *((short*)(_t46 + 2)) != 0x3a) {
                                                										goto L27;
                                                									}
                                                									_t47 = _t46 + 4;
                                                									__eflags = _t47;
                                                									L24:
                                                									__eflags =  *_t47 - _t44;
                                                									if( *_t47 != _t44) {
                                                										L26:
                                                										 *_a8 = _t47;
                                                										return 0;
                                                									}
                                                									L25:
                                                									_t47 = _t47 + 2;
                                                									__eflags = _t47;
                                                									goto L26;
                                                								}
                                                							}
                                                							_t47 = _t46 + 0x60;
                                                							goto L24;
                                                						}
                                                						_t23 = _t46 + 2;
                                                						__eflags =  *_t23 - _t44;
                                                						if(__eflags == 0) {
                                                							goto L17;
                                                						}
                                                						_t47 = _t23;
                                                						goto L26;
                                                					}
                                                					_t49 = _a4;
                                                					_t45 = wcschr(_t49, ??);
                                                					if(_t45 == 0) {
                                                						_t25 = _t49;
                                                						_t42 =  &(_t25[0]);
                                                						do {
                                                							_t38 =  *_t25;
                                                							_t25 =  &(_t25[0]);
                                                							__eflags = _t38;
                                                						} while (_t38 != 0);
                                                						_t47 = _t49 + (_t25 - _t42 >> 1) * 2;
                                                						goto L26;
                                                					}
                                                					_t5 = _t45 + 2; // 0x2
                                                					_t35 = _t5;
                                                					_t47 = wcschr(_t35, 0x5c);
                                                					if(_t47 == 0) {
                                                						_t30 = _t45;
                                                						_t6 = _t30 + 2; // 0x2
                                                						_t43 = _t6;
                                                						do {
                                                							_t41 =  *_t30;
                                                							_t30 = _t30 + 2;
                                                							__eflags = _t41;
                                                						} while (_t41 != 0);
                                                						_t47 = _t45 + (_t30 - _t43 >> 1) * 2;
                                                						goto L26;
                                                					}
                                                					if(_t47 != _t35) {
                                                						goto L25;
                                                					}
                                                					goto L26;
                                                				}
                                                			}





















                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: wcschr
                                                • String ID: \\?\
                                                • API String ID: 1497570035-4282027825
                                                • Opcode ID: 85f81e51685dbac8102d8c1ed2987725b9358981b2d6fc78e28c7673807090ee
                                                • Instruction ID: 710ff9ba50d33eac0ccdc70ef2e9a672e55ac14792d1a68ff6d21b97322ff955
                                                • Opcode Fuzzy Hash: 85f81e51685dbac8102d8c1ed2987725b9358981b2d6fc78e28c7673807090ee
                                                • Instruction Fuzzy Hash: AD3121335406129AA7119E1ACC4099F33B8EF057AC7174625EAD79FA40EB62FE418FE0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E6C3C30E7(intOrPtr* __ecx, signed int* _a4, intOrPtr _a8) {
                                                				signed int _v8;
                                                				void* __ebp;
                                                				signed int _t32;
                                                				intOrPtr* _t38;
                                                				signed int* _t39;
                                                				signed int _t42;
                                                				signed int _t45;
                                                				void* _t64;
                                                				intOrPtr* _t65;
                                                				intOrPtr* _t67;
                                                
                                                				_push(__ecx);
                                                				_t67 = __ecx;
                                                				if(_a8 == 0) {
                                                					_v8 = 0x80070057;
                                                				} else {
                                                					_t32 = E6C3C31BA(__ecx,  *(__ecx + 4));
                                                					_v8 = _t32;
                                                					if(_t32 >= 0) {
                                                						_t45 =  *_a4 %  *(__ecx + 4);
                                                						_t64 = E6C3C304A(__ecx, _a4, _t45);
                                                						if(_t64 != 0) {
                                                							_t49 =  *((intOrPtr*)(_t64 + 0xc));
                                                							if( *((intOrPtr*)(_t64 + 0xc)) != 0) {
                                                								E6C3CABAB(_t49, 1);
                                                							}
                                                							 *((intOrPtr*)(_t64 + 0xc)) = _a8;
                                                						} else {
                                                							_v8 = 0x8007000e;
                                                							_t38 = E6C3C17EB(0x10);
                                                							if(_t38 == 0) {
                                                								_t65 = 0;
                                                							} else {
                                                								 *_t38 = 0;
                                                								 *((intOrPtr*)(_t38 + 4)) = 0;
                                                								 *((intOrPtr*)(_t38 + 8)) = 0;
                                                								 *((intOrPtr*)(_t38 + 0xc)) = 0;
                                                								_t65 = _t38;
                                                							}
                                                							if(_t65 != 0) {
                                                								 *(_t65 + 4) = _t45;
                                                								_t39 = E6C3C17EB(4);
                                                								if(_t39 == 0) {
                                                									_t39 = 0;
                                                								} else {
                                                									 *_t39 =  *_a4;
                                                								}
                                                								 *(_t65 + 8) = _t39;
                                                								 *((intOrPtr*)(_t65 + 0xc)) = _a8;
                                                								if(_t39 == 0) {
                                                									E6C3CAB5D(_t65, 1);
                                                								} else {
                                                									 *((intOrPtr*)(_t67 + 8)) =  *((intOrPtr*)(_t67 + 8)) + 1;
                                                									_t42 = _t45 << 2;
                                                									_v8 = _v8 & 0x00000000;
                                                									 *_t65 =  *((intOrPtr*)(_t42 +  *_t67));
                                                									 *((intOrPtr*)(_t42 +  *_t67)) = _t65;
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                				return _v8;
                                                			}














                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ctype$malloc
                                                • String ID: W
                                                • API String ID: 624949309-655174618
                                                • Opcode ID: 7f0c1b1a179a3b09a6a19488affd130c8792208395edcda6b02c07f58ac75aa6
                                                • Instruction ID: 51627c4c26801f74828987108141ecb71cdb0741c8ed47c6f8101d7f0f286299
                                                • Opcode Fuzzy Hash: 7f0c1b1a179a3b09a6a19488affd130c8792208395edcda6b02c07f58ac75aa6
                                                • Instruction Fuzzy Hash: D8317CB5301205EFD748EF59D840AADB7A6EF89328B21C02DD45A8BB50CB75DD00CF96
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C796E4D
                                                  • Part of subcall function 6C7950B2: __EH_prolog3.LIBCMT ref: 6C7950B9
                                                  • Part of subcall function 6C7950B2: GetLastError.KERNEL32(00000000,LoadLibrary,00000000,0000000C,6C796E7F,00000000,?), ref: 6C795110
                                                  • Part of subcall function 6C7950B2: __CxxThrowException@8.LIBCMT ref: 6C79512D
                                                • GetCommandLineW.KERNEL32(00000000,?), ref: 6C796E8F
                                                  • Part of subcall function 6C773E77: __EH_prolog3.LIBCMT ref: 6C773E7E
                                                  • Part of subcall function 6C773A16: __EH_prolog3.LIBCMT ref: 6C773A1D
                                                  • Part of subcall function 6C79516F: FreeLibrary.KERNEL32(00000000,?,6C7950F8,00000000,0000000C,6C796E7F,00000000,?), ref: 6C79517C
                                                  • Part of subcall function 6C79516F: LoadLibraryW.KERNEL32(?,?,?,6C7950F8,00000000,0000000C,6C796E7F,00000000,?), ref: 6C795194
                                                  • Part of subcall function 6C7CC0AA: _malloc.LIBCMT ref: 6C7CC0C4
                                                  • Part of subcall function 6C7BABA1: __EH_prolog3.LIBCMT ref: 6C7BABA8
                                                  • Part of subcall function 6C7BABA1: GetProcAddress.KERNEL32(00000004,CreateClassFactory), ref: 6C7BABB8
                                                  • Part of subcall function 6C7BABA1: GetLastError.KERNEL32 ref: 6C7BABC6
                                                  • Part of subcall function 6C7BABA1: __CxxThrowException@8.LIBCMT ref: 6C7BAC7D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$ErrorException@8LastLibraryThrow$AddressCommandFreeLineLoadProc_malloc
                                                • String ID: passive
                                                • API String ID: 304155978-1995439567
                                                • Opcode ID: 769240e94e812c9d180327974dc003995e5ad75b84f7cfb1011033ae3a89c8b0
                                                • Instruction ID: 4592460b75d8fcd7bc1026dc4e3ec822e32bef66418b6e36256bb8ba6bba6d38
                                                • Opcode Fuzzy Hash: 769240e94e812c9d180327974dc003995e5ad75b84f7cfb1011033ae3a89c8b0
                                                • Instruction Fuzzy Hash: 9131C17191121A9FDF10DFA4DA0C7DDBBB6BF04318F044A69D866A7F80CB7096088BE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C781EC6
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7819AD: __EH_prolog3.LIBCMT ref: 6C7819B4
                                                  • Part of subcall function 6C7819AD: __CxxThrowException@8.LIBCMT ref: 6C781ADE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$Exception@8Throw
                                                • String ID: BlockIf$DisplayText
                                                • API String ID: 2489616738-2498774408
                                                • Opcode ID: 3d1d48fdce0b77552b34309e5f556d1ca80c6623ac34e33451f7f77f759fa5db
                                                • Instruction ID: 6091c9e4f3de8f0b6c42d994801576d3ba34ff7eae68d51f06a0ecfd77d42e60
                                                • Opcode Fuzzy Hash: 3d1d48fdce0b77552b34309e5f556d1ca80c6623ac34e33451f7f77f759fa5db
                                                • Instruction Fuzzy Hash: ED310F7191124AAFCB00DFA8CA49ADE77B9BF45358F144559F924AB740C730EA09CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: MessageTrace
                                                • String ID: <NULL>$NULL
                                                • API String ID: 471583391-888386124
                                                • Opcode ID: cc67db07396c069d1f52fb74be6cc53b200e87e867b1ff177151b36a4b5c1682
                                                • Instruction ID: 261b0ff4efeff226bb457209749778fee7532ae2c68219af562b1e640d5593ca
                                                • Opcode Fuzzy Hash: cc67db07396c069d1f52fb74be6cc53b200e87e867b1ff177151b36a4b5c1682
                                                • Instruction Fuzzy Hash: 8A21F133604306DADB014F09CC60BA73779EB86718F068114EA559B990DF71FA918F90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C77BA53
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: FilesInUseSetting$Prompt
                                                • API String ID: 431132790-2040230194
                                                • Opcode ID: 1568137390b628ac9e08d87b511d3c30448b0bc746550720e65073761bc10a11
                                                • Instruction ID: 7d7c49636bb9f58d998fe936a5cb535e988cd828644b96dee15c9e7ca8954459
                                                • Opcode Fuzzy Hash: 1568137390b628ac9e08d87b511d3c30448b0bc746550720e65073761bc10a11
                                                • Instruction Fuzzy Hash: CC31417160024AAFDF14DFA8CA49BEE7BA9BF05318F144159F424EB781C731EA05C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: MessageTrace
                                                • String ID: <NULL>$NULL
                                                • API String ID: 471583391-888386124
                                                • Opcode ID: 931bca4e354a4e66049b85c2ade76b0481b63987c00427d30a84b3a06adcda1c
                                                • Instruction ID: 69e1ab04db345426dd98fbd174d02f1622a8135693bb722e45b50833efc91a95
                                                • Opcode Fuzzy Hash: 931bca4e354a4e66049b85c2ade76b0481b63987c00427d30a84b3a06adcda1c
                                                • Instruction Fuzzy Hash: AF21C237A0420ADED7125F09CC00AA73779EB85718F169117E9108BA80EBB5F9918FD2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: RepairOverride$UninstallOverride
                                                • API String ID: 431132790-715699446
                                                • Opcode ID: d49230099e2107a342541efc2bed6ac5b4038476483d3c32d381efeee5dbb9b5
                                                • Instruction ID: 27bc5fa1c89daa648de1ad5b0390b7ede1827ec54bd2063ddf2c3db4dacf2c68
                                                • Opcode Fuzzy Hash: d49230099e2107a342541efc2bed6ac5b4038476483d3c32d381efeee5dbb9b5
                                                • Instruction Fuzzy Hash: BC3181B1500349DFCB10CFA5CA4ABDEBBB9BF15314F10895EE9699BB50C730A604CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7789BE
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C7A8CD5: __EH_prolog3.LIBCMT ref: 6C7A8CDC
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                  • Part of subcall function 6C778415: __EH_prolog3.LIBCMT ref: 6C77841C
                                                  • Part of subcall function 6C77A378: __EH_prolog3.LIBCMT ref: 6C77A37F
                                                • __CxxThrowException@8.LIBCMT ref: 6C778A89
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                Strings
                                                • schema validation error: element name is wrong: , xrefs: 6C778A0C
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
                                                • String ID: schema validation error: element name is wrong:
                                                • API String ID: 3417717588-568579515
                                                • Opcode ID: c6da059e530487ccc1997f95165e667d8f089fd41c38f67d1ef2ca6a8e6e7ce6
                                                • Instruction ID: 8128e0cdbf69dd157371daf45ae0adf7eb704c04afe85d4258862e1d8e02c28f
                                                • Opcode Fuzzy Hash: c6da059e530487ccc1997f95165e667d8f089fd41c38f67d1ef2ca6a8e6e7ce6
                                                • Instruction Fuzzy Hash: E5312D71901149EFDF01DBE4CA4CBEEB7B9AF15318F144696E121E7680DB34AB09CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C778AB3
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                  • Part of subcall function 6C77838A: __EH_prolog3.LIBCMT ref: 6C778391
                                                  • Part of subcall function 6C77A378: __EH_prolog3.LIBCMT ref: 6C77A37F
                                                • __CxxThrowException@8.LIBCMT ref: 6C778B39
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                Strings
                                                • schema validation error: cannot get the parent element., xrefs: 6C778AE4
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
                                                • String ID: schema validation error: cannot get the parent element.
                                                • API String ID: 3417717588-3625153524
                                                • Opcode ID: 8cd55ef8e4680a93feb9d8e6330653e1c19d57ed95fcc74bc0b554b4c3b26317
                                                • Instruction ID: b5c413d810a55e682f91124d2aabea81e51fa346f4c9429978b8cda5cc68ede5
                                                • Opcode Fuzzy Hash: 8cd55ef8e4680a93feb9d8e6330653e1c19d57ed95fcc74bc0b554b4c3b26317
                                                • Instruction Fuzzy Hash: 8C211D71900619AFCB00DFA8CA889EE7B79BF48718F248556F515EBB50C730DA45CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6C3D9AFF(short* _a4, char* _a8, char _a12) {
                                                				intOrPtr _t17;
                                                				intOrPtr* _t20;
                                                				intOrPtr _t28;
                                                				void* _t33;
                                                				intOrPtr _t34;
                                                				char* _t35;
                                                				void* _t36;
                                                
                                                				_t35 = _a8;
                                                				if(_t35 == 0) {
                                                					L11:
                                                					_t17 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t17 != 0x6c3e0088 && ( *(_t17 + 0x1c) & 0x00000001) != 0) {
                                                						_t15 = _t17 + 0x14; // 0x0
                                                						_t16 = _t17 + 0x10; // 0x1
                                                						E6C3D5F11( *_t16,  *_t15, 0xa, 0x6c3d5b48);
                                                					}
                                                					return 0x80070057;
                                                				}
                                                				 *_t35 = 0;
                                                				if(_a12 == 0) {
                                                					goto L11;
                                                				}
                                                				_t20 = _a4;
                                                				_t33 = _t20 + 2;
                                                				do {
                                                					_t34 =  *_t20;
                                                					_t20 = _t20 + 2;
                                                				} while (_t34 != 0);
                                                				_t5 =  &_a12; // 0x6c3d2e56
                                                				if(WideCharToMultiByte(0, 0, _a4, (_t20 - _t33 >> 1) + 1, _t35,  *_t5, 0, 0) == 0 ||  *_t35 == 0) {
                                                					_t36 = E6C3D9546(GetLastError());
                                                					_t28 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t28 != 0x6c3e0088 && ( *(_t28 + 0x1c) & 0x00000001) != 0) {
                                                						_t10 = _t28 + 0x14; // 0x0
                                                						_t11 = _t28 + 0x10; // 0x1
                                                						E6C3D99F8( *_t11,  *_t10, 0xb, 0x6c3d5b48, _t36);
                                                					}
                                                					return _t36;
                                                				} else {
                                                					return 0;
                                                				}
                                                			}











                                                APIs
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,?,V.=l,00000000,00000000,?,00000000,?,6C3D2E56,?,?,00000100,?), ref: 6C3D9B37
                                                • GetLastError.KERNEL32(?,6C3D2E56,?,?,00000100,?,?,00000000), ref: 6C3D9B49
                                                  • Part of subcall function 6C3D99F8: EtwTraceMessage.NTDLL ref: 6C3D9A13
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: ByteCharErrorLastMessageMultiTraceWide
                                                • String ID: V.=l
                                                • API String ID: 1881890961-3541926213
                                                • Opcode ID: 229382d864d8640fde7c68d04989fb850aaf1fd4c0f7071e75534b80e528cfa9
                                                • Instruction ID: 68998972a8c4f3cbf83e5d410cdeb8e3930ad14d86d83a27534d20263429ea94
                                                • Opcode Fuzzy Hash: 229382d864d8640fde7c68d04989fb850aaf1fd4c0f7071e75534b80e528cfa9
                                                • Instruction Fuzzy Hash: 7011D333161384AFDB119E648CA4EE67B5DEF0534CB130454F5558BA61CA63EC44DF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C792DC3
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: ImageName$ProcessBlock
                                                • API String ID: 431132790-2988717093
                                                • Opcode ID: 73ec23b1800e2b7feb3c6da488a6a877810f2636e0238cc66d7553b205e5c202
                                                • Instruction ID: f56f15b7a954910540d6da1813ba96375a5e3bf54742d45ee58d6d67c91a027b
                                                • Opcode Fuzzy Hash: 73ec23b1800e2b7feb3c6da488a6a877810f2636e0238cc66d7553b205e5c202
                                                • Instruction Fuzzy Hash: 7621217060020AAFCB14DFA8CA8DB9D7BB9BF49318F108559F424EB780C730DA05CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __CxxThrowException@8.LIBCMT ref: 6C797F72
                                                  • Part of subcall function 6C7D14AA: KiUserExceptionDispatcher.NTDLL(?,?,6C7CC129,00000C00,?,?,?,?,6C7CC129,00000C00,6C7EBA3C,6C8076D4,00000C00,00000020,6C7AF845,?), ref: 6C7D14EC
                                                • _wcstoul.LIBCMT ref: 6C797FAA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: DispatcherExceptionException@8ThrowUser_wcstoul
                                                • String ID: W
                                                • API String ID: 3061576314-655174618
                                                • Opcode ID: 5197425df01e14ebebd8b046e77e38e18e89262fe65b5cea41bdbfb7a7224cc5
                                                • Instruction ID: 2ee48b34569370c8266968259f25c6b942873ed3d8907230da0bda278259a9ef
                                                • Opcode Fuzzy Hash: 5197425df01e14ebebd8b046e77e38e18e89262fe65b5cea41bdbfb7a7224cc5
                                                • Instruction Fuzzy Hash: CE117076E0020DEBDB00CFA5D944AEEF3B8FF04314F10456AE465B7240D774AA05CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7B2E8A
                                                • _wcstoul.LIBCMT ref: 6C7B2EF4
                                                  • Part of subcall function 6C7CB6D0: wcstoxl.LIBCMT ref: 6C7CB6E0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3_wcstoulwcstoxl
                                                • String ID: 0x%x
                                                • API String ID: 3147468384-1033910204
                                                • Opcode ID: de262154a22a35720e34445e808823b0e6e939f094d303fc5dbfb057e454c003
                                                • Instruction ID: 992bd0ef02500332affeff2129a95f85737ab2159da2b672d25036005f44dcc7
                                                • Opcode Fuzzy Hash: de262154a22a35720e34445e808823b0e6e939f094d303fc5dbfb057e454c003
                                                • Instruction Fuzzy Hash: 5D119EB2A10109AFDB00DF54CE09BAE77A5AF10315F048926F814EBB50C7749F1997D6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: MessageTrace
                                                • String ID: <NULL>$NULL
                                                • API String ID: 471583391-888386124
                                                • Opcode ID: 8ba7383c0f144fc0a281d4c27edb70a121929353a72d06b0d98427efcaa6bd60
                                                • Instruction ID: a59abc842bce27e2600b1b0bd882ef01066309b71a8cb125c59b998dee8d3eb7
                                                • Opcode Fuzzy Hash: 8ba7383c0f144fc0a281d4c27edb70a121929353a72d06b0d98427efcaa6bd60
                                                • Instruction Fuzzy Hash: 2701D47364020AAEEB099E44CC02FB73739FB85704F0A9516FA105A890D7B1F9D0CBD2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 94%
                                                			E6C3C198C(void* __ebx, void* __ecx, void* __esi, struct HINSTANCE__* _a4, intOrPtr _a8) {
                                                				void* __ebp;
                                                				intOrPtr _t16;
                                                				void* _t21;
                                                				intOrPtr _t25;
                                                				void* _t28;
                                                
                                                				_t29 = __esi;
                                                				_t28 = __ecx;
                                                				if(_a8 != 1) {
                                                					if(_a8 == 0) {
                                                						_t16 =  *0x6c3e0088; // 0x6c3e0088
                                                						if(_t16 != 0x6c3e0088 && ( *(_t16 + 0x1c) & 0x00000004) != 0) {
                                                							_t12 = _t16 + 0x14; // 0x0
                                                							_t13 = _t16 + 0x10; // 0x1
                                                							E6C3D5F11( *_t13,  *_t12, 0xb, E6C3CE83C);
                                                						}
                                                						E6C3C1E30(E6C3C1E75(_t29));
                                                					}
                                                				} else {
                                                					_push(__esi);
                                                					E6C3C247C();
                                                					_t21 = E6C3C2513(0x6c3e0180);
                                                					 *0x6c3e0094 = 0x6c3c19f4;
                                                					 *0x6c3e0088 = 0x6c3e0180;
                                                					E6C3C25FF(_t21, _t28, L"Microsoft\\Windows\\SoftwareQualityMetricsClient");
                                                					E6C3C2671(__ebx, _t28);
                                                					DisableThreadLibraryCalls(_a4);
                                                					_t25 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t25 != 0x6c3e0088 && ( *(_t25 + 0x1c) & 0x00000004) != 0) {
                                                						_t10 = _t25 + 0x14; // 0x0
                                                						_t11 = _t25 + 0x10; // 0x1
                                                						E6C3D5F11( *_t11,  *_t10, 0xa, E6C3CE83C);
                                                					}
                                                				}
                                                				return 1;
                                                			}









                                                APIs
                                                • SqmCleanup.SQMAPI(?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3C1E1C
                                                  • Part of subcall function 6C3C247C: LoadLibraryW.KERNEL32(advapi32,?,6C3C19A1,00000000,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3C2484
                                                  • Part of subcall function 6C3C247C: GetProcAddress.KERNEL32(00000000,TraceMessage), ref: 6C3C24A1
                                                  • Part of subcall function 6C3C247C: GetProcAddress.KERNEL32(00000000,TraceMessageVa), ref: 6C3C24C0
                                                  • Part of subcall function 6C3C247C: FreeLibrary.KERNEL32(00000000,?,6C3C19A1,00000000,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3C24D0
                                                  • Part of subcall function 6C3C2671: InitializeCriticalSectionAndSpinCount.KERNEL32(6C3E0168,00000FA0,?,?,6C3C19CB,Microsoft\Windows\SoftwareQualityMetricsClient,6C3E0180,00000000,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3C268E
                                                  • Part of subcall function 6C3C2671: SetLastError.KERNEL32(00000000,?,?,6C3C19CB,Microsoft\Windows\SoftwareQualityMetricsClient,6C3E0180,00000000,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3C26D1
                                                • DisableThreadLibraryCalls.KERNEL32(?,Microsoft\Windows\SoftwareQualityMetricsClient,6C3E0180,00000000,?,6C3C1C30,?,?,?,6C3C1C70,0000002C), ref: 6C3C19CE
                                                Strings
                                                • Microsoft\Windows\SoftwareQualityMetricsClient, xrefs: 6C3C19AC
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: Library$AddressProc$CallsCleanupCountCriticalDisableErrorFreeInitializeLastLoadSectionSpinThread
                                                • String ID: Microsoft\Windows\SoftwareQualityMetricsClient
                                                • API String ID: 1374315629-2483579846
                                                • Opcode ID: 2246e4338e8c877b2f6f1f19b7599e892d7c05d232d7a040be1d0d5e3abcaa0e
                                                • Instruction ID: a3ee8d3608360f42cb14e75474c77b5dbd3941b9df713105a8f18e377e876159
                                                • Opcode Fuzzy Hash: 2246e4338e8c877b2f6f1f19b7599e892d7c05d232d7a040be1d0d5e3abcaa0e
                                                • Instruction Fuzzy Hash: BC01D635344384ABCB519B61C885FCD3A38AF0271CF014055E5549ADA2CB36CD58BFA7
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: MessageTrace
                                                • String ID: <NULL>$NULL
                                                • API String ID: 471583391-888386124
                                                • Opcode ID: 4a596ceaf3c4fda44898565ca3c28a801e73b5934868389acc65900e07e16794
                                                • Instruction ID: 6dc6153afd400521837a3caf34504ac67a3c029f834967633bb06538595c9c7c
                                                • Opcode Fuzzy Hash: 4a596ceaf3c4fda44898565ca3c28a801e73b5934868389acc65900e07e16794
                                                • Instruction Fuzzy Hash: 2301A27364020AAEEB015E09CC01FA73B39EB85708F169012FA509A990D771F9E18FD2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: MessageTrace
                                                • String ID: <NULL>$NULL
                                                • API String ID: 471583391-888386124
                                                • Opcode ID: cb40f902c73fdde5377d9ed1c5074388304eaf280a5eabb224d0405bbb49339b
                                                • Instruction ID: f0f3ea6b041d35d02a7e86f599565a0d1c59b81761bac9e1eb740b0058d706b1
                                                • Opcode Fuzzy Hash: cb40f902c73fdde5377d9ed1c5074388304eaf280a5eabb224d0405bbb49339b
                                                • Instruction Fuzzy Hash: 0F01D67764020AABEB015E08CC52FB73B39EB86704F168415FA104E898D7B1F991CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: MessageTrace
                                                • String ID: <NULL>$NULL
                                                • API String ID: 471583391-888386124
                                                • Opcode ID: 19d2f86706d55312f3c3c4f01cc0dff3d76f93f23629706ea9a266e8a1752b54
                                                • Instruction ID: cdc7310158a7b67c1c5d78075cb4321dc39bcd4122181d96f200901368f8928c
                                                • Opcode Fuzzy Hash: 19d2f86706d55312f3c3c4f01cc0dff3d76f93f23629706ea9a266e8a1752b54
                                                • Instruction Fuzzy Hash: 0A01A47764020AAAEB115E48CC45FB7373AEB86714F168851FA109E998D771F9908B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: Error Mapping NOT FOUND.$Error Mapping found
                                                • API String ID: 431132790-2092252497
                                                • Opcode ID: c6f785ac908dcf724c0250c950c1bd9ffdc7f6df9e0f334a3a6abb45676c47cb
                                                • Instruction ID: 0085d9b3e48aa9128175b3a1e8d43dd9257cfa530178edec73840900252f0e87
                                                • Opcode Fuzzy Hash: c6f785ac908dcf724c0250c950c1bd9ffdc7f6df9e0f334a3a6abb45676c47cb
                                                • Instruction Fuzzy Hash: 2C014071610510DFC710DF68CA8CF99BBA4BF10329F064654E929ABB91C730ED05CA91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • Failed to record Operation UI Mode, xrefs: 6C7B08BA
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorH_prolog3Last
                                                • String ID: Failed to record Operation UI Mode
                                                • API String ID: 685212868-1990955872
                                                • Opcode ID: ed56745170b934b620951549fb68287ef87a02d0d1adc28f91a2911e28c1bcf6
                                                • Instruction ID: 44ac71eea6b99b7d6d092d52d98145eb3426e87ff4409d924b1443afd4615b25
                                                • Opcode Fuzzy Hash: ed56745170b934b620951549fb68287ef87a02d0d1adc28f91a2911e28c1bcf6
                                                • Instruction Fuzzy Hash: 3201B5B1500381EFE7209F62CB0DB967AB4FF41348F108529A814DAA91CB75E74ACBD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SqmCreateNewId.SQMAPI(00000000), ref: 6C3D61A7
                                                • SqmWriteSharedMachineId.SQMAPI(00000000,00000000), ref: 6C3D61B4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CreateMachineSharedWrite
                                                • String ID: Fm*
                                                • API String ID: 3877408143-3000852143
                                                • Opcode ID: 246d93c1788012274853f25b42f72aa129d561aca986dd8a8f3df6a496be52aa
                                                • Instruction ID: 3311bb8837e5939ff679c91eff550d607c2055bad706f848f91c8b3494fe9ccb
                                                • Opcode Fuzzy Hash: 246d93c1788012274853f25b42f72aa129d561aca986dd8a8f3df6a496be52aa
                                                • Instruction Fuzzy Hash: 78F0A432A01619A7DB10DBF8C504BDFB3B8AB49314F520C29D951E7100DB34E9098AD2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7939E1
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 6C793A1E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$DirectorySystem
                                                • String ID: C:\
                                                • API String ID: 105093994-3404278061
                                                • Opcode ID: b553887dff251b9325c937dc7395a856491bf942ff1f2b94ab067425b26dba40
                                                • Instruction ID: 2696d464f4b878dfec39fe068807af1f741b3c13276869dabc56e252747273bd
                                                • Opcode Fuzzy Hash: b553887dff251b9325c937dc7395a856491bf942ff1f2b94ab067425b26dba40
                                                • Instruction Fuzzy Hash: 91018F71A005169FCB00DFA4CA4CAEEB374FF05319F458A55E522ABB90CB30A905CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7BFC4D
                                                • GetLastError.KERNEL32(?,?,?,6C7BCE79,00000000,6C7BBCC4,?,80070057,?,InvalidArguments,?,00000000,?,ParameterInfo.xml,?,?), ref: 6C7BFC73
                                                Strings
                                                • Failed to record TimeToFirstWindow, xrefs: 6C7BFC8D
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: ErrorH_prolog3Last
                                                • String ID: Failed to record TimeToFirstWindow
                                                • API String ID: 685212868-1716191741
                                                • Opcode ID: e6f6f530a60d87e43b10e39c21633f3bb21e8ba6c5cd19177efbac5dfc756343
                                                • Instruction ID: 3eab239d00c105e0f88c512e85904b959521bb9c4cb1a59573977c5987a21bfb
                                                • Opcode Fuzzy Hash: e6f6f530a60d87e43b10e39c21633f3bb21e8ba6c5cd19177efbac5dfc756343
                                                • Instruction Fuzzy Hash: A901AD3A200202AFD7108F61CB0DBAA3B68AF45758F108528B815DAA80C734FA46CA60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6C3CBAE2(void* __ecx) {
                                                				intOrPtr _t10;
                                                				void* _t19;
                                                				void* _t20;
                                                
                                                				_t20 = __ecx;
                                                				_t19 = 0;
                                                				if( *((intOrPtr*)(__ecx + 0x1c)) != 0) {
                                                					_t19 = 0x8007139f;
                                                					_t10 =  *0x6c3e0088; // 0x6c3e0088
                                                					if(_t10 != 0x6c3e0088 && ( *(_t10 + 0x1c) & 0x00000001) != 0) {
                                                						_t8 = _t10 + 0x14; // 0x0
                                                						_t9 = _t10 + 0x10; // 0x1
                                                						E6C3D5F11( *_t9,  *_t8, 0xa, "j");
                                                					}
                                                				} else {
                                                					if(InitializeCriticalSectionAndSpinCount( *(__ecx + 0x18), 0x80000040) == 0) {
                                                						_t19 = E6C3D9546(GetLastError());
                                                					} else {
                                                						 *((intOrPtr*)(_t20 + 0x1c)) = 1;
                                                						 *((intOrPtr*)(_t20 + 0x20)) = 1;
                                                					}
                                                				}
                                                				return _t19;
                                                			}







                                                APIs
                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(?,80000040,00000000,00000000,6C3CBA57,00000000,?,?,00000000,?,6C3C8733,?,0000000C,6C3CBCB8,6C3C0000), ref: 6C3CBAFB
                                                • GetLastError.KERNEL32(?,?,00000000,?,6C3C8733,?,0000000C,6C3CBCB8,6C3C0000), ref: 6C3D229A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2882900521.000000006C3C1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C3C0000, based on PE: true
                                                • Associated: 00000009.00000002.2882856703.000000006C3C0000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883044592.000000006C3E0000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 00000009.00000002.2883088544.000000006C3E1000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c3c0000_Setup.jbxd
                                                Similarity
                                                • API ID: CountCriticalErrorInitializeLastSectionSpin
                                                • String ID: j
                                                • API String ID: 439134102-2137352139
                                                • Opcode ID: 0acfe0a64b89f359cf1f56f65277de821f426836b8bd1610e53ebaecdb41ede7
                                                • Instruction ID: ac3f6b623c7d9508c6576df814bd5c5fe44d252c132cf0a4da162fa18e5b6417
                                                • Opcode Fuzzy Hash: 0acfe0a64b89f359cf1f56f65277de821f426836b8bd1610e53ebaecdb41ede7
                                                • Instruction Fuzzy Hash: 75F0F6323407009FC7A08F278804F8A3BFAEB95319B120439E146DAD50C732EC05EF22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 6C774E11
                                                  • Part of subcall function 6C774FAC: _memset.LIBCMT ref: 6C774FB4
                                                  • Part of subcall function 6C7A833E: __EH_prolog3.LIBCMT ref: 6C7A8345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3H_prolog3__memset
                                                • String ID: %d.%d.%d$Error
                                                • API String ID: 755347604-3400412798
                                                • Opcode ID: e0c4ce9e1898683f9904cbe4708a656b5b55978f2aceb41e7cc006506802a552
                                                • Instruction ID: 40ea943ddbf49d571ae3d100b0036bf99db73fad3775fb7a18023ba3fb54cdc3
                                                • Opcode Fuzzy Hash: e0c4ce9e1898683f9904cbe4708a656b5b55978f2aceb41e7cc006506802a552
                                                • Instruction Fuzzy Hash: CF01AD32A101199BDF229F64CE087DCB7B5BF09308F0009E5E044ABA02DB309B699F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 6C7C5937
                                                • GetLastError.KERNEL32(?,?,?,6C7C4247,00000000,?), ref: 6C7C595D
                                                  • Part of subcall function 6C777479: __EH_prolog3.LIBCMT ref: 6C777480
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3$ErrorLast
                                                • String ID: WinHttpConnect
                                                • API String ID: 1123136255-1867560646
                                                • Opcode ID: 3d2872986085688af4232a01ddbd02c9cfe0b6262998ec5a3c93abccc99328b1
                                                • Instruction ID: 553bc43451992b1e3ea793b36f82f738037c8adb7279f4bf16a0e2b8b8140e7b
                                                • Opcode Fuzzy Hash: 3d2872986085688af4232a01ddbd02c9cfe0b6262998ec5a3c93abccc99328b1
                                                • Instruction Fuzzy Hash: 70F0EC31200601AFCB209F76CA0CE8F7AA6AF88324F104809F4A8CB750CB30E541DB22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                • A StopBlock was hit or a System Requirement was not met., xrefs: 6C774D77
                                                • An internal or user error was encountered., xrefs: 6C774D6E
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2883173547.000000006C751000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C750000, based on PE: true
                                                • Associated: 00000009.00000002.2883135345.000000006C750000.00000002.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883625975.000000006C7FE000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883698308.000000006C7FF000.00000008.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883773477.000000006C806000.00000004.00000001.01000000.0000000D.sdmp
                                                • Associated: 00000009.00000002.2883819073.000000006C80A000.00000002.00000001.01000000.0000000D.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6c750000_Setup.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: A StopBlock was hit or a System Requirement was not met.$An internal or user error was encountered.
                                                • API String ID: 431132790-2578323181
                                                • Opcode ID: 0b0013f446714c060d30c525d7b47f255f9e8a70dd8a23fb0e50c7609a2c87ea
                                                • Instruction ID: f2176103d275e7f411ed38f8a891081b2f1092c1cd6d2f6705277faef1611823
                                                • Opcode Fuzzy Hash: 0b0013f446714c060d30c525d7b47f255f9e8a70dd8a23fb0e50c7609a2c87ea
                                                • Instruction Fuzzy Hash: F6F02B71B40A0D9BEB11DF98C70E7AD72647B0071DF014850E114AFBC0CBB8AB18D79A
                                                Uniqueness

                                                Uniqueness Score: -1.00%